Page 1
... connecting your business
LANCOM 1711 VPN
Business VPN router for professional site connectivity
쮿 5 IPSec VPN channels integrated; optional: 25 simultaneous VPN channels and hardware
VPN accelerator
쮿 Stateful-inspection firewall with intrusion detection/denial-of- service protection
쮿 4 separable switch ports
쮿 Quality of Service and bandwidth management
쮿 Load balancing with up to 4 WAN connections
쮿 ISDN interface for remote access, remote maintenance and dial-backup
쮿 For connection to an ADSL/SDSL/cable modem
쮿 Optional: VoIP PBX with SIP proxy and SIP gateway functions
Page 2
The LANCOM 1711 VPN serves as a central firewall and VPN gateway for smaller and medium-sized sites.
Equipped with 5 VPN channels as standard, the LANCOM 1711 VPN can be combined with the 25-channel VPN-option activated VPN hardware accelerator that has sufficient
reserves for up to 25 simultaneous VPN dial-in connections (e.g. with the LANCOM Advanced VPN Client) or for site coupling with demanding applications such as VoIP.
LANCOM Dynamic VPN, our IPSec extension, offers the active establishment of connections to remote sites with dynamic IP addresses—even when the remote site is not always on.
More Security.
The integrated firewall with the latest security functions such as stateful inspection, Intrusion Detection and Denial-of- Service protection is supplemented by dynamic bandwidth
management and comprehensive functions for backup, high-availability and redundancy. The integrated VPN gateway that fulfills the IPSec standard, and the optional hardware
accelerator provide optimal security for connecting telecommuters and branch offices thanks to the high-security 3- DES or AES encryption and support of digital certificates.
More Management.
The management systems LANconfig and LANmonitor are included and offer not only cost-effective remote maintenance of entire installations and highly convenient setup wizards,
but also full real-time monitoring and logging. What’s more, service providers benefit from the broad range of scripting methods and professional access with individual access
rights for administrators via SSH, HTTPS, TFTP and ISDN dial-in.
More Benefits.
The versatile functions for address translation and routing allow completely different networks to be connected over common infrastructure. Existing networks at partner companies,
home-office workstations or subsidiaries can be integrated into the VPN without problem. With the option of port separation and a separate address range, your own web servers
can be securely separated from the LAN.
Upgrading with LANCOM VoIP Advanced Option and VoIP-32 Option to a VoIP PBX for up to 32 subscribers offers big savings through the use of existing data connections for
voice transmission (VoIP telephony) and no need for a separate PBX.
The integrated ISDN interface allows remote field installations, dial-up access and CAPI featured functions such as fax services for all connected PCs.
More Reliability for the Future.
From the very start, LANCOM products are designed for a product life of several years. They are equipped with hardware dimensioned for the future. Even reaching back to older
product generations, updates to the LANCOM Operating System—LCOS—are available several times a year, free of charge and offering major features. LANCOM offers unbeatable
protection of your investment!
Page 3
LANCOM 1711 VPN
Firewall
Stateful inspection firewall Incoming/Outgoing Traffic inspection based on connection information
Packet filter Check based on the header information of an IP packet (IP or MAC source/destination addresses; source/destination ports,
Extended port forwarding Network Address Translation (NAT) based on protocol and WAN address, i.e. to make internal webservers accessible from WAN
N:N IP address mapping N:N IP address mapping for translation of IP addresses or entire networks
Tagging The firewall marks packets with routing tags, e.g. for policy-based routing
Actions Forward, drop, reject, block sender address, close destination port, disconnect
Notification Via e- mail, SYSLOG or SNMP trap
Quality of Service
Traffic shaping Dynamic bandwidth management with IP traffic shaping
Bandwidth reservation Dynamic reservation of minimum and maximum bandwidths, totally or connection bases, separate settings for send and receive
DiffServ/TOS Priority queuing of packets based on DiffServ/TOS fields
Packet-size control Automatic packet-size control by fragmentation or Path Maximum Transmission Unit (PMTU) adjustment.
Layer 2/Layer 3 tagging Automatic or fixed translation of layer-2 priority information (802.11p- marked Ethernet frames) to layer-3 DiffServ attributes in
Security
Intrusion Prevention Monitoring and blocking of login attempts and port scans
IP spoofing Source IP address check on all interfaces: only IP addresses belonging to the defined IP networks are allowed
Access control lists Filtering of IP or MAC addresses and preset protocols for configuration access and LANCAPI
Denial of Service protection Protection from fragmentation errors and SYN flooding
General Detailed settings for handling reassembly, PING, stealth mode and AUTH port
URL blocker Filtering of unwanted URLs based on DNS hitlists and wildcard filters
Password protection Password-protected configuration access can be set for each interface
Alerts Alerts via e-mail, SNMP- Traps and SYSLOG
Authentication mechanisms PAP, CHAP and MS-CHAP as PPP authentication mechanism
Anti-theft Anti-theft ISDN site verification over B or D channel (self-initiated call back and blocking)
Adjustable reset button Adjustable reset button for "ignore", "boot-only" and "reset-or-boot
High availability / redundancy
VRRP VRRP (Virtual Router Redundancy Protocol) for backup in case of failure of a device or remote station. Enables passive standby
FirmSafe For completely safe software upgrades thanks to two stored firmware versions, incl. test mode for firmware updates
ISDN backup In case of failure of the main connection, a backup connection is established over ISDN; automatic return to the main connection
Analog/GSM modem backup Optional operation of an analog or GSM modem at the serial interface
Load balancing Static and dynamic load balancing over up to 4 WAN connections; channel bundling with Multilink PPP (if supported by network
VPN redundancy Control of up to 16 redundant VPN gateways for high availability or load balancing
Line monitoring Line monitoring with LCP echo monitoring, dead-peer detection and up to 4 addresses for end-to-end monitoring with ICMP
VPN
1-Click- VPN Client assistant One click function in LANconfig to create VPN client connections, incl. automatic profile creation for the LANCOM Advanced
1-Click- VPN Site- to- Site Creation of VPN connections between LANCOM router via drag and drop in LANconfig
Number of VPN tunnels 5 IPSec connections active simultaneously (25 with VPN-25 Option), 25 connections configurable (50 with VPN-25 Option).
Hardware accelerator (optional) Activated 3DES/AES hardware encryption with the VPN-25 Option
IKE IPSec key exchange with Preshared Key or certificate
Certificates X.509 digital certificate support, compatible with Microsoft Server / Enterprise Server and OpenSSL, upload of PKCS#12 files via
Certificate rollout Automatic creation, rollout and renewal of certificates via SCEP (Simple Certificate Enrollment Protocol)
DiffServ attribute); remote-site dependant, direction dependant, bandwidth dependant
directions
routing mode. Translation from layer 3 to layer 2 with automatic recognition of 802.1p-support in the destination device.
groups or reciprocal backup between multiple active devices including load balancing and user definable backup priorities
operator)
polling.
VPN Client
Configuration of all remote sites via one configuration entry when using the RAS user template or Proadaptive VPN
HTTPS interface
Scope of features: as of LCOS version 7.2
Page 4
LANCOM 1711 VPN
VPN
Certificate revocation lists (CRL) CRL retrieval via HTTP
RAS user template Configuration of all VPN client connections in IKE ConfigMode via a single configuration entry
Proadaptive VPN Automated configuration and dynamic creation of all necessary VPN and routing entries based on a default entry for site-to-
Algorithms 3DES (168 bit), AES (128, 192 or 256 bit), Blowfish (128 bit), RSA (128 or -448 bit) and CAST (128 bit); MD-5 or SHA- 1 hashes
NAT-Traversal NAT-Traversal (NAT-T) support for VPN over routes without VPN passthrough
IPCOMP VPN data compression based on LZS or Deflate compression for higher IPSec throughput
LANCOM Dynamic VPN: Enables VPN connections from or to dynamic IP addresses. The IP address is communicated via ISDN B- or D-channel or with
Dynamic DNS Enables the registration of IP addresses with a Dynamic DNS provider in the case that fixed IP addresses are not used for the
Specific DNS forwarding DNS forwarding according to DNS domain, e.g. internal names are translated by proprietary DSN servers in the VPN; external
VPN throughput (max.)*
1364-byte packet size 33 Mbps
265-byte packet size 6 Mbps
*) Notice all VPN figures with AES encryption and active VPN hardware acceleration
Firewall throughput (max.)
1470-byte packet size 61 Mbps
256-byte packet size 9 Mbps
VoIP (optional)
VoIP support Extended VoIP support (only in combination with the LANCOM VoIP Advanced Option)
Number of local subscribers max. 8 (upgradable to 32 with LANCOM VoIP-32 Option)
PBX functionality Switching between local SIP subscribers and upstream SIP PBXs or external ISDN and SIP subscribers.
Hunt groups Hunt group cascades with groups as group members. Call diversion to all members simultaneously or sequentially. Automatic
Multi login Registration of several SIP terminal devices with the same number/ID. Signaling like with a single subscriber, e.g. tabletop
Call router Central switching of all incoming and outgoing calls. Number translation by mapping, numeral replacement and number
SIP proxy and registrar Management of local SIP users with optional automatic registration/authentication. Mapping of up to 16 public SIP-provider
SIP gateway Transparent conversion of ISDN telephone calls to SIP calls, and vice versa. Number translation between internal numbers and
SIP trunk Outgoing call switching and incoming call reception based on extension numbers to/from SIP PBXs/SIP providers (requires
SIP link Outgoing call switching and incoming call reception of any numbers to/from SIP PBXs/SIP providers (requires support of this
SIP remote gateway Local break-in/out of calls with any telephone number to/from upstream VoIP PBXs/SIP providers with telephone number
Media proxy Termination and interconnection of multiple media streams. Control of media sessions resulting from SIP connections. IP address
Number of simultaneous connections 2 - 16 depending on code conversion, echo canceling and load
site connections. Propogation of dynamically learned routes via RIPv2, if required.
the ICMP or UDP protocol in encrypted form. Dynamic dial-in for remote sites via connection template
VPN connection
names are translated by Internet DNS servers.
E.g. support for: Hold/Request, Swap, Transfer, Call Forwarding (CFU, CFB, CFNR), Number display/suppression (CLIP, CLIR),
named internal subscribers, suppression of second call (Busy on Busy), immediate outgoing line, hunt groups, call diversion
SIP subscriber initiated actions:
쮿 Hold/Consultation, Swap, Transfer
쮿 Call Forwarding unconditional (CFU), on busy (CFB), on no reply (CFNR)
forwarding to target number or hunt group after timeout or when busy/unreachable.
telephone, softphone and mobile handset at the same time
supplementation Configuration of line and route selection, entry of multiple alternative routes (line backup). Routing based on
calling and called number, SIP domain and line. Manual routing by the user ("outside-line access codes"); routing with lineselection keys on telephones or telephone number prefixes; targeted routing for individual telephone numbers (e.g. emergency
calls via local ISDN); separate routes for internal, local, long-distance or international calls; blocking of telephone numbers or
blocks of telephone numbers; inclusion of local subscribers into the number range of an upstream SIP PBX; internal standard
telephone number for undeliverable calls; supplement/remove line-related prefixes or switchboard numbers
accounts as telephone lines for shared use. Connection to up to four upstream SIP PBXs including line backup. SIP connections
from/to internal subscribers, SIP providers and SIP PBXs with automatic login of SIP users at SIP providers/upstream SIP PBXs.
Optional shared/individual password for authentication at an upstream SIP PBX. Automatic bandwidth management and
automatic configuration of the firewall for SIP connections. Default DNS entry for the local SIP domains, service location (SRV)
support
MSN/DDI (including telephone number blocks, max. 40 mapping entries), plus automatic adaptation of calling numbers and
called numbers
support of the SIP-DDI functions compliant with ITU- T Q.1912.5 at the central exchange) with just a single user account to
register the switchboard number. Mapping of entire SIP telephone number blocks
function at the central exchange) with just a single user account to register. Mapping of entire SIP telephone number blocks
mapping, independent of local users
and port translation for media stream packets. Connection of parties at media stream level where a call transfer in SIP (REFER)
is not possible
Scope of features: as of LCOS version 7.2
Page 5
LANCOM 1711 VPN
VoIP (optional)
Signaling VoIP: SIPv2, ISDN: DSS1 (Euro-ISDN), point-to-point/point- to- multipoint; 1TR6 (only at an external ISDN connector in TE mode)
Media protocols RTP
ISDN features Operation directly at ISDN exchange lines or at ISDN extension lines of existing PBXs. ISDN supplementary services CLIP, CLIR,
Audio properties Echo canceling (G.168), automatic adaptive de- jitter buffer. Inband tone signaling compliant with EU standards and country-
Fax transmission Transmisson of fax via SIP on the LAN side with T.38 or G.711, on the WAN/Internet side with T.38. Conversion of SIP fax with
Auto QoS Automatic dynamic bandwidth reservation per SIP connection. Automatic selection of compression method depending upon
VoIP management VoIP Setup Wizard and configuration with LANconfig. Configuration and tracing with command line interface (remote or locally)
VoIP monitoring Reporting of Call Data Records (CDR) via Syslog or e-mail. Status display of subscribers, lines, and connections. Logging of VoIP
Routing functions
Router IP, IPX and NetBIOS/IP multi-protocol router
VLAN VLAN ID definable per interface and routing context (4094 IDs)
Q-in- Q tagging Support of layered 802.1q VLANs
Advanced Routing and Forwarding Separate processing of 8 contexts due to virtualization of the routers. Mapping to VLANs and complete independent
HTTP HTTP and HTTPS server for configuration by web interface
DNS DNS client, DNS server, DNS relay, DNS proxy and dynamic DNS client
DHCP DHCP client, DHCP relay and DHCP server with autodetection
NetBIOS NetBIOS/IP proxy
NTP NTP client and SNTP server, automatic adjustment for daylight-saving time
Policy-based routing Policy-based routing based on routing tags. Based on firewall rules, certain data types are marked for specific routing, e.g. to
Dynamic routing Dynamic routing with RIPv2. Learning and propagating routes; separate settings for LAN and WAN
LAN protocols
IP ARP, proxy ARP, BOOTP, LANCAPI, DHCP, DNS, HTTP, HTTPS, IP, ICMP, NTP/SNTP, NetBIOS, PPPoE (server), RADIUS, RIP-1, RIP-
IPX RIP, SAP, IPX and SPX watchdogs, NetBIOS watchdogs
WAN protocols
Ethernet PPPoE, Multi- PPPoE, ML-PPP, PPTP (PAC or PNS) and plain Ethernet (with or without DHCP), RIP-1, RIP- 2, VLAN
ISDN 1TR6, DSS1 (Euro-ISDN), PPP, X75, HDLC, ML- PPP, V.110/GSM/HSCSD, CAPI 2.0 via LANCAPI, Stac data compression
Interfaces
WAN: Ethernet 10/100 Mbps Fast Ethernet
Ethernet ports 4 individual 10/100-Mbps Fast Ethernet ports; up to 3 ports can be switched as additional WAN ports with load balancing
- freely configurable Each Ethernet port can be freely configured (LAN, DMZ, WAN, monitor port, off). LAN ports can be operated as a switch or
ISDN ISDN S0 bus
Serial interface Serial configuration interface / COM port (8 pin Mini-DIN): 9,600 - 115,000 baud, suitable for optional connection of analog/
Management
LANconfig Configuration program for Microsoft Windows, incl. convenient Setup Wizards. Optional group configuration, simultaneous
LANmonitor Monitoring application for Microsoft Windows for (remote) surveillance and logging of the status of LANCOM devices and
Webconfig Integrated web server for the configuration of LANCOM devices via Internet browsers with HTTPS or HTTP
en-block dial and individual dialing with adjustable wait- time until completion. ISDN-UDI calls with G.722 (not with VoIP Basic
Option). Pass-through of service identifiers (BC, HLC, LLC) for ISDN-to-ISDN connections. PCM bit- transparent coupling. Support
for keypad facilities. Advice of charge (AOC-D, AOC- E).
specific. DTMF support compliant with RFC 2976 (SIP info), RFC 2833 (RTP payload type/outband). Transparent pass-through
for negotiated codecs. Interaction on codec negotiation between subscribers (filter, quality/bandwidth) Voice encoding with
G.711 μ-law/A-law (64 kbps), G.726 (16, 24, 32, 40 kbps), G.722 high- quality codec, G.729 Annex A
T.38 and break-in/break- out at the outside line to ISDN G.711 with service signalisation.
available bandwidth. Voice packet prioritization (CoS), DiffServ marking, traffic shaping (incoming/outgoing) and packet-size
management of non- prioritized connections compared to VoIP
Call Manager events in LANmonitor. SYSLOG and TRACE for voice connections. Active monitoring even of ISDN interface states
with SNMP
management and configuration of IP networks in the device, i.e. individual settings for DHCP, DNS, Firewalling, QoS, Routing
etc.
particular remote sites or lines.
2, RTP, SIP, SNMP, TCP, TFTP, UDP, VRRP
separately. Additionally, external DSL modems or termination routers can be operated as a WAN port with load balancing and
policy-based routing. DMZ ports can be operated with their own IP address range without NAT
GPRS modems
remote configuration and management of multiple devices over ISDN dial-in or IP connection (HTTPS, HTTP, TFTP)
connections, incl. PING diagnosis
Scope of features: as of LCOS version 7.2
Page 6
LANCOM 1711 VPN
Management
Access rights Individual access and function rights for up to 16 administrators
User administration RADIUS user administration for dial-in access (PPP/PPTP and ISDN CLIP)
Remote maintenance Remote configuration with Telnet/SSL, SSH (with password or public key), browser (HTTP/HTTPS), TFTP or SNMP, firmware upload
ISDN remote maintenance Remote maintenance over ISDN dial-in with calling-number check
Security Access rights (read/Write) over WAN or (W)LAN can be set up separately (VPN only, Telnet/SSL, SSH, SNMP, HTTPS/HTTP), access
Scripting Scripting function for batch-programming of all command-line parameters and for transferring (partial) configurations,
SNMP SNMP management via SNMP V2, private MIB exportable by WEBconfig, MIB II
Timed control Scheduled control of parameters and actions with CRON service
TFTP TFTP client and server with variable file names (name, MAC/IP address, serial number)
Diagnosis Extensive LOG and TRACE options, PING and TRACEROUTE for checking connections, LANmonitor status display, internal logging
Statistics
Statistics Extensive Ethernet, IP and DNS statistics; SYSLOG error counter
Accounting Connection time, online time, transfer volumes per station. Snapshot function for regular read-out of values at the end of a
Export Accounting information exportable via LANmonitor and SYSLOG
Hardware
Power supply 12 V AC, external power adapter (230 V)
Housing Robust synthetic housing, rear connectors, ready for wall mounting, Kensington lock; 210 x 45 x 140 mm (W x H x D)
Power consumption (max) ca. 5 Watts
Declarations of conformity
CE EN 55022, EN 55024, EN 60950
Medical Medical conformity with EN 60601-1- 2
Package content
Manual Printed User Manual (DE, EN) and Quick Installation Guide (DE/EN/FR/ES/IT/PT/NL)
CD CD with firmware, management software (LANconfig, LANmonitor, LANCAPI) and documentation
Cable Serial configuration cable, 1.5m
Cable 2 Ethernet cables, 3m
Cable ISDN cable, 3m
Power supply unit 12 V AC, external power adapter (230 V)
Support
Warranty 3 years, support via Hotline and Internet KnowledgeBase
Software updates Regular free updates (LCOS operating system and management tools) via Internet
Options
VPN LANCOM VPN-25 Option (25 channels, incl. activated VPN hardware accelerator), item no. 60083
Service LANCOM Service Option (24h advance replacement within Germany, 4 year warranty, not for PoE Power Injector), item no.
VoIP LANCOM VoIP Advanced Option (8 SIP users), item no. 61421
VoIP extension LANCOM VoIP-32 Option (Upgrade to 32 SIP users in total, LANCOM VoIP Advanced Option preconditional), item no. 61617
Accessories
Documentation LANCOM LCOS Reference Manual (DE), item no. 61700
19" Rack Mount 19" rackmount adapter, item no. 61501
Modem Backup LANCOM Modem Adapter Kit, item no. 61500
VPN Client Software LANCOM Advanced VPN Client for Windows® 2000, Windows® XP, Windows Vista™, single license, item no. 61600
VPN Client Software LANCOM Advanced VPN Client for Windows® 2000, Windows® XP, Windows Vista™, 10 licenses, item no. 61601
via HTTP/HTTPS or TFTP. A remote configuration for devices behind der LANCOM can be accomplished (after authentication) via
tunneling of arbitrary TCP-based protocols, e.g. for HTTP(S) remote maintenance of VoIP phones or printers of the LAN
control list
irrespective of software versions and device types, incl. test mode for parameter changes
buffer for SYSLOG and firewall events, monitor mode for Ethernet ports
billing period.
61401
Scope of features: as of LCOS version 7.2
Page 7
LANCOM 1711 VPN
Accessories
VPN Client Software LANCOM Advanced VPN Client for Windows® 2000, Windows® XP, Windows Vista™, 25 licenses, item no. 61602
VoIP Client Software LANCOM Advanced VoIP Client for Windows® 2000, Windows® XP, Windows Vista™, single license, item no. 61610
VoIP Client Software LANCOM Advanced VoIP Client for Windows® 2000, Windows® XP, Windows Vista™, 10 licenses, item no. 61611
Item numbers
LANCOM 1711 VPN 61125
LANCOM 1711 VPN UK 61126
Scope of features: as of LCOS version 7.2
www.lancom.eu
LANCOM Systems GmbH I Adenauerstr. 20/B2 I 52146 Wuerselen I Deutschland I E-Mail info@lancom.eu I Internet www.lancom.eu
LANCOM, LANCOM Systems and LCOS are registered trademarks. All other names or descriptions used may be trademarks or registered trademarks of their owners. Subject to change without notice.
No liability for technical errors and/or omissions. 03/08
Loading...