Nortel Networks 608-WL, 620 User Manual
SpeedTouch™608(WL)/620
(Wireless) Business DSL Router
IPSec Configuration Guide
SpeedTouch™608WL and
SpeedTouch™620 only
Power
Ethernet
N
LA
N
W
Plug-in
ISD
Internet
SpeedTouch™
608(WL)/620
IPSec Configuration Guide
Copyright
Copyright ©1999-2006 THOMSON. All rights reserved.
Distribution and copying of this document, use and communication of its contents is not permitted without written authorization
from THOMSON. The content of this document is furnished for informational use only, may be subject to change without notice,
and should not be construed as a commitment by THOMSON. THOMSON assumes no responsibility or liability for any errors or
inaccuracies that may appear in this document.
Thomson Telecom Belgium
Prins Boudewijnlaan, 47
B-2650 Edegem
Belgium
www.speedtouch.com
Trademarks
The following trademarks are used in this document:
SpeedTouch™ is a trademark of THOMSON.
Bluetooth® word mark and logos are owned by the Bluetooth SIG, Inc.
Ethernet™ is a trademark of Xerox Corporation.
Wi-Fi® and the Wi-Fi logo are registered trademarks of the Wi-Fi Alliance. "Wi-Fi CERTIFIED", "Wi-Fi ZONE", "Wi-Fi Alli-
ance", their respective logos and "Wi-Fi Protected Access" are trademarks of the Wi-Fi Alliance.
UPnP™ is a certification mark of the UPnP™ Implementers Corporation.
Microsoft®, MS-DOS®, Windows® and Windows NT® are either registered trademarks or trademarks of Microsoft Corpo-
ration in the United States and/or other countries.
Apple® and Mac OS® are registered trademarks of Apple Computer, Incorporated, registered in the United States and
other countries.
UNIX® is a registered trademark of UNIX System Laboratories, Incorporated.
Adobe®, the Adobe logo, Acrobat and Acrobat Reader are trademarks or registered trademarks of Adobe Systems, Incor-
porated, registered in the United States and/or other countries.
Netscape® and Netscape Navigator® are registered trademarks of Netscape Communications Corporation.
Other brands and product names may be trademarks or registered trademarks of their respective holders.
Document Information
Status: v1.0 (January 2006)
Reference: E-DOC-CTC-20051017-0169
Short Title: IPSec Configuration Guide ST608(WL)/620 R5.4
Contents
Contents
About this IPSec Configuration Guide ....................... 9
1 IPSec: Concept for secure IP connections................. 11
1.1 IPSec Concepts ............................................................................ 12
2 SpeedTouch™ IPSec terminology............................. 15
2.1 Policy ........................................................................................... 16
2.2 Security Descriptor ...................................................................... 17
2.3 Authentication Attribute ............................................................. 18
2.4 Peer (Phase 1) .............................................................................. 19
2.5 Connection (Phase 2) ................................................................... 20
2.6 Network descriptor ...................................................................... 21
3 Configuration via Local Pages ...................................23
3.1 LAN to LAN Application............................................................... 25
3.1.1 Remote Gateway Address Known Page ...................................................................... 27
3.1.2 Remote Gateway Address Unknown Page..................................................................35
3.1.3 Connections Page .......................................................................................................... 47
E-DOC-CTC-20051017-0169 v0.1
3.2 VPN Client.................................................................................... 51
3.2.1 VPN Client Page ............................................................................................................. 52
3.2.2 Starting the VPN Client Connection ............................................................................. 59
3.2.3 Closing a Connection..................................................................................................... 62
3
Contents
3.3 VPN Server ................................................................................... 63
3.3.1 VPN Server Page............................................................................................................64
3.4 Certificates .................................................................................. 73
3.5 Advanced VPN Menu ................................................................... 75
3.5.1 Peer Profiles Page.......................................................................................................... 78
3.5.2 Authentication Page ......................................................................................................82
3.5.3 Peer Descriptors Page ................................................................................................... 83
3.5.4 Peer Options Page ......................................................................................................... 85
3.5.5 VPN-Client Page.............................................................................................................86
3.5.6 VPN-Server Page............................................................................................................88
3.5.7 VPN-Server-XAuth Page................................................................................................90
3.5.8 Connection Profiles Page .............................................................................................. 91
3.5.9 Networks Page ...............................................................................................................94
3.5.10 Connection Descriptors Page........................................................................................ 96
3.5.11 Connection Options Page..............................................................................................99
3.5.12 Client Page....................................................................................................................100
4 Configuration via the Command Line Interface ..... 101
4.1 Basic IPSec configuration procedure ......................................... 102
4.2 Peer: Authentication Attribute .................................................. 104
4.2.1 Authentication Attribute Parameters ......................................................................... 105
4.2.2 List all Authentication Attributes................................................................................ 106
4.2.3 Create a New Authentication Attribute ...................................................................... 107
4.2.4 Set or Modify the Authentication Attribute Parameters........................................... 108
4.2.5 Delete an Authentication attribute .............................................................................109
4.3 Peer Security Descriptor ............................................................ 110
4.3.1 Peer Security Descriptor Parameters ......................................................................... 111
4.3.2 List all Peer Security Descriptors................................................................................114
4.3.3 Create a New Peer Security Descriptor......................................................................115
4.3.4 Set or Modify the Peer Descriptor Parameters..........................................................116
4.3.5 Delete a Peer Descriptor..............................................................................................117
4
E-DOC-CTC-20051017-0169 v0.1
Contents
4.4 Peer ............................................................................................ 118
4.4.1 Peer parameters........................................................................................................... 119
4.4.2 List all peer entities...................................................................................................... 123
4.4.3 Create a new peer entity ............................................................................................. 124
4.4.4 Set or modify the peer parameters ............................................................................125
4.4.5 Delete a Peer entity...................................................................................................... 126
4.5 Connection Security Descriptor................................................. 127
4.5.1 Connection Security Descriptor parameters .............................................................128
4.5.2 List all Connection Security Descriptors....................................................................131
4.5.3 Create a new Connection Security Descriptor...........................................................132
4.5.4 Set the Connection Security Descriptor Parameters ................................................133
4.5.5 Delete a Connection Security Descriptor ................................................................... 134
4.6 Network Descriptor ................................................................... 135
4.6.1 Network Descriptor Parameters ................................................................................. 136
4.6.2 Create a New Network Descriptor..............................................................................138
4.6.3 Set the Network Descriptor Parameters ....................................................................139
4.6.4 Delete a Network Descriptor.......................................................................................140
4.7 Connection ................................................................................. 141
4.7.1 Connection Parameters...............................................................................................142
4.7.2 List all Connections...................................................................................................... 145
4.7.3 Create a New Connection............................................................................................146
4.7.4 Set or Modify the Connection Parameters ................................................................ 147
4.7.5 Delete a Connection..................................................................................................... 148
4.7.6 Start a Connection ....................................................................................................... 149
4.7.7 Stop a connection........................................................................................................150
4.8 Auxiliary Commands .................................................................. 151
4.8.1 Config Command.........................................................................................................152
4.8.2 Flush Command...........................................................................................................155
4.8.3 Clear Command Group ...............................................................................................156
4.9 Organisation of the IPSec Command Group .............................. 157
E-DOC-CTC-20051017-0169 v0.1
5 Troubleshooting SpeedTouch™ IPSec ...................161
5.1 Via the Debug Web pages .......................................................... 162
5.2 Via the CLI: Show command group............................................ 165
5
Contents
5.3 Via the CLI: Debug command group ......................................... 167
5.4 Via SNMP ................................................................................... 170
5.5 Pinging from the SpeedTouch™ to the remote private network 171
6 Advanced Features ................................................... 173
6.1 IPSec and the Stateful Inspection Firewall ................................ 174
6.2 Surfing through the VPN tunnel ................................................ 175
6.3 Extended Authentication (XAuth) .............................................. 176
6.4 VPN Client.................................................................................. 177
6.4.1 VPN Client parameters ................................................................................................178
6.4.2 Create a new vpnclient................................................................................................179
6.4.3 Set or modify the vpnclient parameters .................................................................... 180
6.4.4 Attach the vpnclient entity to the peer entity ............................................................ 181
6.5 VPN Server ................................................................................. 182
6.5.1 VPN Server parameters............................................................................................... 183
6.5.2 Create a new VPN server.............................................................................................185
6.5.3 Set or modify the vpnserver parameters................................................................... 186
6.5.4 Attach the vpnserver entity to the peer entity........................................................... 187
6.6 XAuth Users Pool....................................................................... 188
6.6.1 XAuth Pool parameters...............................................................................................189
6.6.2 Create a new XAuth pool ............................................................................................190
6.6.3 Modify the xauthpool type..........................................................................................191
6.6.4 Attach the xauthpool entity to the vpnserver entity .................................................192
6.6.5 Delete an xauthpool entity..........................................................................................193
6.6.6 XAuth User parameters............................................................................................... 194
6.6.7 Create a new XAuth user ............................................................................................ 195
6.6.8 Set or modify the password of an XAuth user.......................................................... 196
6.6.9 Delete an xauthuser entity ..........................................................................................197
6.7 The Default Peer Concept .......................................................... 198
6.8 One Peer - Multiple Connections ............................................... 200
6
E-DOC-CTC-20051017-0169 v0.1
Contents
6.9 Peer Options .............................................................................. 201
6.9.1 List all Peer Options lists............................................................................................. 203
6.9.2 Create a Peer Options list............................................................................................ 204
6.9.3 Set or modify the Peer Option list parameters......................................................... 205
6.9.4 Delete a Peer Options list............................................................................................ 206
6.10 Connection Options ................................................................... 207
6.10.1 List all Connection Options lists ................................................................................. 209
6.10.2 Create a Connection Options list................................................................................210
6.10.3 Set or modify the Connection Option list parameters............................................. 211
6.10.4 Delete an Options list .................................................................................................. 212
6.11 Advanced Connection ................................................................ 213
E-DOC-CTC-20051017-0169 v0.1
7
Contents
8
E-DOC-CTC-20051017-0169 v0.1
About this IPSec Configuration Guide
About this IPSec Configuration Guide
Abstract This document explains the IPSec functionality of the SpeedTouch™ Release R5.4
and higher. A brief theoretical explanation is provided where needed, but the main
goal of this document is to be a practical guide.
Applicability This configuration guide applies to the following SpeedTouch™ products:
The SpeedTouch™608/608WL (Wireless) Business DSL Routers Release R5.4
and higher.
The SpeedTouch™620 Wireless Business DSL Routers Release R5.4 and
higher.
In some SpeedTouch™ products, the IPSec VPN features are bundled in an
optional VPN software module. An optional VPN module is activated with a
VPN software activation key. By default, this key is not installed. If you want
to use the SpeedTouch™ VPN features, and the VPN software module is not
activated on your SpeedTouch™, please contact your local dealer.
Activating the VPN software module is described in the SpeedTouch™
Operator’s Guide.
Used Symbols The following symbols are used in this IPSec Configuration Guide:
A note provides additional information about a topic.
A tip provides an alternative method or shortcut to perform an action.
A caution warns you about potential problems or specific precautions that
!
need to be taken.
Terminology Generally, the SpeedTouch™ 608(WL) or SpeedTouch™620 will be referred to as
SpeedTouch™ in this IPSec Configuration Guide.
Documentation and
software updates
THOMSON continuously develops new solutions, but is also committed to improve
its existing products.
For suggestions regarding this document, please contact
documentation.speedtouch@thomson.net
For more information on THOMSON's latest technological innovations, documents
and software releases, visit us at:
www.speedtouch.com
.
E-DOC-CTC-20051017-0169 v1.0
9
About this IPSec Configuration Guide
10
E-DOC-CTC-20051017-0169 v1.0
1 IPSec: Concept for secure IP connections
Policies The introduction of network security mainly involves the application of traffic
policies. Firstly, the policies need to be defined, then it should be whether the
policies are correctly applied.
Security policies can apply to various levels. The IPSec protocol (Internet Protocol
Security) applies to the IP layer. This location of the IPSec protocol within the
layered network model makes it a generic solution for a wide range of applications.
Types of policies supported in the IPSec protocol:
user/entity authentication
level of encryption
validity time of the keys
...
The Target of IPSec The main goals for using the IPSec protocol suite are:
Integrity of data
It ensures that data has not been modified in transit.
Confidentiality of data
On non-trusted network sections, the data is encrypted. When this data is
intercepted, it cannot be interpreted by the eavesdropper.
User authentication
Ensures that you know the party you are communicating with, and that they
are who they say they are.
Chapter 1
IPSec: Concept for secure IP connections
In this section The following items are discussed in this section:
Topic Page
1.1 IPSec Concepts 12
E-DOC-CTC-20051017-0169 v1.0
11
Chapter 1
IPSec: Concept for secure IP connections
1.1 IPSec Concepts
Red and Black Network Following nomenclature will be used throughout this document:
The SpeedTouch™
The IPSec capable DSL router
The Red network
Private or trusted side of the SpeedTouch™.
The Black network
Public or non-trusted side of the SpeedTouch™. The black network is
frequently referred to as the WAN side, being the connection towards the
Internet.
Red network
node
SpeedTouch 620 [1] Red network
SpeedTouch 620 [2]
node
Red LAN
Trusted network side
Black network
Non-trusted network side
Red LAN
Trusted network side
Authentication Header The Authentication Header (AH) protocol allows to check the integrity of a data
packet. A digital signature (=hash) is computed over the entire packet, with the
exception of the mutable fields (fields that change during the transmission of the
packet - e.g. TTL counter).
As the use of the Authentication Header is deprecated, the SpeedTouch™
from Release onwards only supports the ESP protocol. Authentication
without encryption can be achieved by selecting ESP with NULL encryption.
Encapsulated Security
Payload
The Encapsulated Security Payload (ESP) protocol provides data confidentiality and
ensures data integrity (message authentication). ESP supports various encryption
algorithms, thus making the data unreadable for an eavesdropper. A Security
Association (SA) consists of a set of parameters, negotiated between two peers:
authentication type
compression, hashing or encryption algorithms
key size
key lifetime
...
12
E-DOC-CTC-20051017-0169 v1.0
Chapter 1
IPSec: Concept for secure IP connections
Internet Key Exchange The Internet Key Exchange (IKE) protocol is the negotiation protocol used to establish
an SA by negotiating security protocols and exchanging keys. First the IKE SA is set
up, then the IKE channel acts as a signalling channel to negotiate a general purpose
SA.
Phase 1
Phase 1 (IKE) SA
SA (ESP/AH)
SA (ESP/AH)
Phase 2 tunnel
Security Associations Within the IKE protocol, two phases are distinguished to set up a tunnel between
two peers:
Phase 1: negotiate a bi-directional IKE SA functioning as a signalling channel to
negotiate the Phase 2 SAs.
Phase 2: negotiate unidirectional IPSec Security Associations that will carry
general purpose traffic.
The IKE SA is bidirectional, whereas the Phase 2 SA is unidirectional: one Security
Association must be set up in each direction. The initiator and responder cookies
uniquely identify an IKE SA while each PH2 SA is uniquely identified by a SPI
(Security Parameter Index) value.
Per convention, throughout this document the IKE SA is referred to as the Phase 1
SA and the ESP SAs are referred to as the Phase 2 SA:
Phase 1 SA = IKE SA = secure Phase 1 tunnel
A pair of Phase 2 SAs = a secure Phase 2 tunnel
Tunnel Mode Using tunnel mode, the complete IP packet (including its IP header) is encapsulated
Transport Mode In transport mode, the IP header is transported unmodified. The use of transport
E-DOC-CTC-20051017-0169 v1.0
and a new IP header is attached. This allows for the original source and destination IP
addresses to be hidden from the outside world.
Red network
node
AB C D
AB AB
SpeedTouch620 [1] SpeedTouch620 [2]
CDAB
Red LAN Black LAN Red LAN
Red network
node
mode is limited to connections where the security gateway is acting as a host, e.g.,
for network management applications. When the SpeedTouch™ is managed from a
remote location via a VPN connection, transport mode can be used, because in this
case the SpeedTouch™ is the end user of this information stream.
13
Chapter 1
IPSec: Concept for secure IP connections
14
E-DOC-CTC-20051017-0169 v1.0
SpeedTouch™ IPSec terminology
2 SpeedTouch™ IPSec terminology
Introduction In order to understand the IPSec configuration of the SpeedTouch™, a number of
concepts and definitions are introduced in this section. The Graphical User Interface
(GUI) and the Command Line Interface (CLI) provide two alternative methods to
configure the IPSec functions. The GUI contains some scenario-driven pages, which
means that the configuration pages are grouped according to the intended network
application. The advanced GUI pages and the CLI are component-driven, which
means that network components are configured independently of each other. It is
up to the user to combine the configuration of various components in order to build
an operational node in the intended network environment.
The majority of IPSec configurations can be built with the Graphical User Interface.
Only in particular situations, it may be required to access some advanced functions
via the Command Line Interface. The terminology used in the CLI and GUI is similar.
The clarification of the concepts and terms refers to the command structure of the
CLI. The IPSec command group comprises a number of underlying command
groups, each containing a number of commands in a hierarchical way.
Chapter 2
In this section The following topics are discussed in this section:
Topic Page
2.1 Policy 16
2.2 Security Descriptor 17
2.3 Authentication Attribute 18
2.4 Peer (Phase 1) 19
2.5 Connection (Phase 2) 20
2.6 Network descriptor 21
E-DOC-CTC-20051017-0169 v1.0
15
Chapter 2
SpeedTouch™ IPSec terminology
2.1 Policy
What is ... Security is all about traffic policies and these can be configured using the IPSec
Static policy In a static network environment with fixed IP addresses, the policy can be
Dynamic policy In a more dynamic network environment, where IP addresses are dynamically
policy commands. By default, policy rules are automatically generated when the
IPSec connection is created and the user does not need to execute extra commands.
A set of rules defines whether a packet has to pass through a secure tunnel or not.
These rules are expressed in terms of IP addresses, protocols and/or ports that have
access to the secure connections. The user specifies and configures a general policy
in function of his overall security policy and the VPN network topology.
completely defined, and specific rules can be expressed in the configuration.
assigned, or where terminals may connect from various unknown locations, it may
be impossible to express a specific policy in the router configuration. In order to
cope with this situation, the SpeedTouch™ allows expressing a general policy in the
configuration. This general policy may include some placeholders for information
that becomes available only during the Security Association negotiations. The
specific policy rules are automatically derived from the general policy and the
outcome of the negotiations.
16
E-DOC-CTC-20051017-0169 v1.0
2.2 Security Descriptor
What is ... All security parameters required to establish a secure tunnel are grouped into a
string called Security Descriptor or simply descriptor. Two different sets of
descriptors are defined:
IKE session descriptors
IPSec descriptors
A Descriptor contains the methods for message authentication, encryption and
hashing, and the lifetime of the Security Association. A number of descriptors are
pre-configured in the SpeedTouch™. The user can modify these descriptors, or
define additional descriptors to fit his requirements.
IKE session Descriptor The IKE descriptor contains the following parameters:
Encryption method
Message integrity method (also called message authentication)
Diffie-Hellman group used for key generation
Lifetime of the Security Association.
Chapter 2
SpeedTouch™ IPSec terminology
IPSec Descriptor The IPSec descriptor contains the following parameters:
Encryption method
Message integrity method (also called message authentication)
Selection to use Perfect Forward Secrecy, or not
Lifetime of the Security Association
Encapsulation method.
E-DOC-CTC-20051017-0169 v1.0
17
Chapter 2
SpeedTouch™ IPSec terminology
2.3 Authentication Attribute
What is ... Two main methods for authentication are supported in the SpeedTouch™:
pre-shared key
certificates
The authentication parameters used for the IKE negotiations are bundled in the
SpeedTouch™ in a descriptor with a symbolic name.
This symbolic descriptor is called the Authentication Attribute, and is encountered
when you configure the SpeedTouch™ via the Command Line Interface.
For pre-shared key authentication, this attribute holds the pre-shared key. For
authentication with certificates it simply indicates the authentication method.
18
E-DOC-CTC-20051017-0169 v1.0
SpeedTouch™ IPSec terminology
2.4 Peer (Phase 1)
What is ... The Peer is a term that refers to the remote Security Gateway to which the IPSec
secure tunnel(s) will be established. In a first phase, an IKE Security Association is
negotiated between the SpeedTouch™ and a remote Security Gateway (peer). In
the configuration of the SpeedTouch™, the Peer bundles all the parameters
required to negotiate an IKE Security Association (Phase 1 SA), such as:
Address
The public IP address of the remote IPSec peer. Eventually a backup address
can be defined.
Local ID
The identity of the local peer, which is presented to the remote peer during the
Phase 1 negotiation. Various identity types are supported, such as: IP address,
Distinguished Name. FQDN, etc.
Remote ID
Similar to the Local ID, this parameter identifies the remote peer during the
Phase 1 negotiation. Various identity types are supported, such as: IP address,
Distinguished Name. FQDN, etc.
Authtype
Authentication method used: preshared key or with certificates.
XAuth user and password
Allows for a secondary authentication based on a legacy authentication
system
Descriptor
Refers to the Phase 1 security descriptor
The complete list of parameters is found in section “4.4 Peer” on page 118 and in
the CLI Reference Guide.
Chapter 2
E-DOC-CTC-20051017-0169 v1.0
19
Chapter 2
SpeedTouch™ IPSec terminology
2.5 Connection (Phase 2)
What is ... Bundles all the parameters required for the Phase 2 SA (IPSec) negotiation:
Peer
Reference, pointing to the peer configuration to be used. In fact, this refers to
the IKE channel used for the Phase 2 negotiations.
Local/remote range
Range of red IP addresses to which the IPSec policy applies.
Reference to the Network Descriptors.
Descriptor
Reference to the Phase 2 Security Descriptor grouping the security
parameters.
20
E-DOC-CTC-20051017-0169 v1.0
SpeedTouch™ IPSec terminology
2.6 Network descriptor
What is ... The concept of Network Descriptors is introduced for the first time in the
SpeedTouch™ R5.3. Not only the classical idea of an IP network or subnet is
comprised in this concept, but also the protocol and port number of the messages
can be specified, such that access to the VPN can be restricted to certain hosts,
protocols and port numbers.
Both the origin and destination traffic policies are expressed by referring to a
Network Descriptor. To this end, a symbolic name is attributed to a Network
Descriptor.
The definition of relevant Network Descriptors is linked with the topology of the VPN
that is constructed with the IPSec configuration. The Network Descriptors determine
the type of messages that will trigger the IPSec module.
Chapter 2
E-DOC-CTC-20051017-0169 v1.0
21
Chapter 2
SpeedTouch™ IPSec terminology
22
E-DOC-CTC-20051017-0169 v1.0
Configuration via Local Pages
3 Configuration via Local Pages
Prerequisites In order to use the VPN features in the SpeedTouch™608(WL)/620, you should
enable the VPN software module.
To activate this VPN module, you have to acquire the optional software activation
key. To check whether the software activation key is present, browse to the
SpeedTouch™ Web pages and go to Expert Mode > SpeedTouch > Add-On. This
page shows which keys are enabled. For more information , see the SpeedTouch™
Operator’s Guide.
IPSec Web Pages All IPSec configurations can be built by means of the SpeedTouch™ local Web
pages.
Application-oriented configuration pages gives you direct access to all relevant
parameters. Getting your IPSec configuration up and running is as easy as selecting
your application and filling out a few Web pages. The application-oriented pages
cover the most common application scenarios.
Additional Web pages are component-oriented and allow to control advanced
settings, such as certificates management and debugging options. The Advanced
Web pages allow you to build an operational IPSec configuration by combining
configuration components in a similar way as the underlying CLI commands.
Chapter 3
VPN Menu All IPSec related configuration pages are accessed via Expert Mode > VPN.
LAN to LAN
VPN Client
VPN Server
Certificates Access to the Certificate configuration
Advanced Access to the Advanced configuration
Debug Debugging pages, allowing you to
Access to user-friendly configuration
pages for these specific application
scenarios.
pages.
pages, reflecting the commands and
command groups of the CLI.
diagnose VPN connection problems.
E-DOC-CTC-20051017-0169 v0.1
23
Chapter 3
Configuration via Local Pages
In this section The following topics are discussed in this section:
Topic Page
3.1 LAN to LAN Application 25
3.2 VPN Client 51
3.3 VPN Server 63
3.4 Certificates 73
3.5 Advanced VPN Menu 75
24
E-DOC-CTC-20051017-0169 v0.1
3.1 LAN to LAN Application
Reference network A simple LAN-to-LAN network configuration is shown here.
Internet
Chapter 3
Configuration via Local Pages
SpeedTouch A SpeedTouch B
10.0.0.254 20.0.0.254
Host
10.0.0.1
100.100.0.1 200.200.0.1
Host
20.0.0.5
Network 10.0.0.0/24 Network 20.0.0.0/24
The figure shows two LAN networks connected via a SpeedTouch™ to the public
Internet. In each LAN segment, the IP addresses of the terminals are typically
managed by a DHCP server, which may be the built-in DHCP server of the
SpeedTouch™.
Making use of the VPN capabilities of the SpeedTouch™, it is possible to connect
the two LAN segments via a secure VPN tunnel over the public Internet. At each
peer the SpeedTouch™ serves as an IPSec Security Gateway.
A dedicated set of user-friendly configuration pages allows you to quickly and easily
implement this scenario. Selections are made in accordance to the data known to
the user, and the VPN layout.
The GUI pages are organized along two main alternative paths.
Path 1: You know exactly to which Remote Gateway you want to establish a
VPN connection. You know its location in the public Internet (either the IP
address or the domain name). This generally is the case in a symmetrical LANto-LAN scenario.
Path 2: Your SpeedTouch™ is located in a central facility where services are
provided to remote locations that require a secure connection. For the
moment, you have no idea which Remote Gateway may want to establish a
secure connection. In this case, your SpeedTouch™ always has the role of
responder in the VPN connection establishment negotiations. It can not initiate
the establishment of a VPN connection. This leads to an asymmetrical LAN-toLAN scenario, where one peer is always the responder, while the remote
peer(s) is/are the initiator. You can think of a corporate head quarter that
constructs a hub and spoke VPN network with its branch offices. It is
convenient to configure the SpeedTouch™ at the head quarter in such a way
that it will accept new branch offices in the VPN without requiring any
adaptation to its configuration.
E-DOC-CTC-20051017-0169 v0.1
25
Chapter 3
Configuration via Local Pages
Selecting the LAN to
LAN application
In Expert Mode, click VPN > LAN to LAN. As a result, the following page is shown
This page contains two main tab pages. Select one of the alternative pages,
according to which VPN context best describes your situation.
When you know the network address or domain name of the remote Security
Gateway, your SpeedTouch™ can either take the initiative to set up an IPSec
tunnel to that remote Gateway, or it can wait until the remote gateway
requests to set up a tunnel.
If this is the VPN context that best describes you situation, then select
Remote Gateway Address Known.
and proceed with section “3.1.1 Remote Gateway Address Known Page” on
page 27.
Alternatively, there may be no need to take the initiative to set up a VPN
tunnel. In your situation you rather wait until a remote Gateway requests you
to set up a tunnel. In this situation you may not even know the location of the
Remote Gateway. In this case, select
Remote Gateway Address Unknown.
and proceed with section “3.1.2 Remote Gateway Address Unknown Page” on
page 35.
In a simple LAN to LAN connection where two peers are connected, at least one of
the peers should be configured via Remote Gateway Address Known.
Outline of a
configuration procedure
26
Perform the following steps to configure your LAN to LAN application:
1 On the LAN to LAN Web page, select either Remote Gateway Address Known
or Remote Gateway Address Unknown.
2 Configure the Remote Gateway parameters.
3 Define the Connection parameters.
4 Save the configuration.
The configuration pages you encounter during this procedure are described in more
detail below.
E-DOC-CTC-20051017-0169 v0.1
Chapter 3
Configuration via Local Pages
3.1.1 Remote Gateway Address Known Page
VPN context You know the location of the Remote Gateway in the public Internet, either by its IP
address or its FQDN. In this case, the SpeedTouch™ can connect either as an
initiator or as a responder. As an initiator of a connection you are capable of starting
a secure connection from your SpeedTouch™. As a responder, a connection will be
started when the remote Security Gateway initiates the negotiations.
When this description fits best your VPN context, then the Remote Gateway
Address Known page is your starting page for the configuration of your LAN to LAN
scenario.
Initial page When you click Remote Gateway Address Known, the following page is displayed:
The page contains a number of buttons and fields to complete.
It is recommended to fill out the page from top to bottom, starting with the Remote
Gateway address parameters.
When you click a button, the page layout changes, revealing other fields and
buttons. More information about the various fields and buttons is found below.
E-DOC-CTC-20051017-0169 v0.1
27
Chapter 3
Configuration via Local Pages
Buttons You can use one of the following buttons:
Click ... To ...
Use Preshared Key Authentication Reveal additional parameter fields
required for the configuration of
Preshared Key Authentication.
Use Certificate Authentication Reveal additional parameter fields
required for the configuration of
Certificate Authentication.
Specify Additional Descriptors Reveal additional fields where you can
specify alternative IKE Security
Descriptors.
Add Add a completely configured peer to the
configuration
Remote Gateway The Remote Gateway parameters identify the peer Security Gateway in the IP
network.
Address or FQDN:
Fill out the publicly known network location of the remote Gateway. You can
specify the public IP address, if it is invariable and known. More often, the
publicly known FQDN (such as vpn.corporate.com) will be used.
Backup Address or FQDN:
This field can optionally be filled out in a configuration with a backup remote
Security Gateway. If no backup gateway is available, you leave this field open.
28
E-DOC-CTC-20051017-0169 v0.1
Loading...