Secure Computing SnapGear Application Note

APPLICATION NOTE
www.securecomputing.com
Setting up SnapGear for VoIP
This note describes how to set up SnapGear as an IPSec VPN gateway for Voice over Internet Protocol.
86-0948364-A
Table of Contents
Setting up SnapGear for VoIP
About this note
Powering on
Connecting
Logging in and configuring
Using QoS traffic shaping
Enabling and configuring ToS prioritization
Setting the Ethernet MTU for QoS
Using the SnapGear VPN solution
Updating firmware
Downloading a TSR
About this note
This application note describes how to set up SnapGear as an IPSec VPN gateway for Voice over Internet Protocol traffic. It also describes how to take advantage of SnapGear’s Quality of Service (QoS) bandwidth management features to maintain voice quality. The following is included:
Powering on
Connecting
Logging in and configuring
Using QoS traffic shaping
Enabling and configuring ToS prioritization
Setting the Ethernet MTU for QoS
Using the SnapGear VPN solution
Updating firmware
Downloading a TSR
Note: This document provides one method for configuring SnapGear for VoIP.
Additional configurations are detailed in the SnapGear Administration Guide, which is available at www.securecomputing.com > Support > Product documentation > Product Manuals.
Powering on
1 Do not connect any Ethernet cables. Plug the 5V DC mini-plug into the back of the SnapGear appliance.
2 Plug the AC plug (the three-prong plug) of the power adapter into an electrical outlet.
3 After 25 to 30 seconds, confirm the unit is in factory default mode by resetting it. To reset, gently press the Erase button on the rear panel twice within three seconds, one second apart. The unit will reboot into the factory default mode.
Figure 1 shows the SG565 after a reset, but before being connected to the network. All models except the SG300 power on with the front LEDs blinking green when in the factory default mode.
Figure 1: SG565 after a reset
Note: When powering down the appliance, it is a good practice to unplug the AC plug first in order to drain the power adapter, before unplugging the DC mini-plug.
Connecting
To connect the appliance to the network:
1 Connect the supplied cable into Ethernet port A1 on the appliance.
2 Connect the other end of the cable to a PC or workstation Ethernet jack. The PC or workstation should have a Java-enabled Internet browser such as Microsoft Internet Explorer or Mozilla Firefox installed.
Logging in and configuring
To log in and configure the appliance, follow the process described in Table 1, “Configuration sequence” below.
Table 1: Configuration sequence (the Configuration window column of the original table shows the screen for each step; the Actions column is reproduced here)
Configure the PC for IP address 192.168.0.2 by doing the following:
1 Select Start > Settings > Control Panel.
2 Double-click Network Connections.
3 Right-click Local Area Network, and then click Properties.
4 Select the Use the following IP address option, and then enter 192.168.0.2 in the IP address field.
The default gateway IP address is the factory default address of the SnapGear unit (192.168.0.1). DNS settings are not required at this time.
Note: Because the PC and the SnapGear are isolated during the initial configuration process, you can use any PC IP address in the range of 192.168.0.2 through 192.168.0.254.
Log into the unit by doing the following:
1 Enter http://192.168.0.1 into a Web browser.
2 Enter the default user name root in the User name field.
3 Enter the default password default in the Password field.
4 Click OK.
It is good practice to change the default root password. The SnapGear firmware automates this step after a reset:
1 Enter a new password in the New Password field.
2 The characters you type are masked, so you are required to enter the new password the same way twice to ensure it is changed as intended. Re-enter the password in the Confirm Password field.
Note: This password will be required for all administrative access until additional administrative accounts are created. If forgotten before these accounts are added, the appliance must be reset to the factory default mode to regain access.
3 Click Submit.
To subsequently change the root password:
1 Click Users under the System menu.
2 Edit the root user. You can also create new administrative accounts in this area.
It is good practice to cable the Ethernet port B for Internet access prior to running the Quick Setup Wizard. The Wizard can automatically configure some circuit types if the port is cabled prior to completing the Internet steps.
1 Connect the other end of the Ethernet cable to the cable modem, DSL router, or other device supplied by the ISP.
2 Cable and power that device as instructed by the ISP.
After setting the new root password, the Quick Setup Wizard starts on the LAN page. All of the settings established by the Wizard can be changed later using the regular menu system.
1 Type a unique hostname in the Hostname field. This name will identify the unit.
2 Leave the LAN Direct Connection Settings set to the default selection of Manual configuration.
3 Click Next.
1 Enter the SnapGear LAN address into the IP Address field. This is the address that all other hosts on the LAN will use as their default gateway, e.g. 192.168.0.254.
2 Enter the network mask into the Subnet Mask field. The example to the left showing the 24-bit mask length can also be entered as 255.255.255.0. SnapGear supports both classful and custom subnet masks.
3 If the other hosts on the LAN will receive their address assignments from this unit using the Dynamic Host Configuration Protocol (DHCP), enter the DHCP Server Address Range starting with the lowest address followed by a dash and the highest address.
4 Click Next.
1 Select an Internet Port Configuration for Ethernet Port B. Typically this port will be wired to a cable modem, a DSL or ADSL router, or some other router type that uses a direct connection. The window at left illustrates a cable modem connection.
2 Click Next.
Note: Click the round ? icon in any configuration window and select Open in a new window to read more detail about the task being performed. Selecting a new window or tab will avoid losing any work in the configuration window.
1 Select the Generic Cable Modem Provider option for most cable services.
2 Click Next.
Note: It is not advisable for a SnapGear to automatically acquire both its LAN and Internet IP addresses. At least one IP address should be static for proper administrative access. Attempting to use dynamic addresses on both the LAN and Internet interfaces will fail when using a cable modem.
1 Switch A should be left at the default setting of 4 LAN Ports if there is no requirement for multiple Internet links. It can always be changed later. For the greatest flexibility in setting up the SnapGear’s Quality of Service (QoS) features, do not configure more than one LAN/DMZ segment. Using 4 LAN Ports lets you plug up to four devices directly into the SnapGear. A SnapGear LAN port can also be expanded by cascading to an additional switch or hub.
2 Click Next.
Note: QoS is important for the quality of VoIP calls. The SnapGear’s QoS Autoshaper and ToS Packet Priority rules can prioritize real-time streaming protocols like VoIP.
The last step in the Quick Setup Wizard is the review page. It is especially important to confirm the new LAN settings. If the LAN IP address has been moved from the 192.168.0.0/24 network, communication with the PC will cease after the Finish button is clicked. In this example, all you have to do is adjust the web address in a Web browser to http://192.168.0.254. Remember to plan for any required changes to your PC’s Ethernet configuration prior to clicking the Finish button. When all changes are complete, click Finish.
The Quick Setup Wizard completes with a page containing links to the Save/Restore page and the Secure Computing SnapGear registration site. Assuming the cable modem is properly configured and attached, you can right-click the registration link and choose Open in New Window to register the SnapGear unit (not illustrated here).
Note: It is good practice to use the register online link http://my.securecomputing.com to register the unit serial number, activate Technical Support, and access the SnapGear Knowledge Base.
Clicking the Backup/Restore menu option opens the Remote Configuration Backup/Restore page. Enter and confirm a backup Password, then click Save.
Click the Save button in the File Download window and browse to the workstation file system to save the backup.
Internet access and DNS services are confirmed if you were able to browse to the registration site described earlier. If you were not able to browse to the site, under the System menu, select Diagnostics. Under the System tab, check the Connections table for Port B. If the State entry is Checking, the connection has not been completely negotiated.
Confirm all Internet cabling, power, and Internet Service Provider (ISP) instructions. Check the cabling for the ISP circuit; it can be a coaxial cable, a DSL phone line and filter adapter, or another cable type. Power cycle the ISP device and monitor the indicator lights on the device. Some cable modem providers recommend leaving their devices off for five minutes or more to ensure new circuit negotiation.
You may also check the connection by selecting Network Setup from the Network Setup Menu. On the Network Setup page, click the Retry button labeled Retry unsuccessful connections, then recheck the data on the Diagnostics, Connections table.
In the example to the left, the Connections table now shows that the Internet is up, and that an IP address has been assigned by the cable modem. The Internet listing above the Connections table also shows the data for the Internet Gateway and DNS servers on the ISP networks. If Internet browsing still fails, connectivity and DNS services can be further checked using this data. Additionally, you may:
Ping the ISP Gateway and DNS server IPs on the Network Tests tab to confirm server availability.
Trace Web browsing attempts on the Packet Capture tab.
Click the Help icon for additional instructions for using these tabs.
Using QoS traffic shaping
QoS (Quality of Service) traffic shaping is an advanced feature provided to allow the fine-tuning of network connections. Traffic shaping allows you to give preference to certain types of network traffic to maintain quality of service when a network connection is under heavy load.
Enabling QoS Autoshaper
The Autoshaper uses a set of built-in traffic shaping rules that create rate-controlled queues based on the upstream and downstream bandwidth to your ISP. It works in conjunction with the ToS Packet Priority configuration. (See “Using the SnapGear VPN solution”.) To activate traffic shaping and control rules, do the following:
1 Under the Network Setup menu, select QoS Traffic Shaping. If the QoS Autoshaper tab reads like Figure 2, you have failed to configure a LAN or Internet connection, or you have configured more than one LAN, for example, a wireless LAN.
If you must use the wireless LAN, additional LANs, or a DMZ, the QoS Autoshaper cannot be used. Some QoS priorities can still be set using the ToS Packet Priority tab. You may still use more than one Internet connection by setting the bandwidth for each connection as discussed below.
Figure 2: QoS Autoshaper in non-configurable state
2 If the QoS Autoshaper tab reads like Figure 3, click the Pencil & Paper icon on the far right side of the row to configure each connection.
Figure 3: QoS Autoshaper in configurable state
3 Set the Outbound Speed according to your ISP type.
a If you are running a DSL/ADSL connection to the Internet, enter bandwidth numbers approximately 80-90% of the most conservative measured speed.
b If you have a cable modem or other type of direct IP connection to the Internet, enter values much closer to 90-100%.
Use inbound or outbound speeds provided by your ISP, or tune these values by measuring actual conditions using your PC and any one of the free sites listed below. These sites allow you to select local or distant test servers to get a practical snapshot of how your VoIP bandwidth may be affected by call destination. It is good practice to use the most conservative figures for the most distant call destination that is used during routine business. This prevents other outbound applications from using too much of the available bandwidth and degrading call quality.
http://www.speedtest.net/ (international)
http://myvoipspeed.visualware.com/ (limited international)
http://www.speakeasy.net/speedtest/ (U.S. national)
On a cable modem, several sites provided a measured download (Inbound) speed of 6300 kilobits per second and an upload (Outbound) speed of 360 kilobits per second. In the example shown in Figure 3, you would set an Outbound Speed of 324 Kbps (360 Kbps x 0.9).
4 Setting the inbound speed has a less pronounced effect on call quality because the SnapGear must begin processing everything it receives in the order it is received, even if it is at different prioritized rates. You may wish to determine if your ISP offers inbound QoS options that will let you prioritize VoIP traffic over other inbound applications before the packets are sent to the SnapGear.
5 Set the full Inbound speed, for example 6300 Kbps, and click Finish.
Figure 4: Summary table
6 Review the Summary table.
7 Repeat the steps listed above for each Internet connection.
Enabling and configuring ToS prioritization
The ToS Packet Priority configuration works in conjunction with the QoS Autoshaper. (See “Enabling QoS Autoshaper” above.) The ToS Packet Priority configuration can also be used when the Autoshaper is not available.
1 Under the Network Setup menu, select QoS Traffic Shaping.
2 Select the ToS Packet Priority tab.
Figure 5: ToS Packet Priority tab
3 Click the Enable ToS Prioritization check box.
4 Set the Default priority to Medium or Low.
5 Click Submit.
6 The SnapGear unit can transmit ToS flagged packets according to ToS rules governed by VoIP service ports, source or destination address, or a combination of these factors. To set up rules, on the ToS Packet Priority tab, click the New button.
Figure 6: Edit ToS Packet Priority rule window
7 Select TCP or UDP from the Protocol list.
8 Click the New button next to the Ports window and enter the VoIP application port range. If the VoIP service port range is not known, you can still set a VoIP gateway IP as a source or destination address with a service of Any.
9 Select a predefined Source Address and Destination Address or click the New button to define new addresses.
10 Set the Priority to High, Medium, or Low. Only one or two critical applications should have a ToS Priority of High.
11 Click Finish. You are returned to the ToS Packet Priority tab.
Figure 7: ToS Packet Priority tab
12 Continue to define medium and low priority ToS rules as needed. ToS rules are not required for QoS, but they can solve problems if your VoIP application does not respond well to the QoS Autoshaper.
13 Services, sources, destinations, and groups of services, endpoints, or interfaces can also be defined from the Definitions menu. Once created, these objects appear in option lists throughout the SnapGear interface. To create these definitions, from the Firewall menu, select Definitions.
Note: Objects created with the New button will also be available.
Figure 8: Service Group tab
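The ToS rule evaluation described in steps 6 through 12 above, written out as an added example; it is not part of the original note or of SnapGear's firmware. It assumes rules are checked in list order with the first match winning and that a source or destination of Any is modelled as 0.0.0.0/0; the rule names, addresses and ports are constructed sample values.

```python
"""ToS Packet Priority rule evaluation for VoIP (added example, not SnapGear code).

Each rule keys on protocol, an optional port range, source and destination
addresses, and a priority of High, Medium or Low; traffic matching no rule
receives the Default priority. classify() shows which priority a flow would
get, and check_rules() flags rule sets that break the guidance that only one
or two applications should be High. Assumption: first matching rule wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PRIORITIES = ("High", "Medium", "Low")
ANY_ADDRESS = "0.0.0.0/0"   # stands in for a source/destination of "Any"


@dataclass
class ToSRule:
    name: str
    protocol: str                      # "TCP" or "UDP", as in the Protocol list
    ports: Optional[Tuple[int, int]]   # inclusive range; None means service "Any"
    source: str                        # CIDR network
    destination: str                   # CIDR network
    priority: str

    def matches(self, protocol: str, src: str, dst: str, port: int) -> bool:
        if protocol != self.protocol:
            return False
        if self.ports is not None and not self.ports[0] <= port <= self.ports[1]:
            return False
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


def classify(rules: List[ToSRule], protocol: str, src: str, dst: str,
             port: int, default: str = "Medium") -> Tuple[str, Optional[str]]:
    """Return (priority, rule name) for the first matching rule, else (default, None)."""
    for rule in rules:
        if rule.matches(protocol, src, dst, port):
            return rule.priority, rule.name
    return default, None


def check_rules(rules: List[ToSRule], max_high: int = 2) -> List[str]:
    """Return human-readable problems; an empty list means the rule set is sane."""
    problems = []
    for r in rules:
        if r.priority not in PRIORITIES:
            problems.append(f"{r.name}: unknown priority {r.priority!r}")
        if r.protocol not in ("TCP", "UDP"):
            problems.append(f"{r.name}: unknown protocol {r.protocol!r}")
        if r.ports is not None:
            lo, hi = r.ports
            if not (1 <= lo <= hi <= 65535):
                problems.append(f"{r.name}: invalid port range {lo}-{hi}")
    high = [r.name for r in rules if r.priority == "High"]
    if len(high) > max_high:
        problems.append(f"{len(high)} rules are High (keep it to {max_high}): {high}")
    return problems


# Constructed sample rule set: a VoIP gateway whose port range is unknown
# (service Any, keyed on its address), an explicit RTP media range for the
# rest of the LAN, and a low-priority bulk transfer that must not starve calls.
SAMPLE_RULES = [
    ToSRule("voip-gateway", "UDP", None, "192.168.0.10/32", ANY_ADDRESS, "High"),
    ToSRule("rtp-media", "UDP", (16384, 32767), "192.168.0.0/24", ANY_ADDRESS, "High"),
    ToSRule("bulk-backup", "TCP", (873, 873), "192.168.0.0/24", ANY_ADDRESS, "Low"),
]

if __name__ == "__main__":
    print(classify(SAMPLE_RULES, "UDP", "192.168.0.10", "203.0.113.5", 5060))
    print(check_rules(SAMPLE_RULES))
```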
Setting the Ethernet MTU for QoS
To optimize traffic shaping performance for VoIP on slower connections, set the outgoing interface MTU to 600, overriding the default, by doing the following:
1 From the Network Setup menu, on the Connections tab, click the Paper & Pencil icon and open the Ethernet configuration window for each Internet connection, starting with Port B.
Figure 9: Connections tab
2 Click the Ethernet Configuration tab.
Figure 10: Ethernet Configuration tab
3 Set the MTU field to 600.
4 Click the Update button.
Using the SnapGear VPN solution
The SnapGear unit can provide an economical, rapidly deployable VPN solution to carry VoIP traffic, especially when all of the VPN gateways are SnapGear units.
1 From the VPN menu, select IPSec.
Figure 11: IPSec menu option
2 Select the Enable IPSec check box.
3 Leave the MTU setting blank.
4 Click Submit.
The remainder of these steps assume a SnapGear-to-SnapGear VPN with fixed IP addresses on their Internet interfaces. Other configurations are provided in the SnapGear Administration Guide found at:
http://www.securecomputing.com/techpubs_download.cfm?id=2136
5 Click Quick Setup.
Figure 12: IPSec VPN Setup window
6 Enter a unique Tunnel name to identify this VPN circuit.
7 Click the Enable this tunnel check box.
8 Enter The remote party’s IP address using the Internet IP address of the far end SnapGear. Use IP addresses specific to your networks. Examples shown are for demo purposes only, and not part of a public test network.
9 Click the Predefined button next to the Local Network field.
10 Select Access all networks (default gateway) from the Local Network list.
11 Click the Predefined button across from the Remote Network field.
12 Select Access all networks (default gateway) from the Remote Network list.
13 Enter a Local Endpoint ID for this SnapGear using the format uniquename@yourcompany.com.
14 Enter a Remote Endpoint ID using the same format.
15 Enter a Preshared Secret of at least 21 characters that will be used in both endpoint configurations. Keep this preshared secret confidential.
16 Click Finish.
Figure 13: Tunnel status: Down example
Unless both VPN endpoints are configured, and have Internet access, the VPN connection status in the Tunnel List will display a status of Down (see Figure 13). If both endpoints are configured with reciprocal settings, the status quickly transitions from Negotiating Phase 1 to Negotiating Phase 2 and then to Running.
The VPN Quick Setup works best when the principle of reciprocal settings is understood.
In Figure 14, the Local Endpoint ID is Branch27@yourcompany.com.
Figure 14: Reciprocal settings local endpoint ID
This same data shows up as the Remote Endpoint ID in the HQ SnapGear VPN Quick Setup, shown in Figure 15. These are reciprocal settings and the principle is repeated in the remote party’s IP address. It is important to understand that the settings for a VPN tunnel are the same at both ends, but that the data for local and remote will change places for the far-end SnapGear.
Figure 15: Reciprocal settings remote endpoint ID
Note: The sample configuration is unusual in that it forms a dedicated VoIP VPN circuit between HQ and Branch27 SnapGear units due to the Access all networks (default gateway) settings used in the Local Network and Remote Network fields. This is the simplest possible setup and requires no knowledge of the local networks protected by each SnapGear, but it routes all outbound traffic between HQ and Branch27. There is no conventional Internet access without additional policy route configuration. Local Internet access and more granular LAN security can be achieved by selecting the Custom buttons and entering specific local and remote networks. Remember, a specific local network on the HQ SnapGear becomes the reciprocal remote network on the Branch27 SnapGear. Using specific networks only allows traffic destined for the remote network into the VPN tunnel.
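A check of the reciprocal-settings principle described above, as an added example that is neither the note's nor SnapGear's own code. It assumes each end's Quick Setup fields can be written down as the TunnelEnd record below; the HQ and Branch27 names follow the note, while the IP addresses and the preshared secret are constructed placeholders.

```python
"""Reciprocal-settings check for a SnapGear-to-SnapGear IPSec tunnel
(added example, not SnapGear code).

Each end's Quick Setup takes the remote party's IP address, Local and Remote
Endpoint IDs, Local and Remote networks and a Preshared Secret. The two ends
must mirror each other: HQ's local values are Branch27's remote values and
vice versa, and the secret is identical. check_reciprocal() compares two
endpoint configurations and lists every field that does not line up, which is
the first thing to look at when a tunnel sits in Negotiating Phase 1.
"""
from dataclasses import dataclass
from typing import List

ALL_NETWORKS = "Access all networks (default gateway)"
MIN_SECRET_LEN = 21     # "at least 21 characters", as the note requires


@dataclass
class TunnelEnd:
    name: str
    internet_ip: str          # this unit's own Internet (Port B) address
    remote_party_ip: str      # "The remote party's IP address" field
    local_endpoint_id: str
    remote_endpoint_id: str
    local_network: str        # ALL_NETWORKS or a specific network
    remote_network: str
    preshared_secret: str
    enabled: bool = True


def valid_endpoint_id(endpoint_id: str) -> bool:
    """Accept the uniquename@yourcompany.com form used for Endpoint IDs."""
    user, sep, domain = endpoint_id.partition("@")
    return bool(user) and sep == "@" and "." in domain and not domain.startswith(".")


def check_reciprocal(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Return mismatches between two tunnel ends; empty means they mirror each other."""
    problems = []
    for here, there in ((a, b), (b, a)):
        if not here.enabled:
            problems.append(f"{here.name}: tunnel is not enabled")
        if not valid_endpoint_id(here.local_endpoint_id):
            problems.append(f"{here.name}: Local Endpoint ID {here.local_endpoint_id!r} "
                            "is not in uniquename@yourcompany.com form")
        if here.remote_party_ip != there.internet_ip:
            problems.append(f"{here.name}: remote party IP {here.remote_party_ip} is not "
                            f"{there.name}'s Internet address {there.internet_ip}")
        if here.remote_endpoint_id != there.local_endpoint_id:
            problems.append(f"{here.name}: Remote Endpoint ID {here.remote_endpoint_id} "
                            f"does not equal {there.name}'s Local Endpoint ID")
        if here.remote_network != there.local_network:
            problems.append(f"{here.name}: Remote Network {here.remote_network!r} "
                            f"does not equal {there.name}'s Local Network")
    if a.preshared_secret != b.preshared_secret:
        problems.append("preshared secrets differ between the two ends")
    if min(len(a.preshared_secret), len(b.preshared_secret)) < MIN_SECRET_LEN:
        problems.append(f"preshared secret is shorter than {MIN_SECRET_LEN} characters")
    return problems


# Constructed sample: the dedicated HQ/Branch27 VoIP circuit from the note,
# both ends using Access all networks (default gateway). Addresses and the
# secret are placeholders, not values from the note.
SECRET = "constructed-placeholder-secret-0123456789"
HQ = TunnelEnd("HQ", "198.51.100.1", "203.0.113.27",
               "HQ@yourcompany.com", "Branch27@yourcompany.com",
               ALL_NETWORKS, ALL_NETWORKS, SECRET)
BRANCH27 = TunnelEnd("Branch27", "203.0.113.27", "198.51.100.1",
                     "Branch27@yourcompany.com", "HQ@yourcompany.com",
                     ALL_NETWORKS, ALL_NETWORKS, SECRET)

if __name__ == "__main__":
    print(check_reciprocal(HQ, BRANCH27))   # [] when the ends mirror each other
```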
Figure 16: Typical VPN failure
A typical VPN failure is illustrated in Figure 16, where one end of the VPN is stuck in Negotiating Phase 1.
Right-click the Status link and choose Open in New Window to scroll down the IPSec Log.
Figure 17: IPSec log
The Connection Details and Negotiation State listings usually provide the best clues as to what is wrong. In Figure 17, the EVENT_RETRANSMIT in 2 s (seconds) indicates that the HQ SnapGear cannot reach the Branch27 SnapGear.
Figure 18: Tunnel status Running example
A quick phone call to the Branch27 manager reminding them not to unplug the SnapGear when plugging in the coffee pot solved the problem as shown in Figure 18. More complex problems may require a call to Secure Computing Technical Support at 1-800-700-8328. Please have a registered SnapGear serial number handy when you call.
Updating firmware
If your SnapGear unit has different screens than those described in this or another SnapGear guide, or if it is missing some features, you may check your firmware version by selecting the Diagnostics option under the System menu.
Figure 19: Diagnostics page
The SnapGear version that is currently running on the unit is displayed on the System tab. To download a newer firmware version, open a Web browser to http://my.securecomputing.com/.
Note: Firmware upgrades for SnapGear products are available for download by customers who have registered their products and are entitled to software support. First ensure that you have a username and password for http://my.securecomputing.com/ and that you have registered your SnapGear products.
Once you have registered an account and have logged into the site, the link for firmware downloads should be visible within the left navigation pane.
Before downloading firmware to your SnapGear appliance, we recommend that you read article 2725 in the SnapGear Knowledge Base. Use an Exact Phrase search for SnapGear: Upgrading your unit. The Knowledge Base is found at http://sgkb.securecomputing.com.
Downloading a TSR
It is a good practice to download a Technical Support Report (TSR) from your SnapGear, and send it to Secure Computing Technical Support if you contact them with a support issue. To download a TSR:
1 From the System menu, select the Help & Support option.
2 Select the Technical Support tab.
Figure 20: Technical Support tab
3 Click the Download the Technical Support Report link.
Figure 21: File Download window
4 Click the Save button in the File Download window, then browse to the workstation file system to save the report.
Technical Support can be reached at 1-800-700-8328. Be sure to have a registered SnapGear serial number handy when you call.
Product names used within are trademarks of their respective owners. Copyright © 2008 Secure Computing Corporation. All rights reserved.