THE SPECIFICATIONS REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO
CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND
RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE
PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST
TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Licenses
Software
VPNet Technologies, Inc. (“VPNet”) and its suppliers grant to Customer
(“Customer”) a nonexclusive and non-transferable license to use VSU VPNos
(“Software”) in object code form on a single VPNware VSU device owned or
leased by Customer.
Customer may make one (1) archival copy of the Software provided Customer affixes to such copy all
copyright, confidentiality and proprietary notices that appear on the original. EXCEPT AS
EXPRESSLY AUTHORIZED ABOVE, CUSTOMER SHALL NOT: COPY, IN WHOLE OR IN
PART, SOFTWARE OR DOCUMENTATION; MODIFY THE SOFTWARE; REVERSE COMPILE
OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR RENT, LEASE,
DISTRIBUTE, OR CREATE DERIVATIVE WORKS OF THE SOFTWARE.
Customer agrees that aspects of the licensed materials, including the specific design and structure of
individual programs, constitute trade secrets and/or copyrighted material of VPNet. Customer agrees
not to disclose, provide, or otherwise make available such trade secrets or copyrighted material in any
form to any third party without the prior written consent of VPNet. Customer agrees to implement
reasonable security measures to protect such trade secrets and copyrighted material. Title to Software
and documentation shall remain solely with VPNet.
The license is effective until terminated. Customer may terminate this License at any time by
destroying all copies of Software including any documentation. This License will terminate
immediately without notice from VPNet if Customer must destroy all copies of Software.
Software, including technical data, is subject to U.S. export control laws, including the U.S. Export
Administration Act and its associated regulations, and may be subject to export or import regulations
in other countries. Customer agrees to comply strictly with all such regulations and acknowledges
that it has the responsibility to obtain licenses to export, re-export, or import Software.
This License shall be governed by and construed in accordance with the laws of the State of
California, United States of America, as if performed wholly within the state and without giving
effect to the principles of conflict of law. If any portion hereof is found to be void or unenforceable,
the remaining provisions of this License shall remain in full force and effect. This license constitutes
the entire License between the parties with respect to the use of the Software.
Restricted Rights – VPNet’s software is provided to non-DOD agencies with RESTRICTED
RIGHTS and its supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or
disclosure by the Government is subject to the restrictions set forth in subparagraph ‘C’ of the
Commercial Computer Software – Restricted Rights clause at FAR 52.227-19. In the event the sale is
to a DOD agency, the government’s rights in software, supporting documentation and technical data
are governed by the restrictions in the Technical Data Commercial Items clause DFARS 252.227-7015 and DFARS 227.7202.
VSU-5000 User Guide
Limited Warranty
Hardware
VPNet Technologies, Inc. (“VPNet”) warrants that for a period of one (1) year from the date of
shipment from VPNet that the Hardware will be free from defects in material and workmanship under
normal use. This limited warranty extends only to Customer as the original purchaser. Customer’s
exclusive remedy and the entire liability of VPNet and its suppliers under this limited warranty will
be, at VPNet or its service center's option, repair or replacement within ten (10) business days or
refund of the Hardware if returned to the party supplying the Hardware to Customer, freight and
insurance prepaid. VPNet replacement parts used in Hardware repair may be new or equivalent to
new.
Restrictions. This warranty does not apply if the product (a) has been altered, except by VPNet, (b)
has not been installed, operated, repaired, or maintained in accordance with instructions supplied by
VPNet, (c) has been subjected to abnormal physical or electrical stress, misuse, negligence, or
accident, or (d) is used in ultrahazardous activities.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS
OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT
ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL VPNET OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE,
PROFIT, OR DATA, OR FOR SPECIAL INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR
PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE PRODUCT EVEN IF
VPNET OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall VPNet's or its suppliers’ liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations
shall apply even if the above-stated warranty fails of its essential purpose.
Software
VPNet warrants that for a period of ninety (90) days from the date of shipment from VPNet: (i) the
media on which the Software is furnished will be free of defects in materials and workmanship under
normal use; and (ii) the Software substantially conforms to its published specifications. Except for the
foregoing, the Software is provided AS IS. This limited warranty extends only to Customer as the
original licensee. Customer’s exclusive remedy and the entire liability of VPNet and its suppliers
under this limited warranty will be, at VPNet or its service center’s option, repair, replacement, or
refund of the Software if reported (or, upon request, returned) to the party supplying the Software to
Customer. In no event does VPNet warrant that the Software is error free or that Customer will be
able to operate the Software without problems or interruptions.
Restrictions. This warranty does not apply if the product (a) has been altered, except by VPNet, (b)
has not been installed, operated, repaired, or maintained in accordance with instructions supplied by
VPNet, (c) has been subjected to abnormal physical or electrical stress, misuse, negligence, or
accident, or (d) is used in ultrahazardous activities.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL
EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES
INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OR
ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE, ARE HEREBY
EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL VPNET OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE,
PROFIT, OR DATA, OR FOR SPECIAL INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR
PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE PRODUCT EVEN IF
VPNET OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall VPNet’s or its suppliers’ liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by the Customer. The foregoing
limitations shall apply even if the above-stated warranty fails of its essential purpose.
VPNware, VSU-1200, VSU-1100, VSU-1000, VSU-10, VPNmanager, VPNremote, VPLink, and
VPNet are trademarks belonging to VPNet Technologies, Inc. MD5 Message Digest Algorithm
Copyright RSA Security, Inc. All other product names mentioned in this manual are trademarks or
registered trademarks of their respective manufacturers.
Compliance
The following information is for FCC compliance of Class A devices: This equipment has been tested
and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules.
These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates, uses, and can radiate
radio-frequency energy and, if not installed and used in accordance with the instruction manual, may
cause harmful interference to radio communications. Operation of this equipment in a residential area
is likely to cause harmful interference, in which case users will be required to correct the interference
at their own expense.
BMSI (Chinese Warning Label)
Hardware, including technical data, is subject to U.S. export control laws, including the U.S. Export
Administration Act and its associated regulations, and may be subject to export or import regulations
in other countries. Customer agrees to comply strictly with all such regulations and acknowledges
that it has the responsibility to obtain licenses to export, re-export, or import hardware.
Trademarks
VSU, VPNmanager, VPNremote, VPLink, VPNos, and VPNet are trademarks belonging to VPNet
Technologies, Inc. MD5 Message Digest Algorithm copyright RSA Data Security, Inc. All other
product names mentioned in this manual are trademarks or registered trademarks of their respective
manufacturers.
Copyright
VSU-5000 VPN Service Unit User Guide
Copyright 2001 VPNet Technologies, Inc.
All rights reserved. Printed in USA.
This user guide provides installation and configuration information for the
VSU-5000 VPNware Service Units.
The VSU-5000 adds compression, encryption, authentication, and key
management to public data links to ensure privacy and integrity of corporate
data, and to enable the efficient and secure operation of virtual private networks
(VPNs). It is designed to perform complex operations, in real time, without
compromising network performance, and in many cases can actually increase
data throughput.
Security
The VSU-5000 provides data stream privacy by employing cryptographic
algorithms and keys powerful enough for the most sensitive business
communications. It supports DES and Triple DES encryption, as well as the
ISAKMP and SKIP key management standards. Using SKIP, the VSU-5000 is
able to change keys frequently during transmission.
Data authenticity is assured by using MD5™ or SHA-1 hashing to reject altered
or forged packets. All security mechanisms employed by the VSU-5000 conform
to IPSec standards, in order to provide interoperability and broaden the use of
VPN technology.
Performance
The VSU-5000 supports IP over 10BASE-T or 100BASE-T local area networks
(LAN). Up to 5000 concurrent site-to-site IPSec sessions are supported. When
packets are encrypted and authenticated according to IPSec guidelines, additional
bytes—in the form of IPSec headers—must be added to packets. In many cases,
the additional packet overhead imposes a performance penalty in return for
security. The extra bytes tend to lengthen packets and reduce the throughput
(measured in packets per second). Of even greater impact is the tendency for
packets lengthened by IPSec headers to be fragmented by network routers,
causing further reductions in performance and additional latency. Real-time
compression performed by the VSU-5000 eliminates packet fragmentation and
produces fewer, smaller packets, which can significantly enhance network
throughput and performance.
Plug-and-Play Installation
The VSU-5000 can be placed anywhere in a 10/100BASE-T LAN to provide
VPN functionality. Native support for IP ensures that the VSU-5000
interoperates transparently with the broadest range of intranet and other network
applications.
The graphical VPNmanager™ (available separately) steps network managers
through the setup process and allows them to configure a VPN in minutes. The
VPNmanager also supports extensive facilities for VPN monitoring and
troubleshooting, and for establishing multi-company extranets. The VSU-5000
provides support for the RADIUS protocol, enabling VPNs that support
thousands of remote users and a variety of mechanisms for remote user
authentication.
How This Book Is Organized
Chapter 1, Preparing for Installation, includes safety, environmental, and
equipment requirements, as well as guidance in planning a VSU-5000
installation.
Chapter 2, Installing the VSU-5000, provides VSU rack mounting instructions,
an overview of the back panel, and a procedure for physical installation,
including placement and connection to the network.
Chapter 3, Preparing the VSU-5000 for Configuration, provides instructions for
setting up VSU-5000 addressing and enabling remote connectivity for using the
VPNmanager, VPNet’s VPN network management application.
Appendix A documents physical, environmental, electrical, and
compliance specifications, as well as additional features.
Appendix B provides pinouts for
VSU-5000 crossover cabling between the VSU-5000 and Router.
Change History
Added FIPS Mode and General Firmware
Upgrade Information
Product Registration
To register the VSU-5000, navigate to http://www.vpnet.com on the World
Wide Web.
Contacting Technical Support
Technical support is available to registered users of the VSU-5000.
• Voice: 1-888-VPNET-88 (within U.S.) or 408-445-6600 (outside U.S.)
• FAX: 408-404-1414
• Email: support@vpnet.com
• World Wide Web: http://www.vpnet.com
Chapter 1 Preparing for Installation
This chapter includes safety, environmental, and equipment requirements, as
well as guidance in planning the VSU-5000 installation.
Safety Recommendations
When using the VSU-5000, follow these safety guidelines:
• Keep the chassis area clear and dust-free during and after installation.
• Keep the VSU-5000 ventilation gratings clear of any blockages.
• Do not rest equipment in excess of 10 lbs. on top of the VSU-5000 chassis.
• Disconnect all power before doing the following:
  • Changing the Ethernet or serial port connection
  • Removing a chassis
• Never assume power is disconnected from a circuit. Always check.
NOTE: The VSU-5000 is enclosed in a tamper-evident case that meets U.S.
NIST FIPS 140-1 Level Physical Security and may be replaced only by an
authorized service technician.
General Site Requirements
This section describes the requirements your site must meet for safe installation
and operation of your system. Ensure that your site is properly prepared before
beginning installation.
Configuring Equipment Racks
The VSU-5000 can be placed on a desktop or mounted in a rack. The location of
the chassis and the layout of your equipment rack or wiring room are extremely
important for proper system operation. Equipment placed too close together,
inadequate ventilation, and inaccessible panels can cause system malfunctions
and shutdowns, and can make system maintenance difficult.
The following information will help you plan an acceptable equipment rack
configuration.
• Enclosed racks must have adequate ventilation. Ensure that the rack is not
  overly congested because each unit generates heat. An enclosed rack should
  have louvered sides and a fan to provide cooling air.
• When mounting a chassis in an open rack, ensure that the rack frame does not
  block the ventilation grates. If the chassis is installed on slides, check the
  position of the chassis when it is seated all the way into the rack.
• In an enclosed rack with a ventilation fan in the top, excessive heat generated
  by equipment near the bottom of the rack can be drawn upward and into the
  ventilation grates of the equipment above it in the rack. Ensure that you
  provide adequate ventilation for equipment at the bottom of the rack.
Power Supply Considerations
Check the power at your site to ensure that you are receiving “clean” power (free
of spikes and noise). Install a power conditioner if necessary.
Circuit Breaker (15A) Warning
WARNING: This product relies on the building's installation for short-circuit
(overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120
VAC, 15A U.S. (240 VAC, 10A international) is used on the phase conductor (all
current-carrying conductors).
SELV Circuit Warning
WARNING: The Ethernet 10/100BASE-T, serial, console, and auxiliary ports
contain safety extra-low voltage (SELV) circuits. Do not connect to a telephone
line.
Environmental Requirements
The VSU-5000 is intended for use in a normal office environment. For more
extreme conditions, verify that temperature, humidity, and power conditions
meet the specifications indicated in Table 1-1.
Table 1-1 Environmental Requirements
Item                 Operating Specification
Temperature          32-122°F, 0-50°C
Relative Humidity    5-90%, non-condensing
Altitude             0-12,000 feet, 0-3,660 meters
Voltage              100-240 VAC
Input Frequency      50-60 Hz
AC input current     2.5 Amps
Additional VSU-5000 specifications are included in Appendix A.
Required Tools
The VSU-5000 chassis can be mounted in a standard 19-inch equipment rack.
Rack mounting requires a Phillips-head screwdriver, the VSU rack mount
bracket kit, and four screws to match the rack. (Screws for attaching the
mounting brackets to the chassis are provided.) Instructions for rack mounting
are provided in the section “Rack Mount” on page 2-1.
Required Equipment
The VSU-5000 shipping carton contains:
Quantity   Part Description
1          VSU-5000 VPN Service Unit
1          VSU-5000 VPN Service Unit User Guide
1          UTP Crossover Cable (for connection to a router, switch, or hub)
1          Null Modem Cable (for connection to the VSU Console port)
1          Power cord (110V) or Power cord (230V)
1          Rack mount kit
4          Rubber feet for desktop installations
To use the VSU-5000 in a typical VPN application, the customer must supply:
• Routers providing connectivity to a WAN such as the Internet
• An asynchronous ASCII terminal supporting RS-232 or a PC running
  terminal emulation software
• Host computers capable of communicating with the routers via a LAN
• CAT 3 or 5 UTP cable to interconnect router, VSU-5000, and hub(s)
Chapter 2 Installing the VSU-5000
This chapter provides instructions for the physical installation of the VSU-5000,
including rack mounting, placement, and connection to the network.
Physical Installation
The VSU-5000 can be placed on a desktop or mounted in a rack.
Desktop
To install on a desktop, allow sufficient depth in the rear for cabling and on the
sides for ventilation flow.
Rack Mount
The VSU-5000 ships with a VSU rack mount bracket kit, which includes two
L-shaped brackets that attach to the sides of the VSU-5000 and to the front of the
rack.
To attach the VSU-5000 to a standard 19-inch equipment rack:
1. From one side of the VSU-5000, remove the two front side screws
   (Figure 2-1).
Figure 2-1 Removing the Rack Mount Screws
2. Using the flat-head screws provided with the bracket, attach the bracket to the
   VSU-5000 (Figure 2-2).
Figure 2-2 Attaching the Rack Mount Brackets
3. Repeat bracket installation on the other side of the VSU-5000.
4. Install the VSU-5000 into a standard 19-inch rack, using screws that fit the
   rack (not provided).
Overview of Front Panel
Figure 2-3 shows the front panel view of the VSU-5000.
Figure 2-3 Front Panel of the VSU-5000 (callouts: Status Indicator, Fault Indicator, Console Port, Aux Port, Public Port, Private Port, Ethernet Port Status Indicators)
Console and Auxiliary Ports
The auxiliary port on the VSU-5000 is used for factory testing only and has no
function in normal operation.
The console port accepts an RS-232 DB-9 connection from an asynchronous
ASCII terminal or a PC running terminal emulation software. The connection
requires a null modem cable, which is supplied.
The communication settings for a device interfacing with the console port are
provided in Table 2-1.
Table 2-1 Terminal Settings
Parameter      Setting
Baud           9600
Data Bits      8
Stop bits      1
Parity         None
Flow control   Hardware (RTS/CTS)
Public and Private Ports
The Public port provides an interface to the public network, while the Private
port provides an interface to the private network.
The Public and Private ports are Ethernet 10/100BASE-T compliant host ports.
They accept category 3 or 5 UTP cabling terminated in an RJ-45 connector per
IEEE 802.3 requirements for 100/10BASE-T. The Ethernet ports do not provide
a cross-over function and thus expect to be connected via straight through UTP
cables to a 10/100BASE-T hub or switch.
Ethernet Port Status Indicators
The status indication of the four LEDs on the Ethernet card is listed below:
Table 2-2 Ethernet Card LED Indicators
LED      Indication
LK10     Lights up = 10 Mbps connection
LK100    Lights up = 100 Mbps connection
FDX      Lights up = Full Duplex Mode
ACT      Blinks = Transmit/Receive data
Connecting the VSU-5000 to the Network
Figure 2-4 shows a typical network using the VSU-5000.
Figure 2-4 Example of Two VSU-5000 Hardware Installations (diagram labels: Private LAN, VSU-5000, Crossover Cable, Router, DSU/CSU, Public Network)
1. Connect the gateway router to the VSU-5000.
   Using the supplied UTP crossover cable, connect one end to the public port on
   the VSU-5000. Connect the other end of the UTP crossover cable to the
   router’s Ethernet port (Figure 2-5).
Figure 2-5 Attaching a Router to the VSU-5000 (diagram labels: Connect UTP Crossover Cable between the VSU-5000 Public Port and the Router; Private LAN Connection)
2. Connect the VSU-5000 private (unencrypted) port to the LAN hub or switch
   using the supplied straight-through cable.
3. Connect an asynchronous ASCII terminal or PC running terminal emulation
   software to the VSU-5000.
   Connect the female DB-9 connector of the null modem cable to the Console
   port on the VSU-5000. Connect the other female DB-9 connector to the
   terminal. The terminal’s communications parameters should be set to 9600
   baud, 8 data bits, 1 stop bit, no parity, and hardware flow control.
4. Power on the router, and configure if necessary.
5. Power on the VSU-5000 and proceed to Chapter 3, Preparing the VSU-5000
   for Configuration.
Chapter 3 Preparing the VSU-5000 for Configuration
Preparation
Before the VSU-5000 can be incorporated into a Virtual Private Network (VPN),
it must be configured through the VPNmanager. However, to enable
communication between the VPNmanager and the VSU-5000, you must first
assign an IP address, subnet mask, and default route to the VSU-5000.
This chapter describes how to set up the VSU-5000 addressing and remote
connectivity capabilities in preparation for remote configuration using the
VPNmanager software. This preliminary configuration is performed using a
terminal (or a PC running terminal emulation software) connected to the RS-232
console port.
The following procedure assumes that the VSU-5000 has been physically
installed on the network, according to the instructions provided in Chapter 2.
Configuration
Beginning with VPNware 3.1, the following information is configured through
the VSU console Quick Setup:
• The VSU’s IP address and mask.
• The VSU’s secondary IP address and mask (Optional).
• The VSU’s default route.
• The VSU console password. Beginning with VPNware 3.1, if you forget this
  password and need console access, it can be changed through the
  VPNmanager’s Configuration console. Select the VSU Advanced Action tab,
  then the Reset Password dialog box.
• The SuperUser name. This is the name that is authorized to perform any kind
  of configuration request on a VSU. This name is provided by the
  VPNmanager administrator the first time the VSU is added into the
  VPNmanager database. The SuperUser name is case sensitive.
• The SuperUser password. This password authenticates the SuperUser name.
  The SuperUser password is case sensitive. If the VPN administrator forgets
  the SuperUser password, the VSU may still be reconfigured through the VSU
  console Quick Setup menu as long as the administrator has access to the VSU
  console and knows the VSU console password.
• Configuration of blocking mode. This involves selecting one of three filtering
  choices according to your organization’s security policy:
  Permit all non-VPN traffic - When checked (default), all non-VPN traffic is
  allowed to pass through the VSU.
  Deny all IP non-VPN traffic - When checked, all non-IP traffic is passed
  through the VSU. All non-VPN IP traffic is dropped except for the following:
  ICMP, IGMP, GGP, EGP, IGP, DGP, EIGRP, and OSPF.
  NOTE: This mode should be used when the VSU is dedicated to VPN traffic
  and is the only device between the private and the public networks.
  Deny all non-VPN traffic - When checked, all non-VPN traffic is prevented
  from passing through the VSU. This mode blocks non-IP traffic and non-VPN
  IP traffic including broadcast traffic (e.g. ARPs), IP-multicast traffic (e.g.
  OSPF updates) and other traffic containing routing information.
  NOTE: This mode should be used when the VSU is dedicated to VPN traffic
  and is in parallel with another device (such as a router or firewall) that will
  enforce the network's non-VPN traffic policy. This mode should not be used
  when the VSU is the only path between network devices and a router with
  which those devices need to communicate.
• Setting the unit to run in FIPS-compliant mode or not.
• The current time and date.
NOTE: Each of these items is preserved over firmware upgrades.
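The three blocking modes listed above, modelled as a decision function over raw Ethernet frames; this is an added example, not VPNet firmware or code from the manual. It assumes untagged Ethernet II framing and takes VPN membership as a caller-supplied flag (`is_vpn`), because this page does not describe how the VSU identifies VPN traffic; the sample frames are constructed.

```python
"""Model of the VSU non-VPN blocking modes (illustration only)."""
import struct
from enum import Enum

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# IANA IP protocol numbers for the exceptions the manual lists for mode 2.
MODE2_EXEMPT = {1: "ICMP", 2: "IGMP", 3: "GGP", 8: "EGP", 9: "IGP",
                86: "DGP", 88: "EIGRP", 89: "OSPF"}


class Mode(Enum):
    PERMIT_ALL = 1         # menu item 1: Permit all non-VPN traffic (default)
    DENY_IP_NON_VPN = 2    # menu item 2: Deny IP non-VPN traffic only
    DENY_ALL_NON_VPN = 3   # menu item 3: Deny all non-VPN traffic


def classify(frame: bytes):
    """Return (is_ip, ip_protocol) for an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return False, None
    if len(frame) < 14 + 20:
        raise ValueError("truncated IPv4 header")
    return True, frame[14 + 9]   # protocol field is byte 9 of the IPv4 header


def decide(mode: Mode, frame: bytes, is_vpn: bool = False):
    """Return (forwarded, reason) for one frame under the given mode.

    is_vpn is an assumption of this model: the caller says whether the
    frame belongs to a configured VPN. The modes only govern non-VPN traffic.
    """
    if is_vpn:
        return True, "VPN traffic is not subject to the blocking mode"
    is_ip, proto = classify(frame)
    if mode is Mode.PERMIT_ALL:
        return True, "mode 1 forwards all non-VPN traffic"
    if mode is Mode.DENY_ALL_NON_VPN:
        return False, "mode 3 drops all non-VPN traffic"
    if not is_ip:
        return True, "mode 2 passes non-IP traffic"
    if proto in MODE2_EXEMPT:
        return True, f"mode 2 exempts {MODE2_EXEMPT[proto]}"
    return False, f"mode 2 drops non-VPN IP protocol {proto}"


def eth_frame(ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed sample frame: broadcast destination, locally administered source."""
    src = bytes.fromhex("020000000001")
    return b"\xff" * 6 + src + struct.pack("!H", ethertype) + payload


def ipv4_frame(proto: int) -> bytes:
    """Constructed minimal IPv4 header (checksum left at zero) inside a frame."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth_frame(ETHERTYPE_IPV4, header)


# Constructed samples covering the cases the manual calls out.
SAMPLES = {
    "ARP": eth_frame(ETHERTYPE_ARP, bytes(28)),
    "ICMP": ipv4_frame(1),
    "TCP": ipv4_frame(6),
    "OSPF": ipv4_frame(89),
}


def matrix():
    """Forwarding decision for every sample under every mode."""
    return {name: {mode.name: decide(mode, frame)[0] for mode in Mode}
            for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:5}", row)
```

The matrix makes the manual's caution concrete: under mode 3, ARP and OSPF from non-VPN hosts are dropped, which is why that mode is unsuitable when the VSU is the only path to the router.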
When the VSU-5000 is powered on for the first time, the terminal screen should
display the initial power on bootup screen shown in Figure 3-1.
VPNet Service Unit Model XXXX 3DES ENCRYPTION
Runtime System version x.x.xx, x/xx/2000
Copyright (C) 1996-2000 VPNet Technologies, Inc. All Rights Reserved.
-- Month Day 2000, 17:06:01 --
ethernet0: MAC Address 00:60:a1:00:23:f9
ethernet1: MAC Address 00:60:a1:00:23:fa
ethernet2: MAC Address 00:60:a1:00:16:9a
ethernet3: MAC Address 00:60:a1:00:16:9b
Checking Non Volatile RAM integrity... OK
Checking Configuration Database... OK
Checking Certificate Database... OK
Calibrating CPU performance monitor... OK
Power/Cooling subsystems Monitor initializing...
Power Subsystem is Good.
Cooling Subsystem Good.
...Done.
VPNet Technologies - VSU XXXX 3DES ENCRYPTION - Main Menu
1) Configuration
2) Statistics
3) Utilities
4) Logout
5) Quick Setup
Your choice [1-5]:
Figure 3-1Initial Power On Bootup Screen for VSU
Preconfigure the VSU-5000 to communicate with the VPNmanager using the
Quick Setup menu selection as described below:
1. From the Main Menu, select 5) Quick Setup.
VPNet Technologies - VSU XXXX- Main Menu
1) Configuration
2) Statistics
3) Utilities
4) Logout
5) Quick Setup
Your choice [1-5]: 5
You will be prompted for the information required to set up the VSU. To
accept the current value and go to the next prompt, press Return.
2. Enter the IP address and netmask assigned to the VSU.
IP address: 192.0.2.1 Mask: 255.255.255.0
IP address: 210.1.18.135
IP mask: 255.255.255.0
Do you want a secondary IP address on this unit? [yn] y
Secondary IP address: Secondary Mask: 255.0.0.0
Secondary IP address: 10.0.0.1
Secondary IP mask: 255.255.255.0
NOTE: The Secondary IP address and mask are optional.
3. Enter the default route for this VSU.
Default Route is not configured.
Enter Default Route: 210.1.18.1
Typically, the default route is the IP address of the gateway router that
provides an IP route between the VSU-5000 and the public network (e.g.,
Internet).
4. To prevent unauthorized users from accessing the VSU-5000 through the
   console port, enter and confirm the new VSU console password.
VSU Console password may be up to 31 characters.
Enter new VSU console password: ******
Confirm new VSU console password: ******
CAUTION: Do not forget this password. As a security measure, the only way
to bypass an unknown console password is to return the VSU-5000 to the
factory at the customer’s expense.
The password may be up to 31 characters in length and is case-sensitive.
Once the password is set, it must be entered to gain future access to the VSU
console.
Pressing Return without typing anything at the “Enter new VSU console
password” and “Confirm new VSU console password” prompts will set the
VSU console password to empty (no password required).
5. A superuser name and password are required to allow the Network
   Administrator to initially configure this VSU through the VPNmanager
   application.
This VSU's superuser name is: "root". Change superuser name? [yn] y
This VSU's superuser name may be up to 31 characters.
Enter new superuser name: superuser
This VSU's superuser password may be up to 31 characters.
Enter new superuser password: ******
Confirm new superuser password: ******
Press Return or enter “n” to leave the superuser name at its default value of
root, or enter “y” to change the superuser name.
Both the superuser name and password may be up to 31 characters and are
case-sensitive. The name and password will be required later when first
setting up the VSU through the VPNmanager application. After the VSU has
been initially set up, the VSU may use the VPNmanager Directory Server to
authenticate a configuration request, at the Network Administrator’s option.
Non-VPN traffic mode: non-VPN traffic is currently forwarded.
Non-VPN Traffic Configuration Menu
1) Permit all non-VPN traffic
2) Deny IP non-VPN traffic only
3) Deny all non-VPN traffic
P) Previous menu
Your choice [1-3]:
6. Select a traffic mode from the Traffic Configuration Menu.
   Permit all non-VPN traffic - When checked (default), all non-VPN traffic is
   allowed to pass through the VSU.
   Deny all IP non-VPN traffic - When checked, all non-IP traffic is passed
   through the VSU.
   Deny all non-VPN traffic - When checked, all non-VPN traffic is prevented
   from passing through the VSU.
   For additional information regarding traffic modes, see page 3-2.
Do you want this unit to run in FIPs-compliant mode? [yn] y
7. Enter “n” if you do not want the VSU to run in FIPS-compliant mode. If you
   answer “n”, the code skips to the date and time configuration. Go to Step 7.
   Enter “y” if you want the VSU to run in FIPS-compliant mode. If you answer
   “y”, answer the following configuration questions. For more information
   regarding FIPS, see “FIPS Mode” on page 3-8.
FIPs-compilant mode may only be disabled via VPNmanager.
Please confirm that you want this unit to run in FIPs-compilant mode. [yn] y
8. Enter the current date and time.
Date: 3-9-2000
Enter date [MM-DD-YYYY]:
Time: 13:51:53
Enter time [HH:MM:SS]:
This date and time setting are primarily used to ensure accurate timestamps
when logging events. When changing either the date or time, all three parts of
the date (MM-DD-YYYY) or time (HH:MM:SS) must be entered. A 24-hour
clock is used when setting the time. For example, 13:00:00 is equivalent to
1:00 PM.
Reboot the VSU-5000.
9.
Reboot is required to complete Quick Setup. Reboot Now? [yn]
y
Y ou r VSU-5000 is now prepared for configuration by using the VPNmanager.
The VSU initially passes all traffic between its Public and Private ports. This
would be a good time to verify connectivity by pinging the VSU from public
and private machines, and by passing traffic between public and private
machines.
Proceed to the VPNmanager Administrator Guide to continue configuring your VSU.
FIPS Mode
FIPS (Federal Information Processing Standards) Mode forces the VSU to
operate in a FIPS 140-1 Level 2 compliant mode. It is recommended that this
mode only be used if your organization’s policy requires FIPS 140-1 Level 2
certification for cryptographic devices.
Note that in the FIPS mode (as dictated by the FIPS 140-1 requirements
specification), the following are NOT supported:
• SKIP VPNs
• VPNremote 2.5x Clients
• Any encryption algorithm other than DES or 3DES
• Any authentication algorithm other than SHA-1
General Firmware Upgrade Information
Configuration Items Left to the VPNmanager
The following items are likely to be configured by most administrators, but are
left to VPNmanager or other VSU console menu items to keep the Quick Setup
menu minimal:
• LDAP servers used to authenticate VPNmanager console users.
• Disable a VSU’s SuperUser account.
Flushing the configuration on VPNware 3.1
In the event you flush the configuration (via VSU console menu item
Configuration->Flush Configuration) on a VSU running VPNware 3.1 the
following occurs:
• The superuser name will be “root”.
• There will be no superuser password.
• If a VSU console password is configured, it will be preserved.
• The secondary IP address will be empty.
• The blocking mode will be set to forward all non-VPN traffic.
Chapter 4 Troubleshooting
This chapter includes troubleshooting and replacement procedures for the
VSU-5000 power supply module, cooling fan and dual-port Ethernet module.
Power Supply
The standard VSU-5000 includes a single power supply module.
NOTE: The VSU-5000 is provisioned with one of two different power supply
module types. Replacement procedures for both types are covered in this section.
Fault Indication
If the power supply module fails, an audible alarm will sound and the green LED
status indicator on the power supply subsystem extinguishes. The audible alarm
automatically silences after a preset time. Contact your customer service
representative to obtain a replacement for the defective power supply module.
WARNING: To ensure that the power supply ventilation system continues to
work correctly, do not remove the defective power supply module until you
have a replacement unit available.
Power Supply Removal and Replacement
Referring to Figure 4-1, perform the following steps to replace the power supply
module:
1. Unscrew the thumbscrew next to the hinged fan assembly on the back of the
unit and swing the fan assembly open to expose the power supply modules.
NOTE: The warning buzzer will continue to buzz as long as the fan assembly
door is opened.
2. If the power supply is defective, the green LED indicator on the power supply
module will be OFF.
3. Set the ON/OFF (I/O) switch on the power supply to OFF.
4. Grasp the handle on the power supply and gently pull the module out of its
enclosure.
Figure 4-1 Power Supply Removal and Replacement
5. Set the ON/OFF (I/O) switch on the new power supply module to OFF, then
slide the new power supply module into the enclosure and press firmly on the
front of the module to securely seat the module.
WARNING: Do not insert any object into the power supply slot, such as fingers,
tools, etc., as dangerous voltages exist on the connectors.
6. Set the ON/OFF (I/O) switch of the new power supply module to the ON
position, then close and secure the fan assembly door.
Alternate Power Supply Removal and Replacement
Referring to Figure 4-2, perform the following steps to replace the power supply
module:
1. If the power supply is defective, the green LED indicator on the power supply
module will be OFF.
2. Set the ON/OFF (I/O) switch of the defective power supply to OFF.
3. Grasp the handle on the power supply, slide the retaining lock button to the
right, and gently pull the defective module out of its enclosure.
4. Set the ON/OFF (I/O) switch on the new power supply module to OFF.
5. Slide the new power supply module into the enclosure and press firmly on the
front of the module to securely seat the module. Be sure the retaining lock is
engaged to secure the module.
WARNING: Do not insert any object into the power supply slot, such as fingers,
tools, etc., as dangerous voltages exist on the connectors.
6. Set the ON/OFF (I/O) switch of the new power supply module to the ON
position.
Chassis Cooling Fan
The VSU-5000 includes a cooling fan on the rear panel to cool the chassis.
This cooling fan is hot-swappable and can be replaced without powering down
the VSU-5000. Contact your customer service representative to obtain a
replacement for the defective fan. Operation can quickly be verified by holding
an open hand near the fan to sense airflow.
Fan Removal and Replacement
Referring to Figure 4-2, perform the following steps to replace the cooling fan:
1. Unscrew the two thumbscrews in the lower left and upper right corner of the
fan, then pull the fan straight out of the unit.
2. Making sure that the fan’s power connector is aligned with its socket, slide
the new fan into place and tighten the two thumbscrews to secure it to the
unit.
Figure 4-2 Chassis Cooling Fan Removal and Replacement
Ethernet Interface Module
The VSU-5000 includes a dual-port 10/100BASE-T Ethernet card, with the
public and private interface ports paired on the card.
Removal and Replacement
The dual-port 10/100BASE-T Ethernet module is enclosed in the tamper-evident
case and may be replaced only by an authorized service technician. Contact your
customer service representative or VPNet technical support for instructions on
getting the unit serviced.
APPENDIX A
This appendix provides physical, environmental and electrical specifications for
the VSU-5000, as well as standards compliance information.
Physical Specifications
Table 1-1 VSU-5000 Physical Specifications
Parameter              Specification
Dimensions             17"W x 16"D x 3.5"H
Weight                 14.75 lbs, 6.7kg
LAN Interface          10/100BASE-T Ethernet
Management Interfaces  10/100BASE-T Ethernet,
Voltage                90-264 VAC
Input Frequency        50-60 Hz
AC input current       2.5A (100-240VAC)
Operating
Specification
CAUTION: Danger of explosion if memory backup battery is incorrectly
replaced. Replace only with the same or equivalent type recommended by the
manufacturer. Dispose of used batteries according to the manufacturer’s
instructions. Note that the battery in this unit is a non-serviceable part.
Compliance Specifications
Table 1-4 Compliance Specifications
Parameter             Specification
Safety Certification  UL, C-UL, CE, AS3260, CB SCHEME
EMI/RFI               FCC Part 15, Class A
                      EN55022 Class A
                      EN50082-1
                      AS38548
                      VCCI
Standards Compliance  IEEE 802.3, Ethernet
                      SKIP Compliance:
                      RFC 1825 Security Architecture for the Internet Protocol
                      RFC 1826 IP Authentication Header
                      RFC 1827 IP Encapsulating Security Payload
                      RFC 1828 IP Authentication using Keyed MD5
                      RFC 1829 The ESP DES-CBC Transform
                      RFC 1851 The ESP Triple DES Transform
                      IPSec Compliance:
                      RFC 2401 Security Architecture for the Internet Protocol
                      RFC 2402 IP Authentication Header
                      RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
                      RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
                      RFC 2405 The ESP DES-CBC Cipher Algorithm with Explicit IV
                      RFC 2406 IP Encapsulating Security Payload
                      RFC 2407 Internet IP Security Domain of Interpretation for ISAKMP
                      RFC 2408 Internet Security Association and Key Management (ISAKMP)
                      RFC 2409 Internet Key Exchange (IKE)
                      RFC 2410 The NULL Encryption Algorithm and Its Use with IPSec
                      RFC 2412 The OAKLEY Key Determination Protocol
                      RFC 2451 The ESP CBC-Mode Cipher Algorithms
IPsec                 ICSA 1.0 Certified (ICSA 1.1 pending)
Additional Features
Table 1-5 Additional Features
Parameter   Specification
Encryption  DES and Triple DES hardware encryption. DES uses a 56-bit
            key; Triple DES uses three 56-bit independent keys for an
            effective key length of 112 bits.
            All weak and semi-weak keys are automatically discarded.
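The weak and semi-weak key screening named in the Encryption row can be illustrated as follows. This is an added example, not VPNet code or VSU firmware: the function names are hypothetical, the key tables are the standard published DES weak and semi-weak key lists, and the subkey-equality check for Triple DES goes beyond what this guide states, assuming EDE keying.

```python
# Added example: screening DES / 3DES keys for weak and semi-weak values.
# Not VSU firmware code; key tables are the published DES weak-key lists.

WEAK = ["0101010101010101", "FEFEFEFEFEFEFEFE",
        "1F1F1F1F0E0E0E0E", "E0E0E0E0F1F1F1F1"]
SEMI_WEAK = ["01FE01FE01FE01FE", "FE01FE01FE01FE01",
             "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
             "01E001E001F101F1", "E001E001F101F101",
             "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
             "011F011F010E010E", "1F011F010E010E01",
             "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1"]


def strip_parity(key):
    """Clear the low (parity) bit of each byte; DES ignores those 8 bits."""
    return bytes(b & 0xFE for b in key)


_WEAK = {strip_parity(bytes.fromhex(h)) for h in WEAK}
_SEMI = {strip_parity(bytes.fromhex(h)) for h in SEMI_WEAK}


def classify_des_key(key):
    """Return 'weak', 'semi-weak' or 'ok' for an 8-byte DES key."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    k = strip_parity(key)
    if k in _WEAK:
        return "weak"
    if k in _SEMI:
        return "semi-weak"
    return "ok"


def screen_3des_key(key):
    """Return reasons to discard a 24-byte three-key 3DES key ([] = accept)."""
    if len(key) != 24:
        raise ValueError("three-key 3DES key must be 24 bytes")
    parts = [key[i:i + 8] for i in (0, 8, 16)]
    reasons = []
    for n, part in enumerate(parts, 1):
        verdict = classify_des_key(part)
        if verdict != "ok":
            reasons.append("K%d is %s" % (n, verdict))
    k1, k2, k3 = (strip_parity(p) for p in parts)
    if k1 == k2 or k2 == k3:
        # Assumes EDE keying: E_K3(D_K2(E_K1(x))) collapses to one DES pass.
        reasons.append("adjacent subkeys equal")
    return reasons
```

Comparison is done with the parity bits cleared, so a key that differs from a listed weak key only in parity (for example, eight zero bytes) is still rejected.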