Page 71 / 123 Scroll up to view Page 66 - 70
68
Chapter 8
VPN
This Chapter describes the VPN capabilities and configuration required for
common situations.
Overview
This section describes the VPN (Virtual Private Network) support provided by your TW100-
BRV204.
A VPN (Virtual Private Network) provides a secure connection between 2 points, over an
insecure network - typically the Internet. This secure connection is called a
VPN Tunnel
.
There are many standards and protocols for VPNs. The standard implemented in the TW100-
BRV204 is
IPSec
.
IPSec
IPSec is a near-ubiquitous VPN security standard, designed for use with TCP/IP networks. It
works at the packet level, and authenticates and encrypts all packets traveling over the VPN
Tunnel. Thus, it does not matter what applications are used on your PC. Any application can
use the VPN like any other network connection.
IPsec VPNs exchange information through logical connections called
SA
s (Security Associa-
tions). An SA is simply a definition of the protocols, algorithms and keys used between the
two VPN devices (endpoints).
Each IPsec VPN has two SAs - one in each direction. If
IKE
(Internet Key Exchange) is used
to generate and exchange keys, there are also SA's for the IKE connection as well as the IPsec
connection.
There are two security modes possible with IPSec:
Transport Mode
- the payload (data) part of the packet is encapsulated through encryp-
tion but the IP header remains in the clear (unchanged).
The TW100-BRV204 does NOT support Transport Mode.
Tunnel Mode
- everything is encapsulated, including the original IP header, and a new IP
header is generated. Only the new header in the clear (i.e. not protected). This system pro-
vides enhanced security.
The TW100-BRV204 always uses Tunnel Mode.
IKE
IKE (Internet Key Exchange) is an optional, but widely used, component of IPsec. IKE pro-
vides a method of negotiating and generating the keys and IDs required by IPSec. If using IKE,
only a single key is required to be provided during configuration. Also, IKE supports using
Certificates
(provided by CAs - Certification Authorities) to authenticate the identify of the
remote user or gateway.
If IKE is NOT used, then all keys and IDs (SPIs) must be entered manually, and Certificates
can NOT be used. This is called a "Manual Key Exchange".
When using IKE, there are 2 phases to establishing the VPN tunnel:
8
Page 72 / 123
VPN
69
Phase I
is the negotiation and establishment of the IKE connection.
Phase II
is the negotiation and establishment of the IPsec connection.
Because the IKE and IPsec connections are separate, they have different SAs (security associa-
tions).
Policies
VPN configuration settings are stored in
Policies
.
Each policy defines:
The address of the remote VPN endpoint
The traffic which is allowed to use the VPN connection.
The parameters (settings) for the IPsec SA (Security Association)
If IKE is used, the parameters (settings) for the IKE SA (Security Association)
Generally, you will need at least one (1) VPN Policy for each remote site for which you wish
to establish VPN connections.
It is possible, and sometimes necessary, to have multiple Policies for the same remote site. In
this case, the order (sequence) of the policies is important. The policies are examined in turn,
and the first matching policy will be used.
VPN Configuration
The general rule is that each endpoint must have matching Policies, as follows:
Remote VPN address
Each VPN endpoint must be configured to initiate or accept con-
nections to the remote VPN client or Gateway.
Usually, this requires having a fixed Internet IP address. However,
it is possible for a VPN Gateway to accept incoming connections
from a remote client where the client's IP address is not known in
advance.
Traffic Selector
This determines which outgoing traffic will cause a VPN connec-
tion to be established, and which incoming traffic will be accepted.
Each endpoint must be configured to pass and accept the desired
traffic from the remote endpoint.
If connecting 2 LANs, this requires that:
Each endpoint must be aware of the IP addresses used on the
other endpoint.
The 2 LANs MUST use different IP address ranges.
IKE parameters
If using IKE (recommended), the IKE parameters must match
(except for the SA lifetime, which can be different).
IPsec parameters
The IPsec parameters at each endpoint must match.
Page 73 / 123
TW100-BRV204 User Guide
70
Common VPN Situations
VPN Pass-through
Figure 44: VPN Pass-through
Here, a PC on the LAN behind the Router/Gateway is using VPN software, but the
Router/Gateway is NOT acting as a VPN endpoint. It is only allowing the VPN connection.
The PC software can use any VPN protocol supported by the remote VPN.
The remote VPN Server must support client PCs which are behind a NAT router, and so
have an IP address which is not valid on the Internet.
The Router/Gateway requires no VPN configuration, since it is not acting as a VPN
endpoint.
Client PC to VPN Gateway
Figure 45: Client PC to VPN Server
In this situation, the PC must run appropriate VPN client software in order to connect, via the
Internet, to the TW100-BRV204. Once connected, the client PC has the same access to LAN
resources as PCs on the local LAN (unless restricted by the network administrator).
IPsec is not the only protocol which can be used in this situation, but the TW100-BRV204
supports IPsec ONLY.
Windows 2000 and Windows XP include a suitable IPsec VPN client program. Configura-
tion of this client program for use with the TW100-BRV204 is covered later in this
document.
Page 74 / 123
VPN
71
Connecting 2 LANs via VPN
Figure 46: Connecting 2 VPN Gateways
This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the
remote LAN.
The 2 LANs MUST use different IP address ranges.
The VPN Policies at each end determine when a VPN tunnel will be established, and what
systems on the remote LAN can be accessed once the VPN connection is established.
It is possible to have simultaneous VPN connections to many remote sites.
Page 75 / 123
TW100-BRV204 User Guide
72
VPN Configuration
This section covers the configuration required on the TW100-BRV204 when using Manual
Key Exchange (Manual Policies) or IKE (Automatic Policies).
Details of using Certificates are covered in a later section.
VPN Policies Screen
To view this screen, select
VPN Policies
from the VPN menu. This screen lists all existing
VPN policies. If no policies exist, the list will be empty.
Figure 47: VPN Policies
Note that the order of policies is important if you have more than one policy for particular
traffic. In that case, the first matching policy (for the traffic under consideration) will be used.
Data - VPN Policies Screen
Policy Name
The name of the policy. When creating a policy, you should select a
suitable name.
Enable
This indicates whether or not the policy is currently enabled. Use the
"Enable/Disable" button to toggle the state of the selected policy.
Remote VPN
Endpoint
The IP address of the remote VPN endpoint (Gateway or client).
Key Type
This will indicate "Manual" (manual key exchange) or "IKE" (Internet
Key Exchange)
Add
To add a new policy, click the "Add" button. See the following section
for details.
Edit
To Edit or modify an existing policy, select it and click the "Edit"
button.

Rate

4.5 / 5 based on 2 votes.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top