Revising a BANDIT Product's VPN Configuration


VPN Configuration, Document 3

Version A.1, March
Encore Networks, Inc. All rights reserved.
For information on trademarks, safety, limitations of liability, and similar topics, see Notices.

The BANDIT's standard VPN configuration is developed during the initial Quickstart configuration. You may wish to configure additional VPN records for the BANDIT device. This document provides quick guidelines for reconfiguring VPNs.

Note: This document discusses revision of an existing VPN configuration. For the initial configuration of VPNs, see Configuring a BANDIT Product for Virtual Private Networks.

All BANDIT VPN products can use DES or 3DES for VPN tunnels. The high-end products (the BANDIT II, the BANDIT III, and the VSR-1200) can use AES (or DES or 3DES) for VPN tunnels.

The VPN products can use Selective Layer Encryption (SLE, patent pending) in VPN connections that traverse satellite networks. For details of SLE, see Section 3.5, Configuring Selective Layer Encryption in VPNs.

For more information about virtual private networks, see The BANDIT Products in Virtual Private Networks. For sample configurations of connections between VPN endpoints, see the following:

- For a quick VPN setup, conforming to the recommendations of the VPN Consortium (VPNC), see VPNC Scenario for IPsec Interoperability.
- For a sample setup of a BANDIT VPN gateway operating with a remote VPN client, see Scenarios for Operation with a VPN Client.

3.1 Dynamic Tunnel Configuration in the BANDIT II, the BANDIT III, and the VSR-1200

In most BANDIT devices, configuration of a VPN tunnel requires that you save (Write) the configuration and Reset the device before you can use the tunnel. But a reset drops active calls. However, in some BANDIT devices, there is a way to use newly configured tunnels without resetting.

The BANDIT II, the BANDIT III, and the VSR-1200 can configure and start up new VPN tunnels without resetting the device, if the tunnels' IP routing entries are already configured and working. This allows active VPN tunnels to remain up, so that calls are not dropped.

A VPN tunnel needs a policy table entry and a VPN profile entry; both entries must be properly configured in order for a VPN tunnel to work properly. The following steps provide an overview for configuring VPN tunnels dynamically in a BANDIT II, BANDIT III, or VSR-1200.

1 When a VPN profile is added or edited in the VPN Profile Table (for a BANDIT II, a BANDIT III, or a VSR-1200), the menu displays a prompt asking whether to keep the changes.

    Do you want to keep your change? (Y/N):

  If you answer yes, another prompt asks whether to activate the changes (without resetting).

    Do you want to activate the change? (Y/N):

  If you answer yes to this second prompt, the changes take effect the next time the tunnel comes up; no system reset needs to be executed.

2 In like manner, when you add or edit an IP Policy Table record (for a BANDIT II, a BANDIT III, or a VSR-1200) with an associated VPN tunnel, the menu displays a prompt asking whether to keep the changes.

    Do you want to keep your change? (Y/N):

  If you answer yes, another prompt asks whether to activate the changes (without resetting).

    Do you want to activate the change? (Y/N):

  If you answer yes to this second prompt, the system implements the changes the next time the tunnel comes up; no system reset needs to be executed.

Note: Filtering must be enabled in order for tunnel configurations to have any effect.

In the situations mentioned above, changes made to an active tunnel do not take effect until the tunnel goes down. When the tunnel comes up the next time, it uses the new configuration.

3.2 Navigating to Menus for VPN Reconfiguration

1 To configure VPN connections, do the following:

  a Log in to the BANDIT device. (For details, see Section 3.2, Connecting a Supervisory Terminal and Logging in to the BANDIT.) The Main Menu is displayed.

Note: There are two routes to get to the VPN menus:

- Through the Typical Configurations menu. See Step 2.
- Through the Advanced Configurations menu. See Step 3.

2 To get to the VPN menus via the Typical Configurations menu, select Typical Configurations. The Typical Configurations menu is displayed. Go to Step 4.

    Typical Configurations Menu
    1) System Configuration
    2) IP Interfaces
    3) IP Static Routes
    4) VPN Profiles
    5) IP/VPN Policies
    6) NAT Profiles
    7) DNS/DHCP Servers
    8) Configure Firewall
    9) IP QoS (Quality of Service)
    L) LAN    : EtherNet No DHCP    ETHERNET
    W) WAN    : EtherNet No DHCP    ETHERNET
    M) MODEM  : Point-to-Point      MODEM INTERNAL
    S) SERIAL : Frame Relay         SERIAL V.24/RS232 DCE
    B) RDU Ports...
    P) More Ports...
    Enter Choice : 5

3 To get to the VPN menus through the Advanced Configurations menu, do the following:

  a On the Main Menu, select Advanced Configurations. (For details, see Section 3.4, Using the Main Menu.) The Advanced Configurations menu is displayed.

  b On the Advanced Configurations menu, select Routing. (For details, see Section 3.5.4, The Advanced Configurations Menu.) The Configure Routing menu appears.

  c On the Configure Routing menu, select IP Routing. (For details, see Section 1.2, The Routing Menu.) The IP Routing Configuration menu appears.

  d On the IP Routing Configuration menu, select IP/VPN Routing. (For details, see Section 2.1.1, Configuring IP Routing.) The Virtual Private Network Configuration menu appears. Go to Step 4.

    Virtual Private Network Configuration
    1) VPN Profiles
    2) IP/VPN Policy Table
    Enter choice :

4 On the Typical Configurations menu or on the Virtual Private Network Configuration menu, do each of the following:

  a To see the BANDIT device's list of VPN connections and associated security protocols, select VPN Profiles. The VPN Profile Table appears. Go to Section 3.3, Adding or Reconfiguring VPN Profiles.

    VPN Profile Table
    No. Name       Mode  VPN Gateway  Phase1 Proposal#1   Ping  User ID
     1) profile 1  AGGR               ESP HMAC-MD5 3DES   OFF
     2) profile 2  AGGR               psk-g1-des-md5      OFF
     3) profile 3  MAIN               psk-g2-des-md5      OFF
     4) profile 4  MAIN               psk-g5-des-md5      OFF
     5) Remote     AGGR               psk-g2-des-md5      OFF   bandit
     6) AGGR_G2    AGGR  None         psk-g2-3des-sha1    OFF
     7) AGGR_G1    AGGR  None         psk-g1-des-md5      OFF
     8) MAIN_G2    MAIN  None         psk-g2-des-md5      OFF
     9) MAIN_G5    MAIN  None         psk-g5-des-md5      OFF
    Enter 'm' to modify, 'd' to delete, 'c' to copy or <ESC> to exit:

  b To see the device's list of security policies for VPN connections, select IP/VPN Policy Table. The IP/VPN Policy menu appears. Go to Section 3.4, Reconfiguring the IP/VPN Policy Table.

       Source       Src   Destination  Dest  Protocol
    #  Address      Port  Address      Port  /Flag     Path Name  I/O  Action
    1               *                  *     *         *          *    Tunnel To Remote 1
                    *                  *     Action: Initiate  VPN Profile: Remote
    2  *            *     *            *     *         *          *    Allow ALL
       *            *     *            *     Action: Allow
    Add, Modify, Insert, Copy or Delete an Entry? - (A/M/I/C/D) : a

Note: You must also configure an IP routing table for use by the virtual private network. See Section 3.6.1, IP Routing.

5 To return to the Main Menu, press Ctrl Z.

3.3 Adding or Reconfiguring VPN Profiles

To reconfigure VPN profiles, do the following:

1 Follow the steps in Section 3.2, Navigating to Menus for VPN Reconfiguration, to reach the Typical Configurations menu or the Virtual Private Network Configuration menu.

2 On the Typical Configurations menu or on the Virtual Private Network Configuration menu, to see the BANDIT's list of VPN connections and associated security protocols, select VPN Profiles. The VPN Profile Table appears. Each VPN profile lists the following:

  - The record number (line number)
  - The VPN connection's profile name
  - The tunneling mode the profile uses
  - The IP address of the remote VPN gateway (the gateway at the other end of the VPN connection)
  - The first negotiation scheme this local BANDIT device proposes for the connection
    Note: For autokeyed connections, the table shows the negotiation scheme's authentication mode, authentication group, encryption protocol, and authentication protocol for Proposal 1 in Phase 1.
  - Ping status
  - The user ID of the person allowed to use this VPN profile
    Note: If you want more than one person to use a profile, copy the profile record, as described in Step 3c, and change the User ID in the new record.

    VPN Profile Table
    No. Name       Mode  VPN Gateway  Phase1 Proposal#1   Ping  User ID
     1) profile 1  AGGR               ESP HMAC-MD5 3DES   OFF
     2) profile 2  AGGR               psk-g1-des-md5      OFF
     3) profile 3  MAIN               psk-g2-des-md5      OFF
     4) profile 4  MAIN               psk-g5-des-md5      OFF
     5) Remote     AGGR               psk-g2-des-md5      OFF   bandit
     6) AGGR_G2    AGGR  None         psk-g2-3des-sha1    OFF
     7) AGGR_G1    AGGR  None         psk-g1-des-md5      OFF
     8) MAIN_G2    MAIN  None         psk-g2-des-md5      OFF
     9) MAIN_G5    MAIN  None         psk-g5-des-md5      OFF
    Enter 'm' to modify, 'd' to delete, 'c' to copy or <ESC> to exit:

3 Do one of the following:

  a To return to the higher-level menu, press the Escape key.

    The Typical Configurations menu or the Virtual Private Network Configuration menu is redisplayed.

  b To change part of a profile, type m. A prompt similar to the following is displayed. Go to Step 4.

    Enter the entry number to modify (1 to 7)

  c To add a profile, type c. A prompt similar to the following is displayed. Go to Step 5.

    Enter the entry number to Copy FROM:(1 to 5)[1] :

  d To delete a profile, type d. A prompt similar to the following is displayed. Go to Step 6.

    Enter the entry number to delete (1 to 7)

Note: In the default [Quickstart Config Builder] configuration, you cannot delete records 1-4 from the VPN Profile Table.

4 To modify an entry in the VPN Profile Table, do all of the following:

  a Type the line number of the profile to modify, and press Enter. (Line numbers are listed under the heading label No.) The fields for the selected VPN profile are displayed.

    VPN PROFILE ENTRY
     1) Profile Name: AGGR_G2
     2) Tunneling Mode: AGGRESSIVE
     3) VPN Gateway:
     4) User ID:
     5) Pre-shared Key: *****
     6) Phase 1 Ping : Disabled    Idle Time: 120 seconds
     7) Phase 2 Ping : Disabled    Idle Time: 120 seconds
     8) Monitor Ping : Disabled    Idle Time: 120 seconds
     9) Phase 1 Proposal
    10) Phase 2 Proposal
    Enter the number of the item to change:

Note: Although all VPN profile records have all fields, the screen displays only the fields used in the keying specified: autokeying (IKE) or manual. (The BANDIT VPN products do not use manual keying in normal operation. If you want a VPN device to use manual keying, contact your Encore Networks sales representative.)

  b Type the line number of the field whose value you wish to change, and press Enter.

    If you select a phase 1 or phase 2 proposal, a menu similar to the following is presented. Go to Section 3.3.1, Configuring Phase Proposals for IKE Autokeying.

    Phase 1 Proposals
    1) Proposal 1: Preshared - DH GROUP G2 - DES - HMAC-MD5
    2) Proposal 2: Preshared - DH GROUP G2 - DES - HMAC-SHA1
    3) Proposal 3: Preshared - DH GROUP G2 - 3DES - HMAC-MD5
    4) Proposal 4: Preshared - DH GROUP G2 - 3DES - HMAC-SHA1
    Enter your choice:

    If you select any other field, the field is presented, so that you may enter a new value.

    Note: (This example shows the VPN Gateway field, to enter the IP address or DNS for the remote VPN gateway.)

    Enter Peer VPN Gateway (1 = IP, 2 = DNS URL), [1]:

  c Type the new value for the field, and press Enter. The new value is accepted, and the selected profile is redisplayed, with the field's new value.

    VPN PROFILE ENTRY
     1) Profile Name: AGGR_G2
     2) Tunneling Mode: AGGRESSIVE
     3) VPN Gateway:
     4) User ID: N/A
     5) Pre-shared Key: *****
     6) Phase 1 Ping : Disabled    Idle Time: 120 seconds
     7) Phase 2 Ping : Disabled    Idle Time: 120 seconds
     8) Monitor Ping : Disabled    Idle Time: 120 seconds
     9) Phase 1 Proposal
    10) Phase 2 Proposal
    Enter the number of the item to change:

Note: You can configure a VPN profile to use pings to maintain or monitor connections. See Section 3.3.2, Configuring Pings in VPN Profiles.

  d Do one of the following:

    i If you wish to modify another field's value, return to Step 4b.

    ii When you have finished modifying this profile, press Escape to save the new values. The following prompt is displayed:

    Do you want to keep your change? (Y/N):

  e Do one of the following:

    i To save the changes, press y.

    ii To discard the changes and keep the prior information, press n.

    Whether you answer y or n, the VPN Profile Table is redisplayed. Return to Step 3.

5 To add a profile to the VPN Profile Table, do all of the following:

  a Type the line number of an existing profile you wish to copy as a model for the new profile, and press Enter. The following message appears, listing the name of the profile you have copied, and asking for a name to identify the new profile.

    You selected COPY FROM profile name : profile 1
    Please enter COPY TO profile name :

  b Type a unique name for the new profile, and press Enter. Make sure the profile name fits into the field (10 or fewer characters).

    Note: Get all profile names from your network administrator. You may use profile names (of 1-10 characters) that are meaningful in your network, for example, profile01, Springfld, or BizTravlr3.

    The software adds the new profile to the VPN Profile Table, and the VPN Profile Table is redisplayed, with the new profile at the bottom of the list.

  c Return to Step 3. (Then select m to modify the new profile.)

6 To delete a profile from the VPN Profile Table, type the line number of the profile to delete, and press Enter.

  Note: Line numbers are listed under the heading label No.

  A prompt similar to the following is displayed.

    Do you want to delete this profile? (Y/N):

  a Do one of the following:

    i To delete the profile, press Y.

    ii To discard the changes and keep the profile, press N.

    Whether you answer Y or N, the VPN Profile Table is redisplayed. Return to Step

3.3.1 Configuring Phase Proposals for IKE Autokeying

In VPN connections that use automatic keying (for example, Internet Key Exchange, or IKE), the BANDIT VPN device negotiates keys and proposals for data transmission. You can configure the proposals presented for each phase in the Internet Key Exchange.

To configure phase proposals for automatic keying, do the following:

1 In Section 3.3, Adding or Reconfiguring VPN Profiles: Follow Step 1 through Step 3b, then perform Step 4a, to reach the VPN Profile Entry menu.

    VPN PROFILE ENTRY
     1) Profile Name: AGGR_G2
     2) Tunneling Mode: AGGRESSIVE
     3) VPN Gateway:
     4) User ID:
     5) Pre-shared Key: *****
     6) Phase 1 Ping : Disabled    Idle Time: 120 seconds
     7) Phase 2 Ping : Disabled    Idle Time: 120 seconds
     8) Monitor Ping : Disabled    Idle Time: 120 seconds
     9) Phase 1 Proposal
    10) Phase 2 Proposal
    Enter the number of the item to change:

2 On the VPN Profile Entry menu, select the phase you wish to modify. The proposals already configured for the phase are listed.

  Sample Phase 1 Proposals list:

    Phase 1 Proposals
    1) Proposal 1: Preshared - DH GROUP G2 - DES - HMAC-MD5
    2) Proposal 2: Preshared - DH GROUP G2 - DES - HMAC-SHA1
    3) Proposal 3: Preshared - DH GROUP G2 - 3DES - HMAC-MD5
    4) Proposal 4: Preshared - DH GROUP G2 - 3DES - HMAC-SHA1
    Enter your choice:

  Sample Phase 2 Proposals list:

    Phase 2 Proposals
    1) Proposal 1: PFS ON - ESP - DES - HMAC-MD5
    2) Proposal 2: PFS ON - ESP - DES - HMAC-SHA1
    3) Proposal 3: PFS ON - ESP - DES - HMAC-SHA1
    4) Proposal 4: PFS ON - ESP - DES - HMAC-MD5
    Enter your choice:

3 Do one of the following:

  a To return to the profile display, press Escape. The profile's list of fields is redisplayed. Go to Step 4d in Section 3.3, Adding or Reconfiguring VPN Profiles.

  b Select the proposal you wish to modify for this phase. The proposal's values are listed.

  Sample Phase 1 Proposal menu:

    Phase 1 Proposal
    1) Authentication Mode : Preshared
    2) DH Group: DH GROUP G2
    3) Encryption: DES
    4) Authentication: HMAC-MD5
    5) Life: 100 sec
    6) Life Units: sec
    Enter your choice:

  Sample Phase 2 Proposal menu:

    Phase 2 Proposal
    1) PFS : DH GROUP G2
    2) Security Protocol: ESP
    3) Encryption: DES
    4) Authentication: HMAC-MD5
    5) Life: 100 sec
    6) Life Units: sec
    Enter your choice:

4 Select the field whose value you wish to change, and press Enter. Possible values for the field are listed. (The values shown are for Authentication Mode in a phase 1 proposal.)

    Enter Authentication (1 = HMAC-MD5, 2 = HMAC-SHA1, 3 = NULL) [1]:

5 Enter a new value for the field, and press Enter. The field's new value is accepted, and the proposal's values are listed again.

6 Do one of the following:

  a To change another field's value, repeat Step 4.

  b To return to the list of proposals configured for the selected phase, press Escape. The list of configured proposals is displayed again. Return to Step

3.3.2 Configuring Pings in VPN Profiles

You can configure pings as part of a VPN profile, in order to maintain connections. In the VPN Profile Entry menu, pings can be configured for the following purposes:

- The Phase 1 Ping keeps Phase 1 tunnels up.
- The Phase 2 Ping keeps Phase 2 tunnels up.
- The Monitor Ping (also called the "backup ping") monitors the status of the tunnel after set-up. If the tunnel is dropped, the BANDIT can use dial backup to re-establish the tunnel connection. (Dial backup must have already been configured in order to re-establish the connection.)

    VPN PROFILE ENTRY
     1) Profile Name: AGGR_G2
     2) Tunneling Mode: AGGRESSIVE
     3) VPN Gateway:
     4) User ID:
     5) Pre-shared Key: *****
     6) Phase 1 Ping : Disabled    Idle Time: 120 seconds
     7) Phase 2 Ping : Disabled    Idle Time: 120 seconds
     8) Monitor Ping : Disabled    Idle Time: 120 seconds
     9) Phase 1 Proposal
    10) Phase 2 Proposal
    Enter the number of the item to change:

To configure a ping, do the following:

1 In Section 3.3, Adding or Reconfiguring VPN Profiles: Follow Step 1 through Step 3b, then perform Step 4a, to reach the VPN Profile Entry menu.

2 On the VPN Profile Entry menu, select one of the following:

  - Phase 1 Ping
  - Phase 2 Ping
  - Monitor Ping

  The selected ping's configuration menu is displayed.

    Phase1 Ping
    1) IP Address :
    2) Packet Size : 50 Bytes
    3) Interval : 20 Seconds
    4) Idle Time : 120 Seconds
    Enter Choice :

3 Select IP Address and configure the IP address of a device in the remote network. (Although this can be the remote VPN gateway, we recommend that this be another device in the remote network.)

  Caution: This must be the IP address of a device that is always up on the network. If a device is regularly powered down or removed from the network, the ping will initiate a dial backup connection because it is not receiving a reply.

    Enter PING IP Address:

4 Select Packet Size and configure the size of the packet to send when pinging.

    Enter PING Packet Size(50 to 100)[50] :

5 Select Interval and configure the amount of time between pings.

    Enter PING Interval(seconds)(5 to 300)[30] :

6 Select Idle Time. If the ping receives no reply from the remote device, this is the amount of time the BANDIT waits before initiating a dial backup. Type the number of seconds to wait, and press Enter.

    Enter Receive Idle Time(Seconds)(30 to 30000)[90] :

7 When you have finished configuring this ping, press Enter to return to the VPN Profile Entry menu.

3.4 Reconfiguring the IP/VPN Policy Table

You may reconfigure the device's IP/VPN policies. These policies include gateway connection information and the VPN profile that a connection uses.

If the connections will include VPNs across satellite networks, the BANDIT VPN device will use Selective Layer Encryption. Before configuring the IP/VPN Policy Table, read Section 3.5, Configuring Selective Layer Encryption in VPNs.

To reconfigure the IP/VPN Policy Table, do the following:

1 Follow the steps in Section 3.2, Navigating to Menus for VPN Reconfiguration, to reach the Typical Configurations menu or the Virtual Private Network Configuration menu.

2 On the Typical Configurations menu or on the Virtual Private Network Configuration menu, select IP/VPN Policy Table. The IP Policy menu is displayed.

    IP Policy
    1) Status : Disabled
    2) Policy Table
    3) Remote Logging : Disabled
    Enter Choice :

3 On the IP Policy menu, do the following:

  a Select Status, and Enable the IP/VPN policy table.

  b Then select Policy Table.

    - If the IP Policy Table does not yet have entries, it requests information for the first record. Go to Step 7b.
    - If the IP Policy Table already has entries, the table is displayed.

       Source       Src   Destination  Dest  Protocol
    #  Address      Port  Address      Port  /Flag     Path Name  I/O  Action
    1               *                  *     *         *          *    Tunnel To Remote 1
                    *                  *     Action: Initiate  VPN Profile: Remote
    2  *            *     *            *     *         *          *    Allow ALL
       *            *     *            *     Action: Allow
    Add, Modify, Insert, Copy or Delete an Entry? - (A/M/I/C/D) : a

4 Do one of the following:

  a To modify an entry, type m. Go to Step 5.

  b To copy an entry, type c. Go to Step 6.

  c To add an entry to the bottom of the list, type a. Go to Step 7.

  d To add (insert) an entry at a specified point in the list, type i. Go to Step 8.

  e To delete an entry, type d. Go to Step 9.

  f To return to the higher-level menu, press the Escape key twice. The Typical Configurations menu or the Virtual Private Network Configuration menu is redisplayed.

5 Do one of the following:

  a To modify an entry, do all of the following:

    i Type the line number of the entry you wish to modify. The entry's list of values appears.

    ii Select the field you wish to change. The possible values for the field are listed.

    iii Select the new value for the field. The new value is accepted, and the entry's list of values is redisplayed. Repeat Step 5.

  b To return to the IP/VPN Policy Table, do all of the following:

    i Press the Escape key. A prompt asks whether you wish to save the changes you made.

    ii Answer yes if you wish to keep the changes or no if you do not wish to keep the changes. The IP/VPN Policy Table is redisplayed. Return to Step 4.

6 Do one of the following:

  a To copy an entry, type the line number of the entry you wish to copy. The new entry is added to the bottom of the IP/VPN Policy Table. Return to Step 4.

  b If you do not wish to copy an entry, press the Escape key. The IP/VPN Policy Table is redisplayed. Return to Step 4.

7 Do one of the following:

  a If you do not wish to add another entry, press Escape. The IP/VPN Policy Table is redisplayed, with each new entry (if any) added to the bottom of the list. Return to Step 4.

  b To add an entry, do the following:

    i When screen prompts request information for this connection and its policy, type the information for each field, and press Enter.

      Note: When the menu asks for the profile name that this connection policy uses, you must enter a profile name that already exists in the VPN Profile Table. (To create new VPN profiles, see Section 3.3, Adding or Reconfiguring VPN Profiles.)

      When all information has been entered, the menu asks for a description.

    ii Type a descriptive name for the connection policy. The entry is accepted. A prompt appears for another new entry. Repeat Step 7.

8 When a prompt asks for the line number an inserted entry will follow, do one of the following:

  a To abandon the new entry, press Escape. The IP/VPN Policy Table is redisplayed. Go to Step 4.

  b To insert an entry, do all of the following:

    i Type the line number the entry will follow, and press Enter. Subsequent prompts request information for this connection and its policy.

    ii Type the information for each field, and press Enter.

      Note: When the menu asks for the profile name that this connection policy uses, you must enter a profile name that already exists in the VPN Profile Table. (To create new VPN profiles, see Section 3.3, Adding or Reconfiguring VPN Profiles.)

      When all information has been entered, the menu asks for a description.

    iii Type a descriptive name for the connection policy. The entry is accepted, and the IP/VPN Policy Table is redisplayed, with the new entry inserted in the list at the specified location. Go to Step 4.

9 To delete an entry, type the entry's line number. The entry is deleted, and the IP/VPN Policy Table appears. Return to Step

When you have finished configuring the software, save (Write) the configuration and restart (Reset) the BANDIT device. For details, see Using the ELIOS Software.
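Before the configuration is written, the Phase 1 proposals listed in the VPN Profile Table (Section 3.3) can be reviewed offline. The Python below is an added example, not part of the Encore Networks manual: it parses proposal names of the form shown in that table (for example psk-g2-des-md5) and reports settings a reviewer would question. The finding codes and the strength classification are assumptions of this example, drawn from general IPsec guidance rather than from the manual.

```python
import re

# Constructed sample: (name, mode, Phase1 Proposal#1) values copied from the
# VPN Profile Table screen shown in Section 3.3.
SAMPLE_PROFILES = [
    ("profile 1", "AGGR", "ESP HMAC-MD5 3DES"),
    ("profile 2", "AGGR", "psk-g1-des-md5"),
    ("profile 4", "MAIN", "psk-g5-des-md5"),
    ("AGGR_G2", "AGGR", "psk-g2-3des-sha1"),
]

# Reviewer's notes per finding code (assumption of this example; the manual
# itself does not rank the options it offers).
FINDINGS = {
    "enc-des": "DES has a 56-bit key; prefer AES where the product offers it, else 3DES",
    "hash-md5": "HMAC-MD5 is deprecated for IKE; prefer HMAC-SHA1 from the listed options",
    "dh-g1": "DH group 1 is a 768-bit MODP group; use the largest group both peers support",
    "dh-g2": "DH group 2 is a 1024-bit MODP group; use the largest group both peers support",
    "aggr-psk": "aggressive mode with a pre-shared key exposes the authentication hash "
                "to offline guessing; use main mode or a long random key",
    "unparsed": "proposal is not in psk-gN-enc-hash form; review it by hand",
}

# auth-gN-encryption-hash, as displayed in the Phase1 Proposal#1 column.
PROPOSAL_RE = re.compile(
    r"^(?P<auth>[a-z]+)-g(?P<group>\d+)-(?P<enc>[a-z0-9]+)-(?P<hash>[a-z0-9]+)$"
)


def parse_proposal(text):
    """Split a proposal name into its four parts, or return None."""
    m = PROPOSAL_RE.match(text.strip().lower())
    if m is None:
        return None
    return {
        "auth": m.group("auth"),
        "group": int(m.group("group")),
        "enc": m.group("enc"),
        "hash": m.group("hash"),
    }


def audit_profile(mode, proposal_text):
    """Return the list of finding codes for one profile row."""
    p = parse_proposal(proposal_text)
    if p is None:
        return ["unparsed"]
    codes = []
    if p["enc"] == "des":
        codes.append("enc-des")
    if p["hash"] == "md5":
        codes.append("hash-md5")
    if p["group"] in (1, 2):
        codes.append("dh-g%d" % p["group"])
    # The table shows AGGR; the profile entry screen shows AGGRESSIVE.
    if mode.upper().startswith("AGGR") and p["auth"] == "psk":
        codes.append("aggr-psk")
    return codes


def audit_table(profiles):
    """Map each profile name to its finding codes."""
    return {name: audit_profile(mode, prop) for name, mode, prop in profiles}


if __name__ == "__main__":
    for name, codes in audit_table(SAMPLE_PROFILES).items():
        if not codes:
            print(f"{name:10} ok")
        for code in codes:
            print(f"{name:10} {code:9} {FINDINGS[code]}")
```

Only Proposal 1 of Phase 1 appears in the VPN Profile Table, so the remaining proposals of each profile still have to be read from the Phase 1 and Phase 2 Proposals menus.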
3.5 Configuring Selective Layer Encryption in VPNs

Encore Networks has developed a proprietary technology, Selective Layer Encryption (SLE, patent pending), for VPNs that traverse a satellite network. SLE works with a satellite modem's performance-enhancing proxy (PEP) and maintains VPN security over satellite networks. The use of SLE with PEP significantly increases VPN performance over satellite networks.

Note: For more information about SLE, see Section 1.4, VPNs over Satellite Networks, in The BANDIT Products in Virtual Private Networks.

Figure 3-1 shows a sample satellite network combining PEP and SLE.

Figure 3-1. Sample Satellite Network Configuration Using Encore Networks SLE VPN

SLE Configuration

When you order your BANDIT device, you determine the type of IPsec VPN tunnels you want it to use. Note the following about the types of IPsec VPN software available for the BANDIT products:

- ELIOS's IPsec VPN software with SLE has everything; tunnels can use IPsec VPN with SLE or regular IPsec VPN (without SLE). Both types of VPN tunnels can be active at the same time.
- ELIOS's regular IPsec VPN software does not have SLE; IPsec VPN tunnels in this software do not use SLE.

The software for SLE differs slightly from the standard BANDIT software. However, the menus do not differ, and configuration remains the same for most parameters in the BANDIT.

Any BANDIT device that supports VPNs can support IPsec VPN with SLE (for use over satellite networks) or regular IPsec VPN (without SLE, for ground-based networks) or both, depending on the software installed in the device. (You order the type of software when you order the BANDIT device.) Most devices that support VPNs also support legacy protocols across IP.

Note: For VPN with SLE over satellites, there must be another BANDIT product using VPN with SLE on the other side of the network, handling SLE for the remote side of the connection. Over ground-based networks, the BANDIT VPN products can use non-SLE software and can interoperate with non-BANDIT IPsec VPN gateways. For details of IPsec interoperability, see the document VPNC Scenario for IPsec Interoperability.

The BANDIT III and the VSR-1200 are high-performance routers. Each can function especially well as a hub for a large terrestrial (ground-based) or satellite network (or for a combined satellite-terrestrial network).

Sample IP Policy Table Illustrating IPsec VPN Tunnels with SLE and without SLE

In the BANDIT's IPsec VPN software with SLE, all VPN tunnels use SLE unless you specify otherwise. For the example (illustrated in Figure 3-1), note the following:

- Figure 3-2 shows part of the IP Policy Table for the BANDIT (A) in Figure 3-1. In Figure 3-2, note the following:
  - Record 3 is a catch-all policy for VPN with SLE. Because it is a catch-all, it must follow all other records for VPN with SLE.
  - Record 4 is a catch-all for VPN without SLE and must follow all other records for VPN without SLE. (No other records for non-SLE VPN exist in this example.)
- In the IP Policy Table (Figure 3-2), if you select a record, the record's detail screen appears. Figure 3-3 through Figure 3-6 show details of the records in Figure 3-2's IP Policy Table. (Note the parameter names in a detailed listing; for example, in record 1, shown in Figure 3-3.)

       Source       Src   Destination  Dest  Protocol
    #  Address      Port  Address      Port  /Flag     Path Name  I/O  Action
    1               *                  *     *         *          *    H-3
                    *                  *     Action: Allow
    2               *                  *     *         *          *    Tunnel To Remote 1
                    *                  *     Action: Initiate  VPN Profile: REMOTE
    3  *            *     *            *     *         *          *    H-1 All SLE
       *            *     *            *     Action: Allow
    4  *            *     *            *     *         *          *    I-Allow ALL non-sle
       *            *     *            *     Action: Allow

Figure 3-2. Sample Entries in IP Policy Table for BANDIT in Figure 3-1, Including SLE over Satellite Networks

As stated above, in the BANDIT's IPsec VPN software with SLE, all VPN tunnels use SLE unless you specify otherwise. Observe the following points when configuring IPsec VPN connections:

- You configure both types of IPsec VPNs (with SLE and without SLE) the same way, except for the name in the Description parameter.
- All other items needed are configured automatically. (However, you need to supply the appropriate IP addresses.)

1 To configure an IPsec VPN that does not use SLE, give the record a name (Description) that begins with the letter I (upper case) or i (lower case).

  Note: Record 4 of the IP Policy Table, detailed in Figure 3-6, has the Description name I-Allow ALL non-sle, beginning with the letter I, indicating that this IPsec VPN connection does not use SLE. Because this connection does not use SLE, it cannot travel over the satellite network shown in Figure 3-1. It must travel over a ground-based IP network.

2 To configure an IPsec VPN that uses SLE, give the record a name (Description) that begins with any character other than I or i.

  Note: Records 1 through 3 of the IP Policy Table, detailed in Figure 3-3 through Figure 3-5, establish IPsec VPN connections that use SLE. Because these connections use SLE, they can travel over the satellite network shown in Figure 3-1.

    1) Source Address Low            :
       Source Address High           :
       Source TCP/UDP Port Low       : *
       Source TCP/UDP Port High      : *
       Destination Address Low       :
       Destination Address High      :
       Destination TCP/UDP Port Low  : *
       Destination TCP/UDP Port High : *
       Protocol/Flags                : *
       Path Name                     : *
       Incoming/Outgoing             : *
       Filtering Action              : Allow
       VPN Profile name              : N/A
       Description                   : H-3

Figure 3-3. Detail of Record 1 in IP Policy Table, for SLE over Satellite Networks

    2) Source Address Low            :
       Source Address High           :
       Source TCP/UDP Port Low       :
       Source TCP/UDP Port High      :
       Destination Address Low       :
       Destination Address High      :
       Destination TCP/UDP Port Low  : *
       Destination TCP/UDP Port High : *
       Protocol/Flags                : *
       Path Name                     : *
       Incoming/Outgoing             : *
       Filtering Action              : Initiate
       VPN Profile name              : REMOTE
       Description                   : Tunnel To Remote 1

Figure 3-4. Detail of Record 2 in IP Policy Table, for SLE over Satellite Networks
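Because SLE is selected only by the first character of a record's Description, a record name can switch a tunnel to non-SLE without any other visible change. The Python below is an added example, not part of the Encore Networks manual: it applies the naming rule and the catch-all ordering rule stated above to a policy table held as data. The record layout, helper names and the placeholder addresses are assumptions of this example.

```python
# Match fields of an IP Policy Table record, named as on the detail screens.
MATCH_FIELDS = (
    "Source Address Low", "Source Address High",
    "Source TCP/UDP Port Low", "Source TCP/UDP Port High",
    "Destination Address Low", "Destination Address High",
    "Destination TCP/UDP Port Low", "Destination TCP/UDP Port High",
    "Protocol/Flags", "Path Name", "Incoming/Outgoing",
)


def record(description, action, profile="N/A", match=None):
    """Build a record; every match field not supplied is the wildcard '*'."""
    rec = {name: "*" for name in MATCH_FIELDS}
    rec.update(match or {})
    rec.update({"Description": description, "Filtering Action": action,
                "VPN Profile name": profile})
    return rec


def addresses(src, dst):
    """Single-host source and destination ranges (helper for sample data)."""
    return {"Source Address Low": src, "Source Address High": src,
            "Destination Address Low": dst, "Destination Address High": dst}


def uses_sle(rec):
    """Naming rule: a Description starting with I or i means no SLE."""
    return rec["Description"][:1] not in ("I", "i")


def is_catch_all(rec):
    """A catch-all record has the wildcard in every match field."""
    return all(rec[name] == "*" for name in MATCH_FIELDS)


def check_policy_table(records):
    """Return (record number, message) for each record that follows the
    catch-all of its own class (SLE or non-SLE). Numbers are 1-based."""
    problems = []
    for sle in (True, False):
        label = "SLE" if sle else "non-SLE"
        catch_all_at = None
        for number, rec in enumerate(records, start=1):
            if uses_sle(rec) != sle:
                continue
            if is_catch_all(rec):
                if catch_all_at is None:
                    catch_all_at = number
            elif catch_all_at is not None:
                problems.append((number, "%s record %r follows the %s catch-all "
                                 "at record %d" % (label, rec["Description"],
                                                   label, catch_all_at)))
    return sorted(problems)


# Constructed sample modelled on Figure 3-2. The addresses are placeholders
# from documentation ranges, not the values of the manual's figure.
FIGURE_3_2 = [
    record("H-3", "Allow", match=addresses("192.0.2.10", "198.51.100.10")),
    record("Tunnel To Remote 1", "Initiate", "REMOTE",
           match=addresses("192.0.2.20", "198.51.100.20")),
    record("H-1 All SLE", "Allow"),
    record("I-Allow ALL non-sle", "Allow"),
]

# Constructed failure case: an SLE tunnel record appended after the SLE
# catch-all (record 3), which the ordering rule does not allow.
MISPLACED = FIGURE_3_2 + [
    record("Hub link", "Initiate", "REMOTE",
           match=addresses("192.0.2.30", "198.51.100.30")),
]

if __name__ == "__main__":
    for number, rec in enumerate(MISPLACED, start=1):
        kind = "SLE" if uses_sle(rec) else "non-SLE"
        print(number, rec["Description"], kind)
    for number, message in check_policy_table(MISPLACED):
        print("record %d: %s" % (number, message))
```

A Description such as "Internet tunnel" is classified as non-SLE by the same rule, so `uses_sle` is worth running over every new record name before it is entered.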

    3) Source Address Low            : *
       Source Address High           : *
       Source TCP/UDP Port Low       : *
       Source TCP/UDP Port High      : *
       Destination Address Low       : *
       Destination Address High      : *
       Destination TCP/UDP Port Low  : *
       Destination TCP/UDP Port High : *
       Protocol/Flags                : *
       Path Name                     : *
       Incoming/Outgoing             : *
       Filtering Action              : Allow
       VPN Profile name              : N/A
       Description                   : H-1 All SLE

Figure 3-5. Detail of Record 3 in IP Policy Table, Catch-All Entry for SLE over Satellite Networks

    4) Source Address Low            : *
       Source Address High           : *
       Source TCP/UDP Port Low       : *
       Source TCP/UDP Port High      : *
       Destination Address Low       : *
       Destination Address High      : *
       Destination TCP/UDP Port Low  : *
       Destination TCP/UDP Port High : *
       Protocol/Flags                : *
       Path Name                     : *
       Incoming/Outgoing             : *
       Filtering Action              : Allow
       VPN Profile name              : N/A
       Description                   : I-Allow ALL non-sle

Figure 3-6. Detail of Record 4 in IP Policy Table, Catch-All Entry for IPsec VPN Traffic without SLE

3.6 Augmenting the BANDIT's IP Configuration

You may wish to configure additional IP components to use a BANDIT device as a network gateway or a VPN gateway. The following sections provide quick overview procedures. The items are addressed in detail in IP Routing in the BANDIT Products.

1 On the Advanced Configurations menu, select Routing.

2 On the Routing menu, select IP Routing. The IP Routing Configuration menu appears.

3 See the following:

  - Section 3.6.1, IP Routing
  - Section 3.6.2, Network Address Translation
  - Section 3.6.3, Firewall

3.6.1 IP Routing

To use the VPN feature to its capacity, you must configure the device's IP routing. Do the following:

1 On the IP Routing Configuration menu, select the IP Routing Method you wish to use (RIP or Static).
2 On the IP Routing Configuration menu, do the following:
   a If the IP routing method is RIP, select and configure RIP Routing. Follow the procedure for RIP routing in IP Routing in the BANDIT Products.

      Entry IP Address Net Mask Gpt Name Next Router Mode MTU MODEM Off 1500
      Add, Modify, or Delete an Entry? (Enter A, M, or D):

   b If the IP routing method is Static, select and configure Static Routing. Follow the procedure for static routing in IP Routing in the BANDIT Products.

      Entry IP Address Net Mask Next Router Path Name Hops Unnumbered a 1
      Add, Modify, or Delete an Entry? (Enter A, M, or D):

For more information, see IP Routing in the BANDIT Products.

3.6.2 Network Address Translation

You can use the BANDIT products for network address translation (NAT). To use network address translation, do the following:

1 On the IP Routing Configuration menu, select Network Address Translation.
2 On the Network Address Translation menu, do the following:
   a Select a NAT configuration scheme.
   b Enable and configure the NAT configuration scheme according to your network plan (e.g., for masquerading, or for a NAT table).

For more information, see IP Routing in the BANDIT Products.

3.6.3 Firewall

The default settings for the BANDIT III do not use the firewall feature. If you wish to configure the firewall, do the following.

1 On the Main Menu, select Typical Configurations.
2 On the Typical Configurations menu, select Configure Firewall.

3 On the Configure Firewall menu, configure the policy table, NAT profiles, and IP interfaces for your network's dynamic firewall.

For more information, see IP Routing in the BANDIT Products.

3.7 Simple Network Management Protocol

You can use the Simple Network Management Protocol (SNMP) to manage the BANDIT III from a remote site. See the document Using SNMP in the BANDIT Products.

3.8 Saving (Writing) the Device's Configuration

Note: If you do not save the configuration before you reset or exit the BANDIT III (or before the connection times out), the configuration will be lost.

After the unit has been configured, save (write) the configuration. Do the following:

1 On the Main Menu, select Write Configuration.
2 Select Yes. The device will notify you when it has saved the configuration.
   Note: If the device's software detects an error in the configuration, it will not save it. Review the configuration. After you have revised the configuration to your satisfaction, save it.
3 Press Enter.

3.9 Restarting (Resetting) the Device

To use the saved configuration, you must reset the BANDIT III. Do the following:

Note: If you want to use your new configuration, you must save (write) the configuration before resetting the unit. Otherwise, the new configuration will be lost.

1 On the Main Menu, select Reset Unit.
2 Select Yes.
   Note: If you have not yet saved the new configuration, the system asks whether to save it. Answer yes or no.
   The device resets.
3 Regardless of screen instructions, do not type anything until you see the banner: BANDIT, ENCORE NETWORKS INC. Then press Enter. The Main Menu is displayed.

Exiting a Session

After the software has been configured, save (write) the configuration. Then exit the session before disconnecting the PC, so that communication is not disrupted.

Caution: Before you exit, make sure you save (write) the configuration. Otherwise, the changes you configured will be lost. See Section 3.8, Saving (Writing) the Device's Configuration.

To exit the session, do the following:

1 On the Main Menu, select Exit Session.
2 Select Yes.
   Note: If the configuration has not been saved, the device asks you whether it should save the new configuration. Answer Yes (or No, if you prefer not to save the configuration).
   The system notifies you that it is ending the session.
3 To reconnect to the device, press Enter. The Main Menu is displayed.


More information

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business Quick Start Guide Cisco Small Business WRV210 Wireless-G VPN Router with RangeBooster Package Contents WRV210 Router Ethernet Cable Power Adapter Product CD-ROM Quick Start Guide Welcome Thank you for

More information

! encor e networks TM

! encor e networks TM ! encor e networks TM Revision B, March 2008 Document Part Number 15953.0001 Copyright 2008 Encore Networks, Inc. All rights reserved. BANDIT Products Wireless Access Guide For BANDIT, BANDIT IP, BANDIT

More information

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW)

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW) Page 1 of 20 Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW) Document ID: 50036 Contents Introduction Prerequisites Requirements Components Used Network Diagram The Role of Switched

More information

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide. http://www.thegreenbow.com support@thegreenbow.com

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide. http://www.thegreenbow.com support@thegreenbow.com TheGreenBow IPSec VPN Client Configuration Guide Apliware firewall WebSite: Contact: http://www.thegreenbow.com support@thegreenbow.com Table of contents 1 Introduction... 0 1.1 Goal of this document...

More information

VPN Technologies: Definitions and Requirements

VPN Technologies: Definitions and Requirements VPN Technologies: Definitions and Requirements 1. Introduction VPN Consortium, January 2003 This white paper describes the major technologies for virtual private networks (VPNs) used today on the Internet.

More information

Configure IPSec VPN Tunnels With the Wizard

Configure IPSec VPN Tunnels With the Wizard Configure IPSec VPN Tunnels With the Wizard This quick start guide provides basic configuration information about setting up IPSec VPN tunnels by using the VPN Wizard on the ProSafe Wireless-N 8-Port Gigabit

More information

Configuring SSH Sentinel VPN client and D-Link DFL-500 Firewall

Configuring SSH Sentinel VPN client and D-Link DFL-500 Firewall Configuring SSH Sentinel VPN client and D-Link DFL-500 Firewall I. Configuring D-Link DFL-500 Firewall 1. Connect your computer to the internal port of the DFL-500 Firewall 2. Change the computer IP address

More information

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc.

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc. Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc. Introduction In this whitepaper, we will configure a VPN tunnel between two SonicWALLs running SonicOS 2.0 Enhanced that

More information

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router print email Article ID: 4938 Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router Objective Virtual Private

More information

IP Office Technical Tip

IP Office Technical Tip IP Office Technical Tip Tip no: 186 Release Date: August 14, 2007 Region: GLOBAL Configuring a VPN Remote IP Phone with an Adtran Netvanta 3305 VPN Router The following document assumes that the user/installer

More information

Broadband Bandwidth Controller

Broadband Bandwidth Controller User s Manual Broadband Bandwidth Controller Model No.: SP883B World Wide Web: www.micronet.com.tw Table of Content -------------------------------------------------------------------------------------------------------------------------

More information

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1 Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1 This document describes how to configure an IPSec tunnel between a WatchGuard Firebox Vclass appliance (Vcontroller version

More information

IP Office Technical Tip

IP Office Technical Tip IP Office Technical Tip Tip No: 221 Release Date: 9 October 2009 Region: GLOBAL Configuring VPNremote Telephones with Cisco Adaptive Security Appliance (ASA) 5510 using the Adaptive Security Device Manager

More information

Chapter 6 Virtual Private Networking

Chapter 6 Virtual Private Networking Chapter 6 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVX538 VPN firewall. VPN tunnels provide secure, encrypted communications between

More information

Chapter 3 LAN Configuration

Chapter 3 LAN Configuration Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. This chapter contains the following sections

More information