Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

Transcription

1 Basic ViPNet VPN Deployment Schemes Supplement to ViPNet Documentation

2 Infotecs Americas. All rights reserved. Version: ENU This document is included in the software distribution kit and is subject to the same terms and conditions as the software itself. No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means electronic, mechanical, recording, or otherwise for any purpose, without the prior written consent of Infotecs Americas Inc. ViPNet is a registered trademark of Infotecs Americas Inc., New York, USA. All brands and product names that are trademarks or registered trademarks are the property of their owners. Global contacts page

3 Contents Introduction... 5 About This Document... 6 Audience... 6 Document Conventions... 6 Feedback... 8 Guidelines... 9 Basic ViPNet VPN Deployment Schemes Before You Begin Chapter 1. Connection between a Remote Client and an Office Overview Configuring Network Structure in ViPNet Network Manager Creating a ViPNet Network Configuring a ViPNet Network Checking Settings on a Firewall Checking Settings on a Coordinator Checking Settings on Clients in the Office Checking Settings on a Remote Client Chapter 2. Remote Client to Remote Client Overview Configuring Network Structure in ViPNet Network Manager Checking Settings on a Firewall and a Coordinator Checking Settings on a Remote Client Chapter 3. Office to Office Connection Overview Configuring Network Structure in ViPNet Network Manager Checking Settings on Firewalls and Coordinators in Both Offices Checking Settings on Clients in Both Offices Chapter 4. Office to Office Connection with Tunneling Overview Configuring Network Structure in ViPNet Network Manager Checking Settings on Firewalls and Coordinators in Both Offices Checking Routing Settings on Tunneled Hosts... 42

4 Checking Settings on a Remote Client Chapter 5. Mobile Device to Office Connection Overview Configuring a Network in ViPNet Network Manager Configuring a Coordinator for Windows Verifying Settings on an External Firewall Configuring Mobile Devices Configuring an Apple Mobile Device Configuring an Android Mobile Device Chapter 6. Office to Office Connection Both with the ViPNet and IPsec Technologies Overview Configuring Network in ViPNet Network Manager Settings Check on a Remote Gateway... 60

5 Introduction About This Document 6 Feedback 8 Guidelines 9 Basic ViPNet VPN Deployment Schemes 10 Before You Begin 11 Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 5

6 About This Document This document is a supplement to ViPNet VPN. User s Guide. It contains 6 basic schemes of deploying a protected ViPNet VPN network. Each scheme is attended with step-by-step instructions helping you to create and configure a network in ViPNet Network Manager and then, on your ViPNet hosts, check whether the settings you made in ViPNet Network Manager are correct. Audience This document is intended for the network administrators intending to deploy and configure ViPNet VPN virtual private networks in their organizations. You don't have to be an IT professional to read and understand this document. However, you should have a general idea of computer networks, IP protocols, firewalls, tunneling, and cryptography. Document Conventions This document uses the following conventions: Table 1. Document conventions Icon Description Warning: Indicates an obligatory action or information that may be critical for continuing user operations. Note: Indicates a non-obligatory, but desirable action or information that may be helpful for users. Tip: Contains additional information. Table 2. Conventions for highlighted information Icon Name Key+Key Menu > Submenu > Command Description The name of an interface element. For instance, the name of a window, a box, a button, or a key. Shortcut keys. To use the shortcut keys, press and hold the first key and press other keys. A hierarchical sequence of elements. For instance, menu items or sections in the navigation pane. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 6

7 Icon Code Description A file name, path, text file (code) fragment or a command executed from the command line. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 7

8 Feedback Finding Additional Information For more information about Infotecs products and technologies, see the following resources: ViPNet documentation web portal Information about current Infotecs products Information about Infotecs solutions Contacting Infotecs We value any feedback from you. If you have any questions concerning Infotecs products and solutions, any suggestions, complains or other feedback, feel free to contact us by means of the following: Global contacts page Telephone (Germany): +49 (0) Telephone (USA): +1 (646) Errata Infotecs makes every effort to ensure that there are no errors or misprints in the text of all documents supplied with ViPNet software. However, no one is perfect, and mistakes do occur. If you find an error in one of our documents, like a spelling mistake or some inaccuracy in describing user scenarios or system features, we would be very grateful for your feedback. By sending in errata you may save other reader hours of frustration, and at the same time you will be helping us provide documentation of even higher quality. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 8

9 Guidelines Here are the guidelines of working with the document: 1 Choose a scheme that fits the required logical network structure (see Basic ViPNet VPN Deployment Schemes on page 10). If you want to connect two offices of your organization through a protected network, we recommend you to create a single corporate ViPNet network including computers of both offices. If you need to establish secure connection between two different organizations, we recommend you to create two different ViPNet networks and establish partner network connection between them (see ViPNet VPN. User's Guide, chapter 6). Warning: In this document, we will consider communication between head and branch offices hosts via a single corporate ViPNet network. 2 On a ViPNet administrator's workstation, you should first install ViPNet Network Manager and then ViPNet Client or ViPNet Coordinator (see ViPNet VPN. User's Guide, chapter 2, Deploying the ViPNet Network Administrator's Workstation ). 3 In ViPNet Network Manager, create logical network structure according to the recommendations in this document, and then create key sets for ViPNet hosts. 4 On the hosts that will function as coordinators, install the ViPNet Coordinator software (see ViPNet VPN. User's Guide, chapter 2, Installing ViPNet Coordinator on ViPNet Network Servers ) and install the key sets created in ViPNet Network Manager. 5 On ViPNet users' computers, including remote ones, install the ViPNet Client software (see ViPNet VPN. User's Guide, chapter 2, Deploying the ViPNet Network User's Workstations ) and install the key sets created in ViPNet Network Manager. 6 Check connection between coordinators and remote clients, between different remote users, between coordinators from different networks. 7 If connection has not been established, follow the recommendations in this document to check ViPNet Coordinator and ViPNet Client program settings on ViPNet hosts. Note: To change any settings for a coordinator or a client, in ViPNet Network Manager: In the navigation pane, choose a ViPNet host, whose settings you are going to change. Go through the tabs in the view pane and make the required settings. Create key sets, copy them to a removable drive, and manually update keys on ViPNet hosts. 8 Check connection again. If the connection is still not established, the failure may be caused by wrong firewall configuration or incompatible software. Contact Infotecs technical support. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 9

10 Basic ViPNet VPN Deployment Schemes Below, we describe six typical network schemes you can deploy with ViPNet VPN: 1 Connection between a remote client and an office (on page 13) Follow these steps to deploy a ViPNet network and establish a protected connection between a remote user and an office. A remote user is a laptop user connecting to the Internet from different locations: home, workplace, a Wi-Fi cafe, and so on. It could also be a desktop PC in a branch office or at home (or in some other place from where a coordinator is not accessible directly). 2 Remote client to remote client (on page 24) Follow these steps to deploy a ViPNet network with two remote clients and establish a direct clientto-client connection between them. 3 Office to office connection (on page 29) Follow these steps to deploy a ViPNet network and establish a protected point-to-point connection between two ViPNet hosts located in two different offices of an organization. 4 Office to office connection with tunneling (on page 35) Follow these steps to deploy a ViPNet network and establish a protected connection between such network devices located in two different offices of an organization, where you can't install the ViPNet software for some reasons. These hosts can be computers with Apple Mac OS, network devices like printers, VoIP appliances, NAS, surveillance cameras, and other. 5 Mobile Device to Office Connection (on page 45) Follow these steps to deploy a ViPNet network and establish connection between Apple or Android mobile users and an office. 6 Office to office connection both with the ViPNet and IPsec technologies (on page 55) Follow these steps to deploy a ViPNet network and establish connection with another ViPNet network. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 10

11 Before You Begin Decide beforehand, where your will install the ViPNet Coordinator software (those hosts will be ViPNet network servers) and the ViPNet Client software (one of those hosts will be the ViPNet network administrator's workstation). A coordinator must always be accessible to its clients. This means, a coordinator host must always be online with ViPNet Coordinator software running on it. Static port forwarding should be enabled on the firewall used by this coordinator to access public (Internet) resources. On the ViPNet network administrator's workstation, run the ViPNet VPN setup program and first install ViPNet Network Manager, then ViPNet Client or ViPNet Coordinator (see ViPNet VPN. User's Guide, chapter 2, Deploying the ViPNet Network Administrator's Workstation ). ViPNet Network Manager allows you to create, configure and maintain a protected ViPNet network that may include hosts located in the head office, branch offices, and remote computers. To establish connection between head office computers and branch office computers, partner company computers or remote users, there should be at least one coordinator in a ViPNet network which is always accessible from outside by either an external (public) static IP address or a DNS name. In the first two scenarios described in this document, there is only one coordinator on the network, while in the last two scenarios, the described functions are performed by a coordinator located in the head office. In the first two and the second two scenarios described in this document, there is only one coordinator on the network, while in the third and the fourth scenarios, the described functions are performed by a coordinator located in the head office. If your coordinator does not have a public static IP address, use the dynamic DNS service, which translates your firewall s public dynamic addresses to a specified DNS name (for example, you may use a service). Warning: Before configuring settings on ViPNet hosts, check network parameters, as described below. Check network parameters on the computers functioning as coordinators and on the firewalls: Make sure the coordinator's network interface connected to the firewall has a static local IP address. Make sure you know the public static IP address or the DNS name of the head office coordinator. Make sure the following filtering rules are configured on the firewalls behind which your coordinators are located: allow all traffic incoming to the UDP port specified in coordinator's options (55777 by default) and forward it to the coordinator's local IP address; To learn the number of your coordinators UDP packets encapsulation port: o In the ViPNet Coordinator Monitor main window, on the Service menu, click Options. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 11

12 Figure 1. Viewing the UDP packets encapsulation port number o In the Private Network section, in the UDP packets encapsulation port box, check the specified port number. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 12

13 1 Connection between a Remote Client and an Office Overview 14 Configuring Network Structure in ViPNet Network Manager 15 Checking Settings on a Firewall 18 Checking Settings on a Coordinator 19 Checking Settings on Clients in the Office 20 Checking Settings on a Remote Client 22 Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 13

14 Overview This chapter describes a scheme of establishing connection between a remote user and the head office using the ViPNet VPN software. A remote user is a laptop user connecting to the Internet from different locations (home, workplace, a Wi-Fi cafe, and so on), or a desktop PC user working at any place from where he or she can't connect to the coordinator directly. Figure 2. Connection between a remote client and an office Suppose there are a coordinator and several clients in the head office. The clients use the coordinator as a firewall. The coordinator is located behind a firewall with static NAT. Port forwarding rules (see Checking Settings on a Firewall on page 18) for the coordinator are configured on the firewall. A remote ViPNet user establishes connection to the office over the Internet (see. figure 2 on page 14). Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 14

15 Configuring Network Structure in ViPNet Network Manager Creating a ViPNet Network Create the initial ViPNet network structure using the ViPNet Network Creation Wizard (see ViPNet VPN. User s Guide, chapter 3, section Creating a ViPNet Network ): 1 Specify the required number of coordinators and clients. To implement the scheme of connecting a remote user to an office (see. figure 2 on page 14), you need one coordinator. 2 Choose how your ViPNet hosts will be linked with each other. 3 Edit the created network structure and links if necessary. 4 To configure access parameters for the coordinator, select the Using a firewall Internet connection type (see the Configuring Access to a Coordinator section, the Configuring Access to a Coordinator behind a Firewall topic) and specify the firewall's IP addresses or DNS name. If you want to configure the firewall parameters later, select the Configure in ViPNet Network Manager main window option. Note: With the ViPNet Network Creation Wizard, you may configure access parameters only for the first created coordinator (where the ViPNet administrator's workstation is registered by default). If you need to set up access parameters for another coordinator, use the main ViPNet Network Manager window. 5 Configure random password options. 6 On the last page of the Wizard, clear the Create key sets upon completing ViPNet Network Creation Wizard check box and click Close. Configuring a ViPNet Network To configure ViPNet hosts: 1 In the navigation pane of the main ViPNet Network Manager window, select the coordinator to be used for communication with external hosts. Click the Access IP addresses tab. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 15

16 Figure 3. Assigning an IP address for a coordinator If you have configured access options for the coordinator (see Creating a ViPNet Network on page 15) when creating a network, then the firewall is already configured. To add an IP address or DNS name, in the corresponding group, click Add. In the IP Address or DNS name window, add a new IP address or DNS name and click OK. Figure 4. Adding an IP address 2 Click the Firewall tab. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 16

17 Figure 5. Configuring firewall parameters If you have configured access options for the coordinator (see Creating a ViPNet Network on page 15) when creating a network, then the required firewall parameters are already specified. Otherwise, follow the steps below: o o Select the Use firewall check box. In the Firewall type list, select With static address translation. 3 In the navigation pane, choose the client. Open the Links tab and make sure that the list includes all ViPNet hosts this client should communicate with. 4 On the Tools menu, select Keys, and then click Save Key Sets. Copy the created key sets to a removable drive and use them to install the ViPNet keys on the coordinator and clients. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 17

18 Checking Settings on a Firewall We recommend that the firewall (or another NAT device) has a static public IP address. If the firewall does not have a public static IP address, use the dynamic DNS service, which translates your firewall s public dynamic addresses to a specified DNS name (for example, you may use a service). On the firewall, configure the following rules: 1 Specify the UDP access port to exchange protected traffic with any networks. Note: By default, the ViPNet software uses port number 55777, but you can change it if needed. 2 Create the following port forwarding rule for incoming and outgoing UDP traffic: allow any UDP traffic incoming to the specified port and forward it to the corresponding coordinator. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 18

19 Checking Settings on a Coordinator Make sure the coordinator has been configured correctly. To do this: 1 In the main window of the ViPNet Coordinator program, on the Service menu, click Options. The Options dialog box will be displayed. Figure 6. Checking settings on a coordinator 2 Make sure that, in the Private Network section, the Use external firewall check box is selected. 3 Make sure that, in the Firewall type list, With static NAT is selected. 4 Make sure that, in the UDP packets encapsulation port box, the same port number is specified as the one in port forwarding rules on the firewall. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 19

20 Checking Settings on Clients in the Office To check settings on clients located in the office: 1 In the ViPNet Client Monitor program, log on as an administrator. 2 On the Tools menu, click Options. The Options dialog box will be displayed. 3 In the Options dialog box, make sure that, in the Private Network section, a coordinator installed in the office is selected as the coordinator for connections. Figure 7. Private network settings 4 Click OK. 5 In the navigation pane of the main ViPNet Client window, select the Private Network section. 6 In the Private Network section, in the hosts list, double-click the coordinator chosen as this client's coordinator for connections. The ViPNet Host Properties dialog box will be displayed. 7 In the ViPNet Host Properties dialog box, click the IP Addresses tab. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 20

21 Figure 8. Viewing coordinator's IP addresses 8 Make sure that, in the IP Addresses list, in the Real IP addresses column, the correct coordinator's address is specified. If DNS names are used, make sure that the Use DNS name check box is selected and, in the DNS name list, the correct coordinator's DNS name is specified. 9 Check connection to the coordinator. To do this, in the Private Network section, select the coordinator and, on the toolbar, click Connection or press F5. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 21

22 Checking Settings on a Remote Client To check settings on a remote client: 1 In the ViPNet Client Monitor program, log on as an administrator. 2 On the Tools menu, click Options. The Options dialog box will be displayed. 3 In the Options dialog box, make sure that, in the Private Network section, a coordinator installed in the office is selected as the coordinator for connections. 4 Click OK. 5 In the navigation pane of the main ViPNet Client window, select the Private Network section. 6 In the Private Network section, in the hosts list, double-click the coordinator chosen as this client's coordinator for connections. The ViPNet Host Properties dialog box will be displayed. 7 In the ViPNet Host Properties dialog box, click the Firewall tab. Figure 9. Access IP addresses 8 In the Access IP addresses list, a public IP address of the firewall behind which the coordinator is installed must be specified. If the firewall has no static public IP address, verify its DNS name (step 12). Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 22

23 9 In the ViPNet Host Properties dialog box, click the IP Addresses tab (see. figure 8 on page 21). 10 Make sure that, in the IP Addresses list, in the Real IP addresses column, the correct coordinator's address is specified. If DNS names are used, make sure that the Use DNS name check box is selected and, in the DNS name list, the correct DNS name of the firewall behind which the coordinator is installed is specified. 11 Check connection to the coordinator. To do this, in the Private Network section, select the coordinator and, on the toolbar, click Connection or press F5. If all the settings have been configured correctly, connection between a remote client and the head office will be established. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 23

24 2 Remote Client to Remote Client Overview 25 Configuring Network Structure in ViPNet Network Manager 26 Checking Settings on a Firewall and a Coordinator 27 Checking Settings on a Remote Client 28 Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 24

25 Overview This chapter describes a scheme of establishing connection between two remote users using the ViPNet VPN software. Figure 10. Remote client to remote client connection This scheme has much in common with the previous one (see Connection between a Remote Client and an Office on page 13). Suppose there are a coordinator and several clients in the head office. The coordinator is installed behind a firewall with static NAT. Port forwarding rules (see Checking Settings on a Firewall on page 18) for the coordinator are configured on the firewall. A remote ViPNet user and a home ViPNet user establish connection with each other and with the office over the Internet. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 25

26 Configuring Network Structure in ViPNet Network Manager First, create the required ViPNet network structure, as described in Creating a ViPNet Network (on page 15). To implement the above-described scheme (see figure on page 25), create one coordinator, the required number of clients that will work in the office, and two more clients that will work remotely. To configure the created network structure, in ViPNet Network Manager: 1 In the navigation pane of the main ViPNet Manager window, select the coordinator to be used for communication with external hosts. Open the Access IP addresses (see figure on page 16) tab. If you have configured access options for the coordinator (see Creating a ViPNet Network on page 15) when creating a network, the IP address of the coordinator is already specified. If you didn't specify the IP address in the IP addresses group, click Add. In the IP Address window, add the coordinator's address and click OK. If the firewall is accessible from the Internet by a DNS name (for example, the dyndns service is used), in the DNS names group, click Add and type the DNS name of the firewall. 2 Click the Firewall tab (see figure on page 17). If you have configured access options for the coordinator (see Creating a ViPNet Network on page 15) when creating a network, the firewall parameters are already specified. Otherwise, follow the steps below: o o Select the Use firewall check box. In the Firewall type list, select With static address translation. 3 In the navigation pane, choose the client. Open the Links tab and make sure that the list includes all ViPNet hosts this client should communicate with. 4 Repeat steps 3 and 4 to configure the other remote client. 5 On the Tools menu, select Keys, and then click Save Key Sets. Copy the created key sets to a removable drive and use them to install the ViPNet keys on the coordinator and clients. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 26

27 Checking Settings on a Firewall and a Coordinator Make sure that the firewall has a static public IP address or a DNS name provided by a dynamic DNS service. Port forwarding rules (see Checking Settings on a Firewall on page 18) must be configured on the firewall. On the computer that functions as the coordinator, check the ViPNet Monitor settings (see Checking Settings on a Coordinator on page 19). Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 27

28 Checking Settings on a Remote Client Note: All remote clients of the ViPNet network should be configured as follows. To check settings on a remote client: 1 In the ViPNet Client Monitor program, log on as an administrator. 2 On the Service menu, click Options. The Options dialog box will be displayed. 3 In the Options dialog box, make sure that, in the Private Network section (see figure on page 20), a coordinator installed in the office is selected as the coordinator for connections. 4 Click OK. 5 In the navigation pane of the main ViPNet Client window, select the Private Network section. 6 In the Private Network section, in the hosts list, double-click the coordinator chosen as this client's coordinator for connections. The ViPNet Host Properties dialog box will be displayed. 7 In the ViPNet Host Properties dialog box, click the Firewall tab (see figure on page 22). 8 In the Access IP addresses table, check that a public IP address of the firewall, behind which the coordinator is located, is specified. If the firewall has no static public IP address, verify its DNS name (step 12). 9 In the ViPNet Host Properties dialog box, click the IP Addresses tab (see figure on page 21). 10 Make sure that, in the IP Addresses list, in the Real IP addresses column, the correct coordinator's address is specified. If DNS names are used, make sure that the Use DNS name check box is selected and, in the DNS name list, the correct DNS name of the firewall behind which coordinator A is installed is specified. 11 Make sure that, in the Private Network section, the other remote user and other ViPNet hosts your client should communicate with are included in the hosts list. 12 Check connection to the office coordinator and the other remote client. To do this, in the Private Network section, select the required ViPNet host and, on the toolbar, click Connection or press F5. If all the settings have been configured correctly, connection between remote clients with each other and between remote clients and the head office will be established. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 28

29 3 Office to Office Connection Overview 30 Configuring Network Structure in ViPNet Network Manager 31 Checking Settings on Firewalls and Coordinators in Both Offices 33 Checking Settings on Clients in Both Offices 34 Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 29

30 Overview This chapter describes a scheme of establishing protected connection between the head office and the branch office using the ViPNet VPN software. Figure 11. Office to office connection Suppose there are two offices in an organization: head and branch. A corporate ViPNet network includes hosts in both offices. Coordinator A located in the head office and Coordinator B located in the branch office establish a protected connection to each other over the Internet. Coordinator A is located behind a firewall on which a static port forwarding rule is configured for protected traffic exchange. Coordinator B is located behind a firewall with no specially configured settings for protected traffic exchange. Clients in the head office (one of them functions as a ViPNet network administrator's workstation) use coordinator A as a firewall. Clients in the branch office use coordinator B as a firewall. Only one office (in our example, the head office) should be accessible from the outside either by a public static IP address or by a DNS name (see Before You Begin on page 11). Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 30

31 Configuring Network Structure in ViPNet Network Manager First, create the required ViPNet network structure, as described in Creating a ViPNet Network (on page 15). To implement the above-described scheme (see figure on page 30), create two coordinators. On coordinator A, register the clients intended to be installed in the head office. On coordinator B, register the clients intended to be installed in the branch office. In ViPNet Network Manager, configure each coordinator: 1 In the main ViPNet Network Manager window, in the navigation pane, select coordinator A and click the Access IP addresses tab. Figure 12. Assigning an IP address for a coordinator If you have configured access options for the coordinator (see Creating a ViPNet Network on page 15) when creating a network, the IP address of the coordinator is already specified. If you didn't specify the IP address in the IP addresses group, click Add. In the IP Address window, type the IP address of the coordinator A (in this example, it is ) and click OK. If Coordinator A is accessed from the Internet by its DNS name (for example, the dyndns service is used), in the DNS names group, click Add and type the DNS name of the coordinator. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 31

32 2 Click the Firewall tab. If you have configured access options for the coordinator A (see Creating a ViPNet Network on page 15) when creating a network, the firewall parameters are already specified. Otherwise, follow the steps below: o o Select the Use firewall check box. In the Firewall type list, select With static address translation. 3 In the navigation pane of the main ViPNet Network Manager window, select coordinator B, open the Access IP addresses tab and, in the IP addresses group, click Add. In the IP Address window, type the local IP address of the coordinator B (in this example, it is ) and click OK. 4 Click the Firewall tab: o o Select the Use firewall check box. In the Firewall type list, select With dynamic address translation. o In the Coordinator to manage connections with external hosts list, select coordinator A. o Make sure that the Direct all VPN traffic with external hosts through the coordinator check box is cleared. 5 On the Tools menu, select Keys, and then click Save Key Sets. Copy the created key sets to a removable drive and use them to install the ViPNet keys on the coordinator and clients. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 32

33 Checking Settings on Firewalls and Coordinators in Both Offices Make sure that the head office firewall is accessible by a static public IP address or a DNS name provided by a dynamic DNS service. On this firewall, a port forwarding rule (see Checking Settings on a Firewall on page 18) must be configured for the local IP address of coordinator A (UDP, 55777). On the branch office firewall, no additional settings are required. To make sure both coordinators are configured correctly, on each coordinator: 1 In the ViPNet Coordinator main window, on the Service menu, click Options. 2 Make sure that, in the Private Network section, the Use external firewall check box is selected. 3 Make sure that, in the Firewall type list, on coordinator A, With static address translation is selected, while on coordinator B, the With dynamic address translation firewall type is selected. 4 Make sure that, on coordinator A, in the UDP packets encapsulation port box, the same port number is specified as the one in port forwarding rules on the firewall. 5 Make sure that, on coordinator B, in the Connection server list, coordinator A is selected. 6 On coordinator B, in the navigation pane of the main ViPNet Coordinator window, select Private Network. 7 In the view pane of the Private Network section, double-click coordinator A. The ViPNet Host Properties dialog box will be displayed. 8 If coordinator A is accessible by a static public IP address: 8.1 In the ViPNet Host Properties dialog box, click the Firewall tab (see figure on page 22). 8.2 In the Access IP addresses list, a static public IP address must be specified for the firewall behind which the coordinator of the other office is installed (in this example, it is ). 9 If the head office firewall does not have a static public IP address, make sure that the firewall's DNS name is specified. In the ViPNet Host Properties dialog box, click the IP Addresses tab (see figure on page 21). Make sure that the Use DNS name check box is selected and, in the DNS name list, the correct DNS name of the firewall behind which the coordinator of the other office is installed is specified. 10 On coordinator B, check connection to coordinator A. To do this, in the Private Network section, select coordinator A and, on the toolbar, click Connection or press F5. If all the settings have been configured correctly, connection between the coordinators of the head and branch offices will be established. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 33

34 Checking Settings on Clients in Both Offices Note: You should check the settings on every client in the head and branch offices as follows. To check the settings on a client: 1 In the ViPNet Client Monitor program, log on as an administrator. 2 On the Tools menu, click Options. The Options dialog box will be displayed. 3 In the Options dialog box, make sure that, in the Private Network (see figure on page 20) section, a coordinator installed in the office is selected as the coordinator for connections. 4 Click OK. 5 In the navigation pane of the main ViPNet Client window, select the Private Network section. 6 In the Private Network section, in the hosts list, double-click the coordinator chosen as this client's coordinator for connections. The ViPNet Host Properties dialog box will be displayed. 7 In the ViPNet Host Properties dialog box, click the IP Addresses tab (see figure on page 21). 8 Make sure that, in the IP Addresses list, in the Real IP addresses column, the correct coordinator's address is specified (in the head office: , in the branch office: ). 9 Check connection to the coordinator of the office where this client is installed. To do this, in the Private Network section, select the coordinator and, on the toolbar, click Connection or press F5. 10 Check connection to any ViPNet host in the other office. If all the settings have been configured correctly, connection between the head office and the branch office will be established. If there is no connection, the problem may be in the firewall or some incompatible software. Contact Infotecs technical support. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 34

35 4 Office to Office Connection with Tunneling Overview 36 Configuring Network Structure in ViPNet Network Manager 37 Checking Settings on Firewalls and Coordinators in Both Offices 40 Checking Routing Settings on Tunneled Hosts 42 Checking Settings on a Remote Client 44 Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 35

36 Overview This chapter describes a scheme of establishing protected connection between the head office and the branch office using the ViPNet VPN software and the tunneling technology. Tunneling is a method of protecting traffic passing through unprotected communications channels. IP packets go unencrypted between a tunneled host and a coordinator, and encrypted between a coordinator and other ViPNet hosts. A tunneled host is a network host without ViPNet software installed that should be accessible from an external network through a coordinator via a protected communications channel. It may be any device connected to the network that has an IP address: an Apple PC, a network printer, a Network Attached Storage (NAS), a VoIP device, IP-based manufacturing equipment, and so on. Figure 13. Office to office connection with tunneling Suppose there are two offices in an organization: head and branch. The corporate ViPNet network includes two coordinators, a network control center (ViPNet Network Manager host), and a remote ViPNet host. Coordinator A located in the head office and coordinator B located in the branch office establish a protected connection to each other over the Internet. Coordinator A is located behind a firewall on which a static port forwarding rule is configured for protected traffic exchange. Coordinator B is located behind a firewall where no special settings for protected traffic exchange have been made. Coordinator A tunnels several unprotected (without ViPNet software installed) computers and network devices located in the head office. Coordinator B tunnels several unprotected computers and network devices in the branch office. The remote client establishes connection to tunneled hosts in both offices. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 36

37 Configuring Network Structure in ViPNet Network Manager First, create the required ViPNet network structure as described in chapter 1 (see Creating a ViPNet Network on page 15). To implement the above-described scheme (see figure on page 36), create two coordinators and two clients (a ViPNet network administrator's workstation and a remote ViPNet host). Note: You may create more clients if you need more protected hosts to be used in offices or remotely. In ViPNet Network Manager, configure each coordinator: 1 In the main ViPNet Network Manager window, in the navigation pane, select the coordinator A and click the Access IP addresses tab (see figure on page 31). If you have configured access options for the coordinator A (see Creating a ViPNet Network on page 15) when creating a network, the IP address of the network adapter directly connected to the firewall is already specified. To assign an IP address, under IP addresses click Add. In the IP Address window, type the local IP address of the coordinator and click OK. If the coordinator is accessible from the Internet by a DNS name (for example, the dyndns service is used), under DNS names, click Add. Then, specify the coordinator's DNS name. 2 Click the Firewall tab (see figure on page 17). If you have configured access options for the coordinator A (see Creating a ViPNet Network on page 15) when creating a network, the firewall parameters are already specified. Otherwise, follow the steps below: o o Select the Use firewall check box. In the Firewall type list, select With static address translation. 3 In the navigation pane of the main ViPNet Network Manager window, select the coordinator B. Then, click the Access IP addresses tab and click Add. In the IP Address window, type a local IP address of the coordinator and click OK. 4 Click the Firewall tab: o o Select the Use firewall check box. In the Firewall type list, select With dynamic address translation. o In the Coordinator for incoming traffic list, select coordinator A. o Make sure that the Direct all VPN traffic with external hosts through the coordinator check box is cleared. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 37

38 For each coordinator: 5 Click the Tunnel tab. Figure 14. Specifying IP addresses of tunneled hosts o On the Tunnel tab, specify the IP addresses of the computers and network devices to be tunneled by this coordinator. We recommend that a coordinator and its tunneled hosts are located in the same network segment. Note: For our recommendations on the case when a coordinator and its tunneled hosts are placed in different network segments, see the document Common Scenarios of ViPNet VPN Administering. Supplement to ViPNet Documentation. To specify an IP address: Click Add. The IP Address or Range window will be displayed. If you want to add a single tunneled IP address, select IP address and type the required IP address in the box. If you want to add a range of tunneled IP addresses, select Range and type the starting and the ending IP addresses of the range in the boxes. Click OK. To configure a remote client: 1 In the navigation pane, select the client that is intended to be used remotely. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 38

39 2 Open the Links tab and make sure that the list includes all ViPNet hosts this client should communicate with. Links with tunneled hosts are always allowed. These hosts are not listed. On the Tools menu, select Keys, and then click Save Key Sets. Copy the created key sets to a removable drive and use them to install the ViPNet keys on the coordinator and clients. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 39

40 Checking Settings on Firewalls and Coordinators in Both Offices Make sure that the head office firewall is accessible by a static public IP address or a DNS name provided by a dynamic DNS service. On this firewall, a port forwarding rule (see Checking Settings on a Firewall on page 18) must be configured for the local IP address of coordinator A (UDP, 55777). On the branch office firewall, no additional settings are required. To make sure both coordinators are configured correctly, on each coordinator: 1 In the main window of the ViPNet Coordinator program, on the Service menu, click Options. 2 Make sure that, in the Private Network section, the Use external firewall check box is selected. 3 Make sure that, in the Firewall type list, on coordinator A, With static address translation is selected, while on coordinator B, the With dynamic address translation firewall type is selected. 4 Make sure that, on coordinator A, in the UDP packets encapsulation port box, the same port number is specified as the one in port forwarding rules on the firewall. 5 Make sure that, on coordinator B, in the Connection server list, coordinator A is selected. 6 For each coordinator: In the Options dialog box, select Tunneling. Figure 15. Checking tunneled IP addresses Check tunneled hosts' IP addresses. A coordinator and its tunneled hosts must be located in the same subnetwork. 7 On coordinator B, in the navigation pane of the main ViPNet Coordinator window, select Private Network. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 40

41 8 In the view pane of the Private Network section, double-click coordinator A. The ViPNet Host Properties dialog box will be displayed. 9 If coordinator A is accessible by a static public IP address: o In the ViPNet Host Properties dialog box, click the Firewall tab (see figure on page 22). o In the Access IP addresses list, the firewall's static public IP address must be specified. 10 If the head office firewall does not have a static public IP address, make sure that the firewall's DNS name is specified. In the ViPNet Host Properties dialog box, click the IP Addresses tab (see figure on page 21). Make sure that the Use DNS name check box is selected and, in the DNS name list, the correct DNS name of the firewall behind which the coordinator of the other office is installed is specified. 11 In the ViPNet Host Properties dialog box, click the Tunnel tab. Figure 16. Checking IP addresses tunneled by the other coordinator Make sure that, on the Tunnel tab, the Use IP addresses for tunneling check box is selected and IP addresses tunneled by the other coordinator are specified. If similar IP addresses are used in the head and branch offices, select the Use virtual IP addresses check box. This allows avoiding a conflict of IP addresses. 12 On coordinator B, check connection to coordinator A. To do this, in the Private Network section, select coordinator A and, on the toolbar, click Connection or press F5. If all the settings have been configured correctly, connection between the coordinators of the head and branch offices will be established. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 41

42 Checking Routing Settings on Tunneled Hosts We recommend you that each tunneled host should use its tunneling coordinator as its default gateway. In this case, no additional routing settings are required. On the hosts where you can't set the coordinator as the default gateway, add static routes to forward all traffic to be tunneled to the branch office through the coordinator. Figure 17. Viewing a virtual address To add a static route, in Windows Command Prompt, enter the following command: route add <destination IP address> mask <subnet mask> <gateway> -p, where: <destination IP address> is the virtual IP address of the destination subnetwork. <subnet mask> is a destination subnet mask value. <gateway> is the coordinator's local IP address. -p identifies that the route is static and will be the saved after each reboot. To learn the destination subnetwork IP address: 1 On the coordinator installed in the tunneled host's LAN, in the main ViPNet Coordinator Monitor window, click Private Network. 2 In the list of ViPNet hosts, double-click the coordinator of the other office. The ViPNet Host Properties dialog box will be displayed. 3 Click the Tunnel tab and make sure that the Use virtual IP addresses check box is selected. Use the network addresses displayed in the Virtual IP addresses column to set a static route (in our example, network 11). Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 42

43 For example, a tunneled host in the branch office should connect to tunneled hosts in the head office. Tunneled hosts of the head office are accessible by virtual IP addresses that belong to the network (see figure on page 42). The local IP address of the branch office coordinator is To set a static route on the branch office host, use the following command: route add mask p Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 43

44 Checking Settings on a Remote Client To check the settings on a remote client: 1 In the ViPNet Client Monitor program, log on as an administrator. 2 On the Tools menu, click Options. The Options dialog box will be displayed. 3 In the Options dialog box, make sure that, in the Private Network (see figure on page 20) section, a coordinator installed in the office is selected as the coordinator for connections. 4 Click OK. 5 In the navigation pane of the main ViPNet Client window, select the Private Network section. 6 In the view pane of the Private Network section, double-click coordinator A. The ViPNet Host Properties dialog box will be displayed. 7 In the ViPNet Host Properties dialog box, click the Firewall tab (see figure on page 22). 8 In the Access IP addresses list, a static public IP address of the firewall behind which coordinator A is installed must be specified. If the firewall has no static public IP address, verify its DNS name (step 10). 9 In the ViPNet Host Properties dialog box, click the IP Addresses tab (see figure on page 21). 10 Make sure that, in the IP addresses list, in the Real IP addresses column, the correct local address of coordinator A is specified. If DNS names are used, make sure that the Use DNS name check box is selected and, in the DNS name list, the correct DNS name of the firewall behind which coordinator A is installed is specified. 11 In the ViPNet Host Properties dialog box, click the Tunnel tab (see figure on page 41). Make sure that the Use IP addresses for tunneling check box is selected and the IP addresses tunneled by coordinator A are specified. 12 In the view pane of the Private Network section, double-click coordinator B. In the ViPNet Host Properties dialog box, click the Tunnel tab. Make sure that the Use IP addresses for tunneling check box is selected and the IP addresses tunneled by this coordinator are specified. 13 Check connection to each coordinator. To do this, in the Private Network section, select the coordinator and, on the toolbar, click Check connection or press F5. 14 Try to connect to some tunneled host using its IP address (for example, by executing the ping command). If all the settings have been configured correctly, connection between remote clients and tunneled hosts will be established. If there is no connection, the problem may be in the firewall or some incompatible software. Contact Infotecs technical support. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 44

45 5 Mobile Device to Office Connection Overview 46 Configuring a Network in ViPNet Network Manager 48 Configuring a Coordinator for Windows 50 Verifying Settings on an External Firewall 52 Configuring Mobile Devices 53 Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 45

46 Overview This chapter describes a connection scheme within a ViPNet VPN network, where Apple and Android device users establish connection to the office. Figure 18. Connection between office and mobile devices Your mobile device connects to a protected ViPNet host through a coordinator functioning as an IPsec- ViPNet gateway. The mobile device establishes connection to the coordinator over the IPsec protocol. Thus, there is a protected tunnel from this device to the coordinator. On the coordinator, an IP address from the specified range (in the scheme, it is ) is assigned to the mobile device. The coordinator is configured to tunnel the range of the IP addresses assigned to IPsec hosts (mobile devices) using the ViPNet technology. Thus, an IPsec host is accessible for ViPNet hosts either by the address the coordinator has assigned for it ( in the scheme), or by the corresponding virtual IP address of the tunneled host. ViPNet hosts will be accessible to the IPsec host by their visibility addresses on the coordinator (in the scheme, the visibility address is ). When IPsec and ViPNet hosts communicate as described in the scheme, no advanced route setup is required. The IP packets are transferred as follows. IP packets from mobile devices are sent over the IPsec protocol. On the coordinator, the packets are decrypted. Then, the ViPNet driver encrypts the packets again. The coordinator forwards the packets to the destination host in the ViPNet network. Response IP packets are transferred in the same way. The coordinator functioning as an IPsec server should meet the following requirements: Use a coordinator of one of the two following types: o o ViPNet Coordinator HW/VA coordinator. ViPNet Coordinator for Windows deployed on a computer with the operating system Windows Server 2008 R2. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 46

47 Note: The feature of an IPsec gateway can be also implemented by a computer working under Windows Server 2003 operating system. However, in this document, we cover configuration of an IPsec gateway only for Windows Server 2008 R2. For help on configuring an IPsec gateway for Windows Server 2003, contact Infotecs technical support (see Feedback on page 8). The coordinator must be accessible on the Internet by its IP address or DNS name (the name can be registered in the dynamic DNS service). Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 47

48 Configuring a Network in ViPNet Network Manager First, create the required ViPNet network structure, as described in Creating a ViPNet Network (on page 15). To implement this scheme, you need a network with a coordinator, clients, and mobile clients. This section describes a general workflow on configuring an IPsec gateway deployed on a coordinator running Windows OS or on a ViPNet Coordinator HW/VA coordinator. We recommend you to use a ViPNet Coordinator HW/VA coordinator because it requires few settings. You can configure a ViPNet Coordinator HW/VA host in ViPNet Network Manager only if your ViPNet Network Manager license allows it. In ViPNet Network Manager, make the following settings (for more information, see the document ViPNet VPN. User's Guide, the chapter Configuring IPsec Connection to Mobile Devices and Other Networks ): 1 Choose or create a coordinator (ViPNet Coordinator Windows or ViPNet Coordinator HW/VA) that will function as an IPsec gateway. 2 On the IPsec connection tab, configure IPsec connection to the coordinator. Figure 19. Configuring IPsec connection parameters 3 If you want to provide access for mobile devices to ViPNet hosts, specify the range of tunneled IP addresses for the mobile clients. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 48

49 4 Add a mobile client to the coordinator and, on the Profile tab, configure an IPsec profile for the mobile client. Though only the ios option is available on the Mobile client type list, you should make other settings even if the mobile device you are connecting runs Android. This is required because the IPsec gateway coordinator also uses these settings. Figure 20. Mobile client parameters 5 If the mobile client is an Apple device, send the configured profile to the mobile device. 6 If a coordinator for Windows is chosen as an IPsec gateway, save the profile configured on the IPsec connection tab of the coordinator. 7 If you choose a ViPNet Coordinator HW/VA coordinator as an IPsec gateway, send the keys to the ViPNet Coordinator HW/VA coordinator. If no key set has been installed on the coordinator, create a key set for it and give it to the coordinator host's administrator together with the hwinit_set.xml file. Next, if you use a ViPNet Coordinator HW/VA coordinator, start configuring the mobile device (see Configuring Mobile Devices on page 53). If you use a coordinator for Windows, first configure the coordinator (see Configuring a Coordinator for Windows on page 50), then start configuring the mobile device. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 49

50 Configuring a Coordinator for Windows On a coordinator running Windows Server 2008 R2, do the following: 1 In the Server Manager snap-in, run the Add Roles Wizard and set the Network Policy and Access Services role, selecting the Routing and Remote Access Services component. Figure 21. Selecting services to be installed 2 In the Server Manager snap-in, enable the Routing and Remote Access service by choosing the Remote access (dial-up or VPN) configuration in the wizard. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 50

51 Figure 22. Choosing a configuration 3 On the coordinator, apply the IPsec profile you created for it in ViPNet Network Manager. To do this, run the run.bat file on it. 4 In ViPNet Coordinator, configure a public network local filter, allowing you to connect mobile devices over the IPsec technology. Also: o as a destination, specify My ViPNet host and the coordinator's network interface connected to the Internet; o add the 50-ESP IP protocol and the UDP protocols 500-isakmp and If you need to ensure access of mobile devices to application servers and information resources located right on the coordinator, you should configure a local network filter for a public network, so that the traffic transferred over certain protocols and ports was allowed. Also: o o o as sources, specify the IP addresses range, from which addresses are distributed for mobile devices when they connect to the coordinator and which you specified in ViPNet Network Manager when configuring the IPsec gateway's profile; as a destination, specify My ViPNet host; add the TCP protocol 80-http. 6 After you configure the filters, in ViPNet Coordinator, in the Local Public Network Filters section, click Apply all. 7 To provide access to ViPNet hosts for mobile devices by DNS names, install and configure a DNS server on the coordinator and register DNS names of ViPNet hosts on it (see the document ViPNet VPN. User's Guide, the chapter Configuring and Using DNS and WINS Services in ViPNet Networks ). Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 51

52 Verifying Settings on an External Firewall If the coordinator is connected to the Internet via an external firewall, on this firewall (or a DSL router), you need to configure a rule for UDP packets transferred when the connection is established over the IPsec or L2TP technology. Do one of the following: Make sure that, on the device functioning as a firewall, the L2TP Passthrough and IPsec Passthrough modes are enabled (if such parameters are available on your device). No additional configuring is required after that. Figure 23. Router settings If the L2TP Passthrough and IPsec Passthrough parameters are not available on your device, configure the rule manually specifying the following parameter values: o o The IP address of the server with the ViPNet Coordinator software installed to which ports will be redirected. Protocol: UDP. o Ports: 500 and Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 52

53 Configuring Mobile Devices Configuring an Apple Mobile Device After you create an IPsec profile for a mobile client in ViPNet Network Manager, you should install it on your Apple device. To do this: 1 On your ipad or iphone, open the message with the attached IPsec profile (a file with the.mobileconfig extension). 2 Choose the attached file. The profile setup window will be displayed. 3 Click Install. When you are warned that the profile is not signed, click Install once again. 4 Type the user password specified for the mobile client in ViPNet Network Manager. This password should be received from the ViPNet network administrator. 5 The profile installation is finished. Click Finish. 6 To configure the parameters of the installed profile, open the Settings program and, in the navigation pane, choose VPN. 7 In the view pane, select the installed IPsec profile. 8 In the profile properties window, in the Proxy section, choose Off. 9 Click Save. The profile is installed and configured. To connect to the ViPNet network, on your device go to Settings > > General > Network > VPN. Then switch VPN to. To get access to hosts in the protected network, in your browser or other application, type the IP address or DNS name of the protected ViPNet host. Configuring an Android Mobile Device To connect an Android device to protected corporate resources: 1 On your Android device, add an IPsec profile: 1.1 Open the Settings application and tap Wireless & Networking > VPN. 1.2 Add a new VPN profile. 1.3 Specify the connection type L2TP/IPSec PSK. 1.4 To specify the server address, type the IP address or DNS name of the ViPNet Coordinator HW/VA host you specified in ViPNet Network Manager, on the IPsec connection tab. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 53

54 1.5 To specify the IPsec pre-shared key, type the pre-shared key you specified on the IPsec connection tab. 1.6 Save the VPN profile. 2 Tap the created VPN profile. User credentials will be requested: 2.1 Type the user name you specified in ViPNet Network Manager, on the mobile client's properties tab. 2.2 Type the password you specified on the mobile client's properties tab. 2.3 Tap Connect. Note: On your Android device, the names and positions of the options described in this section may be different. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 54

55 6 Office to Office Connection Both with the ViPNet and IPsec Technologies Overview 56 Configuring Network in ViPNet Network Manager 57 Settings Check on a Remote Gateway 60 Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 55

56 Overview This chapter describes a workflow for configuring connection between a ViPNet VPN network and a network, where the ViPNet technology isn't used. Assume that your corporate network is protected with ViPNet software. You need to create a protected communication channel with your partner company, but they do not use the ViPNet technology. In this case, you may establish a tunnel between the two corporate networks over the IPsec protocol. An IPsec tunnel is an encrypted traffic channel established between the two IPsec gateways deployed in each of the two networks. There is a variety of IPsec gateway software servers and appliances (Cisco appliances, servers running Linux, FreeBSD, Windows Server, and others). You may use a ViPNet Coordinator HW host as your network's IPsec gateway. Note: You can't configure a coordinator for Windows as a ViPNet IPsec gateway in ViPNet Network Manager. You configure a ViPNet Coordinator HW/VA coordinator as an IPsec gateway in ViPNet Network Manager. You can do it only if your ViPNet Network Manager license allows it. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 56

57 Configuring Network in ViPNet Network Manager First, do the following: 1 Create the required ViPNet network structure as described in Creating a ViPNet Network (on page 15). 2 Make sure that your ViPNet Network Manager license allows you to use a ViPNet Coordinator HW/VA coordinator in the network. Otherwise, contact a representative of Infotecs and make a request for a new license. 3 Create keys for the ViPNet Coordinator HW/VA coordinator and install them. In the navigation pane of the ViPNet Network Manager main window, select the ViPNet Coordinator HW/VA coordinator and do the following: 1 In the view pane, click the IPsec connection tab. 2 In the Network interface name list, select the network interface of the ViPNet Coordinator HW/VA host, which is accessible from the Internet. 3 Select the Use coordinator to establish protected IPsec connection for other networks check box. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 57

58 Figure 24. Adding an IPsec channel to another network 4 To configure a new IPsec connection to a remote network, click Add. The IPsec Gateway New window will be displayed. 5 On the Connection tab, in the Remote gateway name box, specify a unique name for the remote network connection. Figure 25. Specifying remote IPsec gateway properties 6 In the Remote gateway IP address box, type the access IP address of the remote IPsec gateway. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 58

59 7 Click Add and then, in the Local and Remote Network Addresses window, specify the IP addresses of the two networks that will be connected over the IPsec channel. The network addresses should be specified in the CIDR notation, for example: /24. Figure 26. Specifying local and remote networks If necessary, repeat this step to add more pairs of local and remote networks. 8 Click the Encryption tab and specify the connection encryption parameters: o In the Pre-shared Key box, type a string (8 to 63 characters) that will be used as the password for connection authentication. Warning: The pre-shared key should not contain the following characters: the question mark (?), the backslash (\), and the single quote ('). o If necessary, in other boxes, specify encryption and hashing algorithms, the Diffie Hellman parameter value, and key lifetime. Figure 27. Specifying encryption parameters Warning: Inform the administrator of the remote network that the same encryption parameters should be specified on the remote gateway. 9 In the view pane, on the Keys tab, click Send Keys to transfer the IPsec connection settings to the ViPNet Coordinator HW/VA host. 10 Then send key set updates to the ViPNet Coordinator HW/VA host and configure a forward rule allowing traffic exchange between the ViPNet network and the remote network. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation 59