Vyatta Remote Access VPN
|
|
|
- Buddy Banks
- 10 years ago
- Views:
Transcription
1 22 June 2015 Vyatta Remote Access VPN Reference Guide Supporting Brocade Vyatta 5600 vrouter 3.5R3
2 2015, Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, HyperEdge, ICX, MLX, MyBrocade, OpenScript, The Effortless Network, VCS, VDX, Vplane, and Vyatta are registered trademarks, and Fabric Vision and vadx are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of others. Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government. The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it. The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit
3 Contents Preface... 5 Document conventions...5 Text formatting conventions... 5 Command syntax conventions... 5 Notes, cautions, and warnings... 6 Brocade resources... 7 Contacting Brocade Technical Support...7 Document feedback... 8 Remote Access VPN Overview...9 Remote access in the network... 9 RA VPN using L2TP/IPsec with pre-shared key RA VPN using L2TP/IPsec with X.509 certificates...11 Planning considerations Remote access using OpenVPN...15 RA VPN with zone-based firewall Remote Access VPN Configuration RA VPN configuration overview L2TP/IPsec with pre-shared key Configuring the L2TP/IPsec VPN client on a Windows XP SP2 system Connecting to the VPN server...20 L2TP/IPsec with x.509 certificates Split tunneling on a windows client Monitoring Remote Access VPN...25 Showing interface information...25 Showing remote access VPN information...25 Remote Access VPN Commands...27 reset vpn remote-access all reset vpn remote-access interface <interface> reset vpn remote-access user <username>...30 show vpn remote-access security vpn l2tp security vpn l2tp remote-access authentication mode <mode> security vpn l2tp remote-access authentication local-users username <username> security vpn l2tp remote-access authentication radius-server <ipv4> key <key>...35 security vpn l2tp remote-access client-ip-pool start <ipv4> security vpn l2tp remote-access client-ip-pool stop <ipv4>...37 security vpn l2tp remote-access dhcp-interface <interface>...38 security vpn l2tp remote-access dns-servers server-1 <ipv4>...39 security vpn l2tp remote-access dns-servers server-2 <ipv4>...40 Vyatta Remote Access VPN Reference Guide 3
4 security vpn l2tp remote-access ipsec-settings authentication mode <mode> security vpn l2tp remote-access ipsec-settings authentication preshared-secret <secret>...43 security vpn l2tp remote-access ipsec-settings authentication x509 cacert-file <file-name>...44 security vpn l2tp remote-access ipsec-settings authentication x509 crlfile <file-name>...45 security vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file <file-name>...46 security vpn l2tp remote-access ipsec-settings authentication x509 server-key-file <file-name>...47 security vpn l2tp remote-access ipsec-settings authentication x509 server-key-password <password>...48 security vpn l2tp remote-access ipsec-settings ike-lifetime <lifetime>...49 security vpn l2tp remote-access mtu <mtu> security vpn l2tp remote-access outside-address <ipv4> security vpn l2tp remote-access outside-nexthop <ipv4> security vpn l2tp remote-access server-ip-pool start <ipv4>...53 security vpn l2tp remote-access server-ip-pool stop <ipv4>...54 security vpn l2tp remote-access wins-servers server-1 <ipv4> security vpn l2tp remote-access wins-servers server-2 <ipv4> List of Acronyms Vyatta Remote Access VPN Reference Guide
5 Preface Document conventions...5 Brocade resources... 7 Contacting Brocade Technical Support...7 Document feedback... 8 Document conventions The document conventions describe text formatting conventions, command syntax conventions, and important notice formats used in Brocade technical documentation. Text formatting conventions Text formatting conventions such as boldface, italic, or Courier font may be used in the flow of the text to highlight specific words or phrases. Format bold text italic text Courier font Description Identifies command names Identifies keywords and operands Identifies the names of user-manipulated GUI elements Identifies text to enter at the GUI Identifies emphasis Identifies variables Identifies document titles Identifies CLI output Identifies command syntax examples Command syntax conventions Bold and italic text identify command syntax components. Delimiters and operators define groupings of parameters and their logical relationships. Convention bold text italic text value Description Identifies command names, keywords, and command options. Identifies a variable. In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN. Vyatta Remote Access VPN Reference Guide 5
![Notes, cautions, and warnings Convention Description [ ] Syntax components displayed within square brackets are optional. Default responses to system prompts are enclosed in square brackets.](/docs-images/24/2894728/images/6-0.png "{ x y z A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options.")
6 Notes, cautions, and warnings Convention Description [ ] Syntax components displayed within square brackets are optional. Default responses to system prompts are enclosed in square brackets. { x y z A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options. In Fibre Channel products, square brackets may be used instead for this purpose. x y A vertical bar separates mutually exclusive elements. < > Nonprinting characters, for example, passwords, are enclosed in angle brackets.... Repeat the previous element, for example, member[member...]. \ Indicates a soft line break in command examples. If a backslash separates two lines of a command input, enter the entire command at the prompt without the backslash. Notes, cautions, and warnings Notes, cautions, and warning statements may be used in this document. They are listed in the order of increasing severity of potential hazards. NOTE A Note provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information. ATTENTION An Attention statement indicates a stronger note, for example, to alert you when traffic might be interrupted or the device might reboot. CAUTION A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data. DANGER A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations. 6 Vyatta Remote Access VPN Reference Guide
7 Brocade resources Brocade resources Visit the Brocade website to locate related documentation for your product and additional Brocade resources. You can download additional publications supporting your product at Select the Brocade Products tab to locate your product, then click the Brocade product name or image to open the individual product page. The user manuals are available in the resources module at the bottom of the page under the Documentation category. To get up-to-the-minute information on Brocade products and resources, go to MyBrocade. You can register at no cost to obtain a user ID and password. Release notes are available on MyBrocade under Product Downloads. White papers, online demonstrations, and data sheets are available through the Brocade website. Contacting Brocade Technical Support As a Brocade customer, you can contact Brocade Technical Support 24x7 online, by telephone, or by e- mail. Brocade OEM customers contact their OEM/Solutions provider. Brocade customers For product support information and the latest information on contacting the Technical Assistance Center, go to If you have purchased Brocade product support directly from Brocade, use one of the following methods to contact the Brocade Technical Assistance Center 24x7. Online Telephone Preferred method of contact for nonurgent issues: My Cases through MyBrocade Software downloads and licensing tools Knowledge Base Required for Sev 1-Critical and Sev 2-High issues: Continental US: Europe, Middle East, Africa, and Asia Pacific: +800-AT FIBREE ( ) For areas unable to access toll free number: Toll-free numbers are available in many countries. [email protected] Please include: Problem summary Serial number Installation details Environment description Brocade OEM customers If you have purchased Brocade product support from a Brocade OEM/Solution Provider, contact your OEM/Solution Provider for all of your product support needs. OEM/Solution Providers are trained and certified by Brocade to support Brocade products. Brocade provides backline support for issues that cannot be resolved by the OEM/Solution Provider. Vyatta Remote Access VPN Reference Guide 7
8 Document feedback Brocade Supplemental Support augments your existing OEM support contract, providing direct access to Brocade expertise. For more information, contact Brocade or your OEM. For questions regarding service levels and response times, contact your OEM/Solution Provider. Document feedback To send feedback and report errors in the documentation you can use the feedback form posted with the document or you can the documentation team. Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. You can provide feedback in two ways: Through the online feedback form in the HTML documents posted on By sending your feedback to [email protected]. Provide the publication title, part number, and as much detail as possible, including the topic heading and page number if applicable, as well as your suggestions for improvement. 8 Vyatta Remote Access VPN Reference Guide
9 Remote Access VPN Overview Remote access in the network... 9 RA VPN using L2TP/IPsec with pre-shared key RA VPN using L2TP/IPsec with X.509 certificates...11 Planning considerations Remote access using OpenVPN...15 RA VPN with zone-based firewall Remote access in the network The Vyatta system currently supports two main VPN mechanisms: site-to-site IPsec VPN, and Remote Access VPN (RA VPN). A site-to-site IPsec VPN connection allows two or more remote private networks to be merged into a single network as shown in the following figure. FIGURE 1 Site-to-site IPsec VPN With RA VPN, the Vyatta system acts as a VPN server to a remote user with a client PC. A typical use for this capability is a traveling employee accessing the corporate network over the Internet. In this scenario, the remote employee's computer appears as another host on the corporate private subnet and is able to access all resources within that subnet. This scenario is shown in the following figure. Vyatta Remote Access VPN Reference Guide 9
10 RA VPN using L2TP/IPsec with pre-shared key FIGURE 2 Remote access VPN The Vyatta RA VPN implementation supports the built-in Windows VPN client: Layer 2 Tunneling Protocol (L2TP)/IPsec VPN. The Windows L2TP/IPsec client supports two IPsec authentication mechanisms: Pre-shared key (PSK), where the two IPsec peers can use a PSK to authenticate each other based on the assumption that only the other peer knows the key. X.509 certificates, which are based on public key cryptography specifically, digital signatures. The Vyatta system supports both pre-shared key and X.509 certificate authentication for L2TP/IPsec client; consequently, the Vyatta system supports two different RA VPN deployments: L2TP/IPsec authenticated with pre-shared key L2TP/IPsec authenticated with X.509 certificates RA VPN using L2TP/IPsec with pre-shared key The following figure shows establishment of an L2TP/IPsec VPN session. 10 Vyatta Remote Access VPN Reference Guide
11 RA VPN using L2TP/IPsec with X.509 certificates FIGURE 3 Remote access VPN-L2TP/IPsec with pre-shared key 1. The remote client first establishes an IPsec tunnel with the VPN server. 2. The L2TP client and server then establish an L2TP tunnel on top of the IPsec tunnel. 3. Finally, a PPP session is established on top of the L2TP tunnel, i.e., the PPP packets are encapsulated and sent/received inside the L2TP tunnel. With this solution, only user authentication is done at the PPP level (with username/password). Data encryption is provided by the IPsec tunnel. Furthermore, in order to perform encryption, IPsec also requires authentication (studies have shown that IPsec encryption-only mode is not secure) at the host level. When pre-shared key is used with L2TP/IPsec, all remote clients must be configured with the same PSK for IPsec authentication. This presents both a security challenge and an operations challenge, since when the key is changed, all remote clients must be re-configured. An alternative is to use L2TP/IPsec with X.509 certificates, as discussed in the next section. RA VPN using L2TP/IPsec with X.509 certificates The following figure shows a conceptual diagram of how digital signatures work. Vyatta Remote Access VPN Reference Guide 11
12 Remote Access VPN Overview FIGURE 4 Digital signature 1. Peers A and B are communicating. A has a public key and a private key. A gives her public key to B. 2. A signs (encrypts) a message using her private key and sends the signed (encrypted) message to B. 3. B can verify the signature by decrypting it using A's public key and checking the result against the original message. Therefore, B can authenticate A by asking A to sign a message and then verifying the signature using A's public key. Since A's private key is only known to A, only A can create a signature that can be verified using A's public key. One problem with this authentication scheme is that B cannot know whether the public key he obtained is in fact A's public key. For example, in the following figure, a malicious attacker C pretends to be A and gives B a different public key. 12 Vyatta Remote Access VPN Reference Guide
13 Remote Access VPN Overview FIGURE 5 Malicious attacker In practice, this problem is solved by using a Public Key Infrastructure (PKI), which is based on a trusted third party, the Certificate Authority (CA). The CA can be either a commercial CA, such as Verisign, or a CA set up internal to the organization. The following figure illustrates conceptually how PKI works. Vyatta Remote Access VPN Reference Guide 13
14 Remote Access VPN Overview FIGURE 6 Trusted third party: certificate authority 1. Both A and B trust CA. 2. A asks the CA to sign a message verifying A s public key. 3. The CA signs the message using its private key, resulting in a certificate. 4. A gives the certificate to B. 5. B can verify the certificate from A (and hence A s public key) using the CA s public key. X.509 is a standard that defines public key certificate formats, revocation, and so on. Given the above scheme, L2TP/IPsec VPN with X.509 certificates works as follows. 1. The network admin obtains a certificate signed by a CA for each remote user (A in the example) and distributes it, along with public/private keys for the user, to the user through a secure channel. 2. The network admin configures the VPN server (B in the example) with the CA s public key, among other things. 3. When the remote client connects to the VPN server, it presents its certificate. 4. The VPN server verifies the certificate using the CA s public key. If the authentication is successful, the result tells the server the client s public key. 5. The server can then use the client s public key for authentication as described previously. 6. If authentication is successful, the IPsec tunnel is established between the client and server. Then the L2TP and PPP operations are identical to the PSK case described previously. 14 Vyatta Remote Access VPN Reference Guide
15 Planning considerations Planning considerations The following points should be taken into consideration when planning a Remote Access VPN configuration: Dedicated subnet - At least one dedicated subnet should be used for remote access VPN users. This subnet should not overlap with existing subnets on the private network. Address pools must not overlap - As it is possible to define multiple address pools, care must be taken to not overlap the address ranges in these pools. In addition, the address pool ranges must be unique with the router configuration. Routes to VPN clients are required - In addition to configuring the remote access VPN server and clients, routers on the corporate network must be made aware of the VPN client subnet so that they know to forward traffic destined for clients through the VPN server. This can be done using static routes and route redistribution in local routing protocols. Concurrent use of site-to-site and L2TP remote access VPN - The L2TP remote access server must not be configured if an IPsec site-to-site peer address is set to Neither protocol will function properly in this scenario. This is a problem because it is unclear whether the incoming IKE connection requests are from a site-to-site client with a dynamic IP address, or an L2TP remote access client. Full Tunneling vs. Split Tunneling - Full Tunneling means that all traffic from the remote access VPN client (that is, traffic destined for the corporate network and traffic destined for the Internet) flows across the VPN. Split Tunneling means that only traffic destined for the corporate network flows across the VPN. Internet traffic goes directly from the client to the Internet. The advantage of Full Tunneling is that Internet access can be controlled centrally. The disadvantage is that it consumes more corporate bandwidth and VPN server resources to service the additional traffic. The advantage of Split Tunneling is that it it makes better use of network resources. The disadvantage is that Internet access control must be provided and maintained on the client. In addition, the routing configuration on the client becomes complicated and must be performed manually each time the client connects if the default classful route added by the client software (that is, a route to /8, /12, or /16) is insufficient (for example, if you need to reach both /24 and /24). If this is the case, and Split Tunneling is desired, OpenVPN is a better solution as it provides better Split Tunnel support. For more information on OpenVPN, see the Vyatta OpenVPN Reference Guide. Full Tunneling is the default with Windows (L2TP) clients. Split Tunneling is the default with OpenVPN clients. Remote access using OpenVPN The Vyatta system also supports remote access using OpenVPN. For more information on OpenVPN see Vyatta OpenVPN Reference Guide. RA VPN with zone-based firewall To configure the firewall to treat all Remote Access VPN users as a separate firewall zone, see documentation on zone-based firewall configuration in the Vyatta Firewall Reference Guide. Vyatta Remote Access VPN Reference Guide 15
16 RA VPN with zone-based firewall 16 Vyatta Remote Access VPN Reference Guide
17 Remote Access VPN Configuration RA VPN configuration overview L2TP/IPsec with pre-shared key L2TP/IPsec with x.509 certificates Split tunneling on a windows client RA VPN configuration overview This chapter provides configuration examples for three of the RA VPN scenarios supported: L2TP/IPsec with pre-shared key, and L2TP/IPsec with X.509 certificates. Each configuration example uses the diagram shown below as the deployment scenario: FIGURE 7 Remote access VPN example Vyatta Remote Access VPN Reference Guide 17
18 L2TP/IPsec with pre-shared key L2TP/IPsec with pre-shared key The first step in configuring a basic remote access VPN setup using L2TP/IPsec with pre-shared key between R1 and a Windows XP client is to configure R1 as an L2TP/IPsec-based VPN server. TABLE 1 Remote access VPN - L2TP/IPsec example Step Define the interface used for IPsec; in this case, dp0p1p1. Enable NAT traversal. This is mandatory. Set the allowed subnet. Commit the change. Show the ipsec configuration. Bind the L2TP server to the external address. Set the nexthop address. Command vyatta@r1# set security vpn ipsec ipsec-interfaces interface dp0p1p1 vyatta@r1# set security vpn ipsec nat-traversal enable vyatta@r1# set security vpn ipsec nat-networks allowed-network /24 vyatta@r1# commit vyatta@r1# show vpn ipsec ipsec-interfaces { interface dp0p1p1 nat-networks { allowed-network /24 { nat-traversal enable vyatta@r1# set security vpn l2tp remote-access outside-address vyatta@r1# set security vpn l2tp remote-access outside-nexthop Set up the pool of IP addresses that remote VPN connections will assume. In this case we make 10 addresses available (from. 101 to.110) on subnet /24. Note that we do not use the subnet on the LAN. vyatta@r1# set security vpn l2tp remote-access clientip-pool start vyatta@r1# set security vpn l2tp remote-access clientip-pool stop (Optional) Set the server pool of IP addresses used at the router. In this example we make 10 server side addresses available (from ) on subnet /24. Note that we do not use the subnet on the LAN. Set the IPsec authentication mode to pre-shared secret. Set the pre-shared secret. Set the L2TP remote access authentication mode to local. Set the L2TP remote access username and password. Commit the change. vyatta@r1# set security vpn l2tp remote-access serverip-pool start vyatta@r1# set security vpn l2tp remote-access serverip-pool stop vyatta@r1# set security vpn l2tp remote-access ipsecsettings authentication mode pre-shared-secret vyatta@r1# set security vpn l2tp remote-access ipsecsettings authentication pre-shared-secret!secrettext! vyatta@r1# set security vpn l2tp remote-access authentication mode local vyatta@r1# set security vpn l2tp remote-access authentication local-users username testuser password testpassword vyatta@r1# commit 18 Vyatta Remote Access VPN Reference Guide
19 Remote Access VPN Configuration TABLE 1 Step Remote access VPN - L2TP/IPsec example (Continued) Command Show the l2tp remote access configuration. vyatta@r1# show vpn l2tp remote-access authentication { local-users { username testuser { password testpassword mode local client-ip-pool { start stop server-ip-pool { start stop ipsec-settings { authentication { mode pre-shared-secret pre-shared-secret!secrettext! outside-address outside-nexthop The next step is to configure the L2TP/IPsec VPN client on a Windows XP SP2 system (the remote user in the example). You can use the Windows New Connection Wizard as follows. 1. Select Start > Control Panel > Network Connections. 2. Click Create a new connection. The New Connection Wizard launches. Click Next. 3. Select Connect to the network at my workplace. Click Next. 4. Select Virtual Private Network connection. Click Next. 5. Enter a name for the connection; for example Vyatta-L2TP. Click Next. 6. Select Do not dial the initial connection. Click Next. 7. Type the VPN server address ( in the example). Click Next. 8. If asked, select Do not use my smart card. Click Next. 9. Click Finish. By default, after the VPN configuration is created, a pre-shared key is not configured and must be added. 1. Go to Network Connections in the Control Panel. 2. Right-click the Vyatta-L2TP (or whatever name you specified) icon. Select Properties. 3. Click the Security tab. Click IPsec Settings Check the Use pre-shared key for authentication checkbox. 5. Type the pre-shared key (!secrettext! in our example) in the Key field. 6. Click OK. Click OK. To connect to the VPN server, double-click the Vyatta-L2TP icon, type the user name (testuser in our example) and password (testpassword in our example), and then click Connect. The show interfaces and show vpn remote-access operational commands will display the connected user on an interface named l2tpx where X is an integer. NOTE You need to make sure that, between the remote client and the VPN server, nothing is blocking packets with protocol L2TP or UDP port 500. (Check firewall settings, home gateway, DSL modem, ISP, and so on.) Vyatta Remote Access VPN Reference Guide 19
20 Configuring the L2TP/IPsec VPN client on a Windows XP SP2 system Configuring the L2TP/IPsec VPN client on a Windows XP SP2 system The next step is to configure the L2TP/IPsec VPN client on a Windows XP SP2 system (the remote user in the example). You can use the Windows New Connection Wizard as follows. 1. Select Start > Control Panel > Network Connections. 2. Click Create a new connection. The New Connection Wizard launches. Click Next. 3. Select Connect to the network at my workplace. Click Next. 4. Select Virtual Private Network connection. Click Next. 5. Enter a name for the connection; for example Vyatta-L2TP. Click Next. 6. Select Do not dial the initial connection. Click Next. 7. Type the VPN server address ( in the example). Click Next. 8. If asked, select Do not use my smart card. Click Next. 9. Click Finish. Connecting to the VPN server 1. Go to Network Connections in the Control Panel. 2. Right click the Vyatta L2TP (or whatever name you specified) icon. Select Properties. 3. Click the Security tab. Click IPsec Settings Check the Use pre shared key for authentication checkbox. 5. Type the pre shared key (!secrettext! in our example) in the Key field. 6. Click OK. Click OK. To connect to the VPN server, double-click the Vyatta L2TP icon, type the user name (testuser in our example) and password (testpassword in our example), and then click Connect. The show interfaces and show vpn remote access operational commands will display the connected user on an interface named l2tpx where X is an integer. NOTE You need to make sure that, between the remote client and the VPN server, nothing is blocking packets with protocol L2TP or UDP port 500. (Check firewall settings, home gateway, DSL modem, ISP, and so on.) L2TP/IPsec with x.509 certificates The first step in configuring a basic remote access VPN setup using L2TP/IPsec with X.509 certificates between R1 and a Windows XP client is to obtain the files necessary for authentication using X.509 certificates. In general, the procedure for doing this is as follows: 1. Generate the private key and a certificate signing request (CSR) (based on the public key). This can be accomplished using generate vpn x509 key-pair name (for example, generate vpn x509 key- 20 Vyatta Remote Access VPN Reference Guide
21 Remote Access VPN Configuration pair R1, where R1.key is the private key and R1.csr is the certificate signing request file - both created in /config/auth). 2. Send the CSR file (for example, R1.csr) to the certificate authority (CA) and receive back a server certificate (for example, R1.crt), the CA certificate (for example, ca.crt), and potentially, a certificate revocation list (CRL) file. This procedure varies according to the CA being used. 3. The same procedure should be followed to obtain equivalent files for the Windows client machine (for example, windows.crt and windows.key). The same CA certificate (ca.crt) can be used on the Windows machine. NOTE If the CA can combine the windows.crt and windows.key files and export a PKCS #12 file (for example, windows.p12), it will save a step later on. Once the X.509-related files have been generated or acquired, the next step is to configure R1 as an L2TP/IPsec-based VPN server. TABLE 2 Step Remote access VPN - L2TP/IPsec example Command Define the interface used for IPsec; in this case, dp0p1p1. Enable NAT traversal. This is mandatory. Set the allowed subnet. Commit the change. Show the ipsec configuration. Bind the L2TP server to the external address. Set the nexthop address. Set up the pool of IP addresses that remote VPN connections will assume. In this case we make 10 addresses available (from.101 to. 110) on subnet /24. Note that we do not use the subnet on the LAN. vyatta@r1# set security vpn ipsec ipsec-interfaces interface dp0p1p1 vyatta@r1# set security vpn ipsec nat-traversal enable vyatta@r1# set security vpn ipsec nat-networks allowed-network /24 vyatta@r1# commit vyatta@r1# show vpn ipsec ipsec-interfaces { interface dp0p1p1 nat-networks { allowed-network /24 { nat-traversal enable vyatta@r1# set security vpn l2tp remote-access outside-address vyatta@r1# set security vpn l2tp remote-access outside-nexthop vyatta@r1# set security vpn l2tp remote-access client-ip-pool start vyatta@r1# set security vpn l2tp remote-access client-ip-pool stop Vyatta Remote Access VPN Reference Guide 21
22 Remote Access VPN Configuration TABLE 2 Step Remote access VPN - L2TP/IPsec example (Continued) Command (Optional) Set the server pool of IP addresses used at the router. In this example we make 10 server side addresses available (from ) on subnet /24. Note that we do not use the subnet on the LAN. Set the IPsec authentication mode to x509. Specify the location of the CA certificate. Specify the location of the server certificate. Specify the location of the server key file. Specify the password for the server key file. Set the L2TP remote access authentication mode to local. Set thel2tp remote access username and password. Commit the change. Show the l2tp remote access configuration. vyatta@r1# set security vpn l2tp remote-access server-ip-pool start vyatta@r1# set security vpn l2tp remote-access server-ip-pool stop vyatta@r1# set security vpn l2tp remote-access ipsec-settings authentication mode x509 vyatta@r1# set security vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file /config/auth/ca.crt vyatta@r1# set security vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file /config/auth/r1.crt vyatta@r1# set security vpn l2tp remote-access ipsec-settings authentication x509 server-key-file /config/auth/r1.key vyatta@r1# set security vpn l2tp remote-access ipsec-settings authentication x509 server-key-password testpwd-r1 testpwd-r1 vyatta@r1# set security vpn l2tp remote-access authentication mode local vyatta@r1# set security vpn l2tp remote-access authentication local-users username testuser password testpassword vyatta@r1# commit vyatta@r1# show security vpn l2tp remote-access authentication { local-users { username testuser { password testpassword mode local client-ip-pool { start stop server-ip-pool { start stop ipsec-settings { authentication { mode x509 x509 { ca-cert-file /config/auth/ca.crt server-cert-file /config/auth/r1.crt server-key-file /config/auth/r1.key server-key-password testpwd-r1 outside-address outside-nexthop Vyatta Remote Access VPN Reference Guide
23 Remote Access VPN Configuration Once R1 is configured, the next step is to configure the L2TP/IPsec VPN client on a Windows XP SP2 system (the remote user in the example). The first part of this is to import the key and certificate files created by the CA onto the Windows machine. Windows expects the key and server certificates to be wrapped into a single file in a PKCS #12 format (a.p12 file). NOTE If the CA does not provide this, then you will need to use a tool (e.g. openssl) to combine the key file and the certificate file for the Windows machine into a.p12 file. 1. Copy the ca.crt and windows.p12 files to the Windows machine. 2. On the Windows machine: Select Start > Run... The Run dialog opens. 3. Enter mmc at the Open: prompt. Click OK. The Console1 MMC console opens. 4. Select File > Add/Remove Snap in... The Add/Remove Snap in dialog opens. 5. Click Add... The Add Standalone Snap in dialog opens. 6. Select Certificates in the list of Available standalone snap ins. Click Add. The Certificates snap in dialog opens. 7. Select Computer account. Click Next. The Select Computer dialog appears. 8. Select Local computer (the computer this console is running on). Click Finish. Click Close. Click OK. Certificates (Local Computer) appears beneath Console Root in the Console1 MMC console. Now you can import the certificate, as follows. 1. Expand Certificates (Local Computer). 2. Right click Personal and select All Tasks > Import... The Certificate Import Wizard opens. 3. Click Next. Specify the location of the windows.p12 file. Click Next. 4. Enter the password for the private key. Click Next. Click Finish. 5. Right click Trusted Root Certification Authorities and select All Tasks > Import... The Certificate Import Wizard opens. 6. Click Next. Specify the location of the ca.crt file. Click Next. 7. Click Finish. Close the Console1 MMC console. At this point, the necessary key and certificate files have been imported to the Windows machine. The next part of configuring the L2TP/IPsec VPN client on the Windows XP SP2 system is to specify the VPN connection. You can use the Windows New Connection Wizard as follows. 1. Select Start > Control Panel > Network Connections. 2. Click Create a new connection. The New Connection Wizard launches. Click Next. 3. Select Connect to the network at my workplace. Click Next. 4. Select Virtual Private Network connection. Click Next. 5. Enter a name for the connection; for example Vyatta X509. Click Next. 6. Select Do not dial the initial connection. Click Next. 7. Type the VPN server address ( in the example). Click Next. 8. If asked, select Do not use my smart card. Click Next. 9. Click Finish. At this point, the configuration on the Windows machine is complete. To connect to the VPN server, double click the Vyatta X509 icon. Enter the User name and Password, then click Connect to establish the connection. The show interfaces and show vpn remote access operational commands will display the connected user on an interface named l2tpx where X is an integer. Vyatta Remote Access VPN Reference Guide 23
24 Split tunneling on a windows client NOTE You need to make sure that, between the remote client and the VPN server, nothing is blocking packets with protocol L2TP or UDP port 500. (Check firewall settings, home gateway, DSL modem, ISP, and so on.) Split tunneling on a windows client On a Windows client, by default, after the VPN configuration is created, the client is configured for Full Tunneling (all traffic flows across the VPN). If you want to configure the client for Split Tunneling (where Internet traffic does not flow across the VPN), you can modify the client VPN configuration as follows: 1. Select Start > Control Panel > Network Connections. 2. Right-click the icon for the VPN connection. Click Properties. 3. Click the Networking tab. Select Internet Protocol (TCP/IP), then click Properties. 4. Click Advanced. Uncheck the Use default gateway on remote network checkbox. 5. Click OK three times. 24 Vyatta Remote Access VPN Reference Guide
25 Monitoring Remote Access VPN Showing interface information...25 Showing remote access VPN information...25 Showing interface information To see high-level interface information, you can use the show interfaces operational mode command, as shown in the following example. For Remote Access VPN connections, in addition to the local interface and the IP address it is bound to, you will see the remote user's name and the IP address assigned to the remote user. Viewing interface information show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description dp0p2p /25 u/u dp0p5p /24 u/u dp0port /24 u/u lo /8 u/u ::1/128 ppp u/u L2TP user ppp u/u L2TP user vyatta@vyatta:~$ Showing remote access VPN information To see Remote Access VPN information specifically, you can use the show vpn remote-access operational mode command, as shown in the following example. Viewing remote access VPN information vyatta@vyatta:~$ show vpn remote-access Active remote access VPN sessions: User Proto Iface Tunnel IP TX byte RX byte Time bill L2TP ppp K 00h02m09s dave L2TP ppp K 00h02m32s vyatta@vyatta:~$ Vyatta Remote Access VPN Reference Guide 25
26 Showing remote access VPN information 26 Vyatta Remote Access VPN Reference Guide
27 Remote Access VPN Commands reset vpn remote-access all reset vpn remote-access interface <interface> reset vpn remote-access user <username>...30 show vpn remote-access security vpn l2tp security vpn l2tp remote-access authentication mode <mode> security vpn l2tp remote-access authentication local-users username <username>...34 security vpn l2tp remote-access authentication radius-server <ipv4> key <key> security vpn l2tp remote-access client-ip-pool start <ipv4> security vpn l2tp remote-access client-ip-pool stop <ipv4>...37 security vpn l2tp remote-access dhcp-interface <interface>...38 security vpn l2tp remote-access dns-servers server-1 <ipv4>...39 security vpn l2tp remote-access dns-servers server-2 <ipv4>...40 security vpn l2tp remote-access ipsec-settings authentication mode <mode> security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>...43 security vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file <file-name>...44 security vpn l2tp remote-access ipsec-settings authentication x509 crl-file <filename>...45 security vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file <file-name>...46 security vpn l2tp remote-access ipsec-settings authentication x509 server-key-file <file-name>...47 security vpn l2tp remote-access ipsec-settings authentication x509 server-keypassword <password>...48 security vpn l2tp remote-access ipsec-settings ike-lifetime <lifetime>...49 security vpn l2tp remote-access mtu <mtu> security vpn l2tp remote-access outside-address <ipv4> security vpn l2tp remote-access outside-nexthop <ipv4> security vpn l2tp remote-access server-ip-pool start <ipv4>...53 security vpn l2tp remote-access server-ip-pool stop <ipv4> security vpn l2tp remote-access wins-servers server-1 <ipv4> security vpn l2tp remote-access wins-servers server-2 <ipv4> Vyatta Remote Access VPN Reference Guide 27
28 reset vpn remote-access all reset vpn remote-access all Terminates all remote-access VPN tunnels. Syntax Modes Usage Guidelines Examples reset vpn remote-access all Operational mode Use this command to terminate all remote access VPN tunnels. The following example terminates all remote access VPN tunnels. reset vpn remote-access all 28 Vyatta Remote Access VPN Reference Guide
29 reset vpn remote-access interface <interface> reset vpn remote-access interface <interface> Terminates the specified active session. Syntax reset vpn remote-access interface interface Parameters Modes interface Operational mode The interface associated with the session to be terminated. Usage Guidelines Examples Use this command to terminate a specific remote access VPN tunnel. The following example terminates the active session on dp0p1p1. vyatta@vyatta# reset vpn remote-access interface dp0p1p1 vyatta@vyatta# Vyatta Remote Access VPN Reference Guide 29
30 reset vpn remote-access user <username> reset vpn remote-access user <username> Terminates the specified user's active sessions. Syntax reset vpn remote-access user username [protocol {12tp] Parameters Modes username l2tp Operational mode The user name associated with the sessions to be terminated. Terminate the specified user's session that is using the l2tp protocol. Usage Guidelines Examples Use this command to terminate remote access VPN tunnels for the specified user. Use the l2tp option to specify a particular session. This is useful when a user has simultaneous sessions open on different protocols. The following example terminates all active sessions for user robert. vyatta@vyatta# reset vpn remote-access user robert vyatta@vyatta# 30 Vyatta Remote Access VPN Reference Guide
31 show vpn remote-access show vpn remote-access Shows information about currently active remote access VPN sessions. Syntax Modes Usage Guidelines Examples show vpn remote-access Operational mode Use this command to see information about the currently active remote access VPN sessions. The following example shows the output of the show vpn remote-access command. show vpn remote-access Active remote access VPN sessions: User Proto Iface Tunnel IP TX byte RX byte Time bill L2TP ppp K 00h02m09s dave L2TP ppp K 00h02m32s Vyatta Remote Access VPN Reference Guide 31
32 security vpn l2tp security vpn l2tp Creates the top-most configuration node for L2TP VPN, enabling L2TP VPN functionality. Syntax set security vpn l2tp delete security vpn l2tp show security vpn l2tp Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp Use this command to create the configuration node for Layer 2 Tunneling Protocol (L2TP) Virtual Private Network (VPN) functionality. Use the set form of this command to create the L2TP VPN configuration node. Use the delete form of this command to remove all L2TP VPN configuration. Use the show form of this command to display L2TP VPN configuration. 32 Vyatta Remote Access VPN Reference Guide
33 security vpn l2tp remote-access authentication mode <mode> security vpn l2tp remote-access authentication mode <mode> Specifies user authentication mode for L2TP VPN remote access connections. Syntax set security vpn l2tp remote-access authentication mode mode delete security vpn l2tp remote-access authentication mode show security vpn l2tp remote-access authentication mode Command Default Users are authenticated using the system's local user database defined in the vpn l2tp configuration. Parameters mode The mode to be used for authenticating remote users. Supported values are as follows: local: Authenticates users locally. radius: Authenticates using a RADIUS server. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { authentication { mode mode Use this command to specify how L2TP VPN remote users are to be authenticated. Users can be authenticated either locally, using login credentials specified using the security vpn 12tp remote-access authentication local-users username username command, or using one or more servers running the Remote Access Dial In User Service (RADIUS) protocol. If you specify RADIUS authentication, you must specify the location of the RADIUS servers, and record the RADIUS login password, by using the security vpn 12tp remote-access authentication radiusserver ipv4 key key command. Use the set form of this command to configure the authentication mode for users. Use the delete form of this command to remove the user authentication mode. Use the show form of this command to display the user authentication mode. Vyatta Remote Access VPN Reference Guide 33
34 security vpn l2tp remote-access authentication local-users username <username> security vpn l2tp remote-access authentication local-users username <username> Specifies the login credentials for L2TP VPN remote users being authenticated locally. Syntax set security vpn l2tp remote-access authentication local-users username username [ disable password password static-ip ipv4 ] delete security vpn l2tp remote-access authentication local-users username username [ disable password static-ip ] show security vpn l2tp remote-access authentication local-users username username [ password static-ip ] Parameters username disable password ipv4 The user name. Mandatory if authentication mode is local. Disables remote access for the user. The login password for the specified user. Mandatory if authentication mode is local. The IPv4 address to assign the user when they connect. This address does not have to be part of the client-ip-pool. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { authentication { local-users { username username { disable password password static-ip ipv4 Use this command to specify login credentials for L2TP VPN remote users and, optionally, to specify the IP address that will be assigned to a user when they connect. Use the set form of this command to create the user name configuration node for the user. Use the delete form of this command to remove a user's login credentials. Use the show form of this command to display the user login authentication configuration. 34 Vyatta Remote Access VPN Reference Guide
35 security vpn l2tp remote-access authentication radius-server <ipv4> key <key> security vpn l2tp remote-access authentication radius-server <ipv4> key <key> Defines a RADIUS server authenticating L2TP VPN remote users. Syntax set security vpn l2tp remote-access authentication radius-server ipv4 key key delete security vpn l2tp remote-access authentication radius-server ipv4 [ key ] show security vpn l2tp remote-access authentication radius-server ipv4 [ key ] Parameters ipv4 key Multi-node. The IPv4 address of the RADIUS server. Mandatory if authentication mode is radius. You can define more than one RADIUS server by creating multiple radiusserver configuration nodes. The password for the RADIUS server. This must be the same as that recorded on the RADIUS server. Mandatory if authentication mode is radius. Supported characters are alphanumeric, space, and special characters. Strings containing spaces must be enclosed in double quotes. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { authentication { radius-server ipv4 { key key Use this command to define one or more RADIUS servers for authenticating remote L2TP VPN and the login credentials required to access it. At least one RADIUS server must be defined if RADIUS is set as the user authentication mode. RADIUS servers are queried in the order they were configured. If the query to the first RADIUS server times out, the next RADIUS server in the list is queried. If no query is successful, the login attempt fails. The RADIUS secret is specified in plain text. RADIUS secrets are stored in plain text on the system, and used as part of a cryptographic operation for transferring authentication information securely over the network. When you view RADIUS secrets, they are displayed in plain text. Use the set form of this command to define a RADIUS server. Note that you cannot use set to change the IP address of a defined server. To change the server's IP address, delete the server and create a new one. Use the delete form of this command to remove the RADIUS server configuration node or the key. Note that the key is mandatory; if you delete the key, you must configure another one. Use the show form of this command to display RADIUS server configuration. Vyatta Remote Access VPN Reference Guide 35
36 security vpn l2tp remote-access client-ip-pool start <ipv4> security vpn l2tp remote-access client-ip-pool start <ipv4> Specifies the beginning address of a pool of IP addresses for L2TP VPN remote clients. Syntax set security vpn l2tp remote-access client-ip-pool start ipv4 delete security vpn l2tp remote-access client-ip-pool start show security vpn l2tp remote-access client-ip-pool start Command Default The default beginning address is Parameters ipv4 The IP address that designates the beginning of the address pool. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { client-ip-pool { start ipv4 Use this command to specify the beginning address of an address pool for remote L2TP VPN clients. Each L2TP VPN connection requires a client address and a server address. Both the beginning and ending addresses must be specified for the remote L2TP VPN clients. Use the security vpn 12tp remote-access client-ip-pool stop ipv4 command to specify the ending address for the L2TP VPN clients. For information on how to specify the range of addresses for an L2TP server, refer to the security vpn 12tp remote-access server-ip-pool start ipv4 and security vpn 12tp remote-access server-ip-pool stop ipv4 commands. Use the set form of this command to specify the beginning address. Use the delete form of this command to delete the beginning address. Use the show form of this command to display the beginning address. 36 Vyatta Remote Access VPN Reference Guide
37 security vpn l2tp remote-access client-ip-pool stop <ipv4> security vpn l2tp remote-access client-ip-pool stop <ipv4> Specifies the ending address of a pool of IP addresses for L2TP VPN remote clients. Syntax set security vpn l2tp remote-access client-ip-pool stop ipv4 delete security vpn l2tp remote-access client-ip-pool stop show security vpn l2tp remote-access client-ip-pool stop Command Default The default ending address is Parameters ipv4 The IP address that designates the end of the address pool. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { client-ip-pool { stop ipv4 Use this command to specify the ending address of an address pool for remote L2TP VPN clients. Each L2TP VPN connection requires a client address and a server address. Both the beginning and ending addresses must be specified for the remote L2TP VPN clients. Use the security vpn 12tp remoteaccess client-ip-pool start ipv4 command to specify the beginning address for the L2TP VPN clients. For information on how to specify the range of addresses for an L2TP server, refer to the security vpn 12tp remote-access server-ip-pool start ipv4 and security vpn 12tp remote-access server-ip-pool stop ipv4 commands. Use the set form of this command to specify the ending address. Use the delete form of this command to delete the ending address. Use the show form of this command to display the ending address. Vyatta Remote Access VPN Reference Guide 37
38 security vpn l2tp remote-access dhcp-interface <interface> security vpn l2tp remote-access dhcp-interface <interface> Specifies a DHCP client interface to use for remote access L2TP VPN connections. Syntax set security vpn l2tp remote-access dhcp-interface interface delete security vpn l2tp remote-access dhcp-interface show security vpn l2tp remote-access dhcp-interface Parameters interface The interface to use for remote access L2TP VPN connections (for example, dp0p1p1). Note that the interface must already have IPsec VPN enabled, using the security vpn ipsec ipsec-interfaces interface if-name command (described in the Vyatta IPsec Site-to-Site VPN Reference Guide), and must be configured as a DHCP client. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { dhcp-interface interface Use this command to specify a DHCP client interface to use for remote access L2TP VPN connections. Connections will be automatically restarted if the IP address changes. The DHCP interface is the interface facing the external network. This is the interface to which the L2TP server binds, and only remote connections coming into this interface will be accepted. NOTE This option cannot be used if the security vpn 12tp remote-access outside-address ipv4 command is also set. Use the set form of this command to specify a DHCP interface to use for remote access L2TP VPN connections. Use the delete form of this command to remove the configuration. Use the show form of this command to view the configuration. 38 Vyatta Remote Access VPN Reference Guide
39 security vpn l2tp remote-access dns-servers server-1 <ipv4> security vpn l2tp remote-access dns-servers server-1 <ipv4> Specifies the IP address for the primary DNS server for L2TP VPN remote clients. Syntax set security vpn l2tp remote-access dns-servers server-1 ipv4 delete security vpn l2tp remote-access dns-servers server-1 show security vpn l2tp remote-access dns-servers server-1 Parameters ipv4 The IP address of the primary DNS server for remote clients. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { dns-servers { server-1 ipv4 Use this command to specify the primary DNS server to be associated with remote L2TP VPN clients. Use the set form of this command to specify the primary DNS server IP address. Use the delete form of this command to remove the primary DNS server IP address. Use the show form of this command to display the primary DNS server IP address. Vyatta Remote Access VPN Reference Guide 39
40 security vpn l2tp remote-access dns-servers server-2 <ipv4> security vpn l2tp remote-access dns-servers server-2 <ipv4> Specifies the IP address for the secondary DNS server for L2TP VPN remote clients. Syntax set security vpn l2tp remote-access dns-servers server-2 ipv4 delete security vpn l2tp remote-access dns-servers server-2 show security vpn l2tp remote-access dns-servers server-2 Parameters ipv4 The IP address of the secondary DNS server for remote clients. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { dns-servers { server-2 ipv4 Use this command to specify the secondary DNS server to be associated with remote L2TP VPN clients. Use the set form of this command to specify the secondary DNS server IP address. Use the delete form of this command to remove the secondary DNS server IP address. Use the show form of this command to display the secondary DNS server IP address. 40 Vyatta Remote Access VPN Reference Guide
41 security vpn l2tp remote-access ipsec-settings authentication mode <mode> security vpn l2tp remote-access ipsec-settings authentication mode <mode> Sets the IPsec authentication mode to be used for IPsec authentication on remote access L2TP VPN connections. Syntax set security vpn l2tp remote-access ipsec-settings authentication mode mode delete security vpn l2tp remote-access ipsec-settings authentication mode show security vpn l2tp remote-access ipsec-settings authentication mode Command Default Pre-shared secret. Parameters mode Specifies the authentication mode to be used for IPsec authentication on L2TP VPN remote access connections. Supported values are as follows: pre-shared-secret: Uses a pre-shared secret for authentication. x509: Uses X.509 V.3 certificates for authentication. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { ipsec-settings { authentication { mode mode Use this command to set the authentication mode to be used for IPsec authentication on remote access L2TP VPN connections. A pre-shared secret, or pre-shared key (PSK), is a method of authentication. The secret, or key, is a string agreed upon beforehand by both parties as key for authenticating the session. It is used to generate a hash such that each VPN endpoint can authenticate the other. If the authentication mode is pre-shared-secret, you must configure the secret using the security vpn 12tp remote-access ipsec-settings authentication pre-shared-secret secret command. The pre-shared secret is not passed from side to side. It is configured on both sides, and must match on both sides. Pre-shared secrets are less secure than X.509 certificates. NOTE You should restrict the use of pre-shared keys to smaller, low-risk environments. X.509 v.3 certificates are certificates conforming to the ITU-T X.509 version 3 standard for public key infrastructure (PKI). The certificate is issued by a Certificate Authority (CA), and stored securely on the local Vyatta system. If the mode is X.509 certificates, you must configure all X.509 certificate information. Vyatta Remote Access VPN Reference Guide 41
42 Remote Access VPN Commands Use the set form of this command to specify the authentication mode for remote access L2TP VPN. Use the delete form of this command to remove authentication mode configuration. Use the show form of this command to display authentication mode configuration. 42 Vyatta Remote Access VPN Reference Guide
43 security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret> security vpn l2tp remote-access ipsec-settings authentication preshared-secret <secret> Sets a pre-shared key for IPsec authentication on remote access L2TP VPN connections. Syntax set security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret secret delete security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret show security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret Parameters secret The password, or secret, to be used to authenticate the remote access connection. This parameter is mandatory if authentication mode is preshared-secret. The secret must be the same on both sides of the connection. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { ipsec-settings { authentication { pre-shared-secret secret Use this command to set a pre-shared secret to be used to authenticate the IPsec part of remote access L2TP VPN connections. Use the set form of this command to specify the pre-shared secret. Use the delete form of this command to remove pre-shared secret configuration. Use the show form of this command to display pre-shared secret configuration. Vyatta Remote Access VPN Reference Guide 43
44 security vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file <file-name> security vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file <file-name> Specifies the name of an X.509 Certificate Authority (CA) certificate file for IPsec authentication on remote access L2TP VPN connections. Syntax set security vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file file-name delete security vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file show security vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file Parameters file-name The name of a certificate file. This parameter is mandatory if authentication mode is x509. Modes Configuration Statement Configuration mode security { vpn { l2tp { remote-access { ipsec-settings { authentication { x509 { ca-cert-file file-name Usage Guidelines Use this command to specify the name of an X.509 Certificate Authority (CA) certificate file. The X.509 CA certificate is used for IPsec authentication on remote access L2TP VPN connections. The file is assumed to be in /config/auth unless an absolute path is specified. Use the set form of this command to specify the name of the CA certificate file. Use the delete form of this command to remove the name of the CA certificate file. Use the show form of this command to display CA certificate file configuration. 44 Vyatta Remote Access VPN Reference Guide
45 security vpn l2tp remote-access ipsec-settings authentication x509 crl-file <file-name> security vpn l2tp remote-access ipsec-settings authentication x509 crl-file <file-name> Specifies the name of an X.509 Certificate Revocation List (CRL) file for IPsec authentication on L2TP VPN remote access connections. Syntax set security vpn l2tp remote-access ipsec-settings authentication x509 crl-file file-name delete security vpn l2tp remote-access ipsec-settings authentication x509 crl-file show security vpn l2tp remote-access ipsec-settings authentication x509 crl-file Parameters file-name The name of the CRL file. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { ipsec-settings { authentication { x509 { crl-file file-name Use this command to specify the name of a Certificate Revocation List (CRL) file. A CRL is a time-stamped signed data structure issued by the Certificate Authority (CA) identifying revoked certificates. When the remote user attempts to log on to the system, the system checks both the remote user's certificate signature and also the CRL to make sure that the remote user's certificate serial number is not on the CRL. The file is assumed to be in /config/auth unless an absolute path is specified. Use the set form of this command to specify the location of the CRL file. Use the delete form of this command to remove the location of the CRL file. Use the show form of this command to display CRL file configuration. Vyatta Remote Access VPN Reference Guide 45
46 security vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file <file-name> security vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file <file-name> Specifies the name of VPN server's certificate file for IPsec authentication on L2TP VPN remote access connections. Syntax set security vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file file-name delete security vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file show security vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file Parameters file-name The name of the VPN server's certificate file. This parameter is mandatory if authentication mode is x509. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { ipsec-settings { authentication { x509 { server-cert-file file-name Use this command to specify the name of the VPN server's certificate file. VPN server's certificate certifies the identity of the VPN server. The file is assumed to be in /config/auth unless an absolute path is specified. Use the set form of this command to specify the name of the VPN server's certificate file. Use the delete form of this command to remove the name of the VPN server's certificate file. Use the show form of this command to display VPN server certificate file configuration. 46 Vyatta Remote Access VPN Reference Guide
47 security vpn l2tp remote-access ipsec-settings authentication x509 server-key-file <file-name> security vpn l2tp remote-access ipsec-settings authentication x509 server-key-file <file-name> Specifies the name of VPN server's private key file for IPsec authentication on L2TP VPN remote access connections. Syntax set security vpn l2tp remote-access ipsec-settings authentication x509 server-key-file file-name delete security vpn l2tp remote-access ipsec-settings authentication x509 server-key-file show security vpn l2tp remote-access ipsec-settings authentication x509 server-key-file Parameters file-name The name of the VPN server's private key file. This parameter is mandatory if authentication mode is x509. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { ipsec-settings { authentication { x509 { server-key-file file-name Use this command to specify the name of the VPN server's private key file. VPN server's private key certifies the identity of the VPN server. The file is assumed to be in /config/auth unless an absolute path is specified. Use the set form of this command to specify the name of the VPN server's private key file. Use the delete form of this command to remove the name of the VPN server's private key file. Use the show form of this command to display VPN server private key file configuration. Vyatta Remote Access VPN Reference Guide 47
48 security vpn l2tp remote-access ipsec-settings authentication x509 server-key-password <password> security vpn l2tp remote-access ipsec-settings authentication x509 server-key-password <password> Specifies the password that protects the L2TP VPN server's private key. Syntax set security vpn l2tp remote-access ipsec-settings authentication x509 server-key-password password delete security vpn l2tp remote-access ipsec-settings authentication x509 server-key-password show security vpn l2tp remote-access ipsec-settings authentication x509 server-key-password Parameters password The password protecting the VPN server's private key file. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { ipsec-settings { authentication { x509 { server-key-password password Use this command to specify a password that protects the VPN server's private key. Use the set form of this command to specify the password for the VPN server's private key. Use the delete form of this command to remove the password for the VPN server's private key. Use the show form of this command to display VPN servers private key password configuration. 48 Vyatta Remote Access VPN Reference Guide
49 security vpn l2tp remote-access ipsec-settings ike-lifetime <lifetime> security vpn l2tp remote-access ipsec-settings ike-lifetime <lifetime> Specifies the IKE lifetime of an L2TP connection. Syntax set security vpn l2tp remote-access ipsec-settings ike-lifetime lifetime delete security vpn l2tp remote-access ipsec-settings ike-lifetime show security vpn l2tp remote-access ipsec-settings ike-lifetime Command Default The IKE lifetime is 3600 seconds (1 hour). Parameters lifetime The length of time (in seconds) the IKE connection will remain active after the last traffic from the remote end is received. The range is 30 to (that is, 24 hours). The default is 3600 (1 hour). Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { ipsec-settings { ike-lifetime lifetime Use this command to specify the IKE lifetime of an L2TP connection. The IKE lifetime is used to terminate a connection when the remote end has not been heard from for a period of time. Use the set form of this command to specify the IKE lifetime of an L2TP connection. Use the delete form of this command to return the IKE lifetime to its default. Use the show form of this command to display IKE lifetime configuration. Vyatta Remote Access VPN Reference Guide 49
50 security vpn l2tp remote-access mtu <mtu> security vpn l2tp remote-access mtu <mtu> Specifies the MTU for an L2TP connection. Syntax set security vpn l2tp remote-access mtu mtu delete security vpn l2tp remote-access mtu show security vpn l2tp remote-access mtu Command Default If this value is not set, fragmentation is never performed. Parameters mtu Sets the MTU, in octets, for the interface as a whole, including any logical interfaces configured for it. The range is 128 to Modes Configuration Statement Configuration mode security { vpn { l2tp { remote-access { mtu mtu Usage Guidelines Use this command to set the maximum transmission unit (MTU) for an L2TP connection. When forwarding, IPv4 packets larger than the MTU will be fragmented unless the DF bit is set. In that case, the packets will be dropped and an ICMP Packet too big message is returned to the sender. Use the set form of this command to specify the MTU. Use the delete form of this command to remove MTU value and disable fragmentation. Use the show form of this command to view MTU configuration. 50 Vyatta Remote Access VPN Reference Guide
51 security vpn l2tp remote-access outside-address <ipv4> security vpn l2tp remote-access outside-address <ipv4> Sets the IP address to be bound to the L2TP server. Syntax set security vpn l2tp remote-access outside-address ipv4 delete security vpn l2tp remote-access show security vpn l2tp remote-access Parameters ipv4 The IPv4 address to which the L2TP server should bind. Modes Configuration Statement Configuration mode security { vpn { l2tp { remote-access { outside-address ipv4 Usage Guidelines Use this command to set the outside address for a remote access L2TP VPN connection. The outside address is the address of the interface facing the external network. This is the address to which the L2TP server binds, and only remote connections coming into this address will be accepted. NOTE This option cannot be used if the security vpn 12tp remote-access dhcp-interface interface command is also set. Use the set form of this command to set the L2TP VPN outside address. Use the delete form of this command to remove the L2TP VPN outside address. Use the show form of this command to display L2TP VPN outside address configuration. Vyatta Remote Access VPN Reference Guide 51
52 security vpn l2tp remote-access outside-nexthop <ipv4> security vpn l2tp remote-access outside-nexthop <ipv4> Sets the IP address of the next hop on the external network. Syntax set security vpn l2tp remote-access outside-nexthop ipv4 delete security vpn l2tp remote-access outside-nexthop ipv4 show security vpn l2tp remote-access outside-nexthop Parameters ipv4 The IPv4 address of the next hop on the outside network. Modes Configuration Statement Configuration mode security { vpn { l2tp { remote-access { outside-nexthop ipv4 Usage Guidelines Use this command to set the next hop on the external network for a remote access L2TP VPN connection. Use the set form of this command to set the L2TP VPN outside next hop. Use the delete form of this command to remove the L2TP VPN outside next hop. Use the show form of this command to display L2TP VPN outside next-hop configuration. 52 Vyatta Remote Access VPN Reference Guide
53 security vpn l2tp remote-access server-ip-pool start <ipv4> security vpn l2tp remote-access server-ip-pool start <ipv4> Specifies the beginning address of a pool of IP addresses for an L2TP server. Syntax set security vpn l2tp remote-access server-ip-pool start ipv4 delete security vpn l2tp remote-access server-ip-pool start show security vpn l2tp remote-access server-ip-pool start Command Default The default beginning address is Parameters ipv4 The IP address that designates the beginning of the address pool. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { server-ip-pool { start ipv4 Use this command to specify the beginning address of a pool of IP addresses for an L2TP server. Each L2TP VPN connection requires a client address and a server address. Both the beginning and ending addresses for the L2TP server must be specified. Use the security vpn 12tp remote-access serverip-pool stop ipv4 command to specify the ending address for the L2TP server. For information on how to specify the range of addresses for L2TP VPN clients, refer to the security vpn 12tp remote-access client-ip-pool start ipv4 and security vpn 12tp remote-access client-ippool stop ipv4 commands. NOTE The number of addresses that are used in the range for the L2TP server must be equal to or greater than the number of addresses that are used in the range for the L2TP VPN clients. And the address range that is used for L2TP server must be unique within your router configuration. NOTE If you do not specify the beginning and ending addresses of a pool of IP addresses for an L2TP server, the Vyatta router uses a default address range from through If you use the default range, ensure that this range is unique within your router configuration. Use the set form of this command to specify the beginning address. Use the delete form of this command to delete the beginning address. Use the show form of this command to display the beginning address. Vyatta Remote Access VPN Reference Guide 53
54 security vpn l2tp remote-access server-ip-pool stop <ipv4> security vpn l2tp remote-access server-ip-pool stop <ipv4> Specifies the ending address of a pool of IP addresses for an L2TP server. Syntax set security vpn l2tp remote-access server-ip-pool stop ipv4 delete security vpn l2tp remote-access server-ip-pool stop show security vpn l2tp remote-access server-ip-pool stop Command Default The default ending address is Parameters ipv4 The IP address that designates the end of the address pool. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { server-ip-pool { stop ipv4 Use this command to specify the ending address of a pool of IP addresses for an L2TP server. Each L2TP VPN connection requires a client address and a server address. Both the beginning and ending addresses for the L2TP server must be specified. Use the security vpn 12tp remote-access serverip-pool start ipv4 command to specify the beginning address for the L2TP server. For information on how to specify the range of addresses for L2TP VPN clients, refer to the security vpn 12tp remote-access client-ip-pool start ipv4 and security vpn 12tp remote-access client-ippool stop ipv4 commands. NOTE The number of addresses that are used in the range for the L2TP server must be equal to or greater than the number of addresses that are used in the range for the L2TP VPN clients. And the address range that is used for L2TP server must be unique within your router configuration. NOTE If you do not specify the beginning and ending addresses of a pool of IP addresses for an L2TP server, the Vyatta router uses a default address range from through If you use the default range, ensure that this range is unique within your router configuration. Use the set form of this command to specify the ending address. Use the delete form of this command to delete the ending address. Use the show form of this command to display the ending address. 54 Vyatta Remote Access VPN Reference Guide
55 security vpn l2tp remote-access wins-servers server-1 <ipv4> security vpn l2tp remote-access wins-servers server-1 <ipv4> Specifies the IP address for the primary WINS server for L2TP VPN remote clients. Syntax set security vpn l2tp remote-access wins-servers server-1 ipv4 delete security vpn l2tp remote-access wins-servers server-1 show security vpn l2tp remote-access wins-servers server-1 Parameters ipv4 The IP address of the primary WINS server for remote clients. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { wins-servers { server-1 ipv4 Use this command to specify a primary WINS server to be associated with remote L2TP VPN clients. The Windows Internet Net Service (WINS) is used to support environments in which users access resources that have NetBIOS names. Use the set form of this command to specify the primary WINS server IP address. Use the delete form of this command to remove the primary WINS server IP address. Use the show form of this command to display the primary WINS server IP address. Vyatta Remote Access VPN Reference Guide 55
56 security vpn l2tp remote-access wins-servers server-2 <ipv4> security vpn l2tp remote-access wins-servers server-2 <ipv4> Specifies the IP address for the secondary WINS server for L2TP VPN remote clients. Syntax set security vpn l2tp remote-access wins-servers server-2 ipv4 delete security vpn l2tp remote-access wins-servers server-2 show security vpn l2tp remote-access wins-servers server-2 Parameters ipv4 The IP address of the secondary WINS server for remote clients. Modes Configuration Statement Usage Guidelines Configuration mode security { vpn { l2tp { remote-access { wins-servers { server-2 ipv4 Use this command to specify the secondary WINS server to be associated with remote L2TP VPN clients. The Windows Internet Net Service (WINS) is used to support environments in which users access resources that have NetBIOS names. Use the set form of this command to specify the secondary WINS server IP address. Use the delete form of this command to remove the secondary WINS server IP address. Use the show form of this command to display the secondary WINS server IP address. 56 Vyatta Remote Access VPN Reference Guide
57 List of Acronyms Acronym ACL ADSL AH AMI API AS ARP AWS BGP BIOS BPDU CA CCMP CHAP CLI DDNS DHCP Description access control list Asymmetric Digital Subscriber Line Authentication Header Amazon Machine Image Application Programming Interface autonomous system Address Resolution Protocol Amazon Web Services Border Gateway Protocol Basic Input Output System Bridge Protocol Data Unit certificate authority AES in counter mode with CBC-MAC Challenge Handshake Authentication Protocol command-line interface dynamic DNS Dynamic Host Configuration Protocol DHCPv6 Dynamic Host Configuration Protocol version 6 DLCI DMI DMVPN DMZ DN DNS DSCP DSL ebgp EBS EC2 EGP ECMP ESP data-link connection identifier desktop management interface dynamic multipoint VPN demilitarized zone distinguished name Domain Name System Differentiated Services Code Point Digital Subscriber Line external BGP Amazon Elastic Block Storage Amazon Elastic Compute Cloud Exterior Gateway Protocol equal-cost multipath Encapsulating Security Payload Vyatta Remote Access VPN Reference Guide 57
58 List of Acronyms Acronym FIB FTP GRE HDLC I/O ICMP IDS IEEE IGMP IGP IPS IKE IP IPOA IPsec Description Forwarding Information Base File Transfer Protocol Generic Routing Encapsulation High-Level Data Link Control Input/Output Internet Control Message Protocol Intrusion Detection System Institute of Electrical and Electronics Engineers Internet Group Management Protocol Interior Gateway Protocol Intrusion Protection System Internet Key Exchange Internet Protocol IP over ATM IP Security IPv4 IP Version 4 IPv6 IP Version 6 ISAKMP ISM ISP KVM L2TP LACP LAN LDAP LLDP MAC mgre MIB MLD MLPPP MRRU MTU NAT NBMA ND Internet Security Association and Key Management Protocol Internet Standard Multicast Internet Service Provider Kernel-Based Virtual Machine Layer 2 Tunneling Protocol Link Aggregation Control Protocol local area network Lightweight Directory Access Protocol Link Layer Discovery Protocol medium access control multipoint GRE Management Information Base Multicast Listener Discovery multilink PPP maximum received reconstructed unit maximum transmission unit Network Address Translation Non-Broadcast Multi-Access Neighbor Discovery 58 Vyatta Remote Access VPN Reference Guide
59 List of Acronyms Acronym NHRP NIC NTP OSPF Description Next Hop Resolution Protocol network interface card Network Time Protocol Open Shortest Path First OSPFv2 OSPF Version 2 OSPFv3 OSPF Version 3 PAM PAP PAT PCI PIM PIM-DM PIM-SM PKI PPP PPPoA PPPoE PPTP PTMU PVC QoS RADIUS RHEL RIB RIP RIPng RP RPF RSA Rx S3 SLAAC SNMP SMTP SONET SPT Pluggable Authentication Module Password Authentication Protocol Port Address Translation peripheral component interconnect Protocol Independent Multicast PIM Dense Mode PIM Sparse Mode Public Key Infrastructure Point-to-Point Protocol PPP over ATM PPP over Ethernet Point-to-Point Tunneling Protocol Path Maximum Transfer Unit permanent virtual circuit quality of service Remote Authentication Dial-In User Service Red Hat Enterprise Linux Routing Information Base Routing Information Protocol RIP next generation Rendezvous Point Reverse Path Forwarding Rivest, Shamir, and Adleman receive Amazon Simple Storage Service Stateless Address Auto-Configuration Simple Network Management Protocol Simple Mail Transfer Protocol Synchronous Optical Network Shortest Path Tree Vyatta Remote Access VPN Reference Guide 59
60 List of Acronyms Acronym SSH SSID SSM STP TACACS+ TBF TCP TKIP ToS TSS Tx UDP VHD vif VLAN VPC VPN VRRP WAN WAP WPA Description Secure Shell Service Set Identifier Source-Specific Multicast Spanning Tree Protocol Terminal Access Controller Access Control System Plus Token Bucket Filter Transmission Control Protocol Temporal Key Integrity Protocol Type of Service TCP Maximum Segment Size transmit User Datagram Protocol virtual hard disk virtual interface virtual LAN Amazon virtual private cloud virtual private network Virtual Router Redundancy Protocol wide area network wireless access point Wired Protected Access 60 Vyatta Remote Access VPN Reference Guide
Brocade 5600 vrouter Remote Access VPN
14 September 2015 Brocade 5600 vrouter Remote Access VPN Reference Guide Supporting Brocade 5600 vrouter 3.5R6 2015, Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade, Brocade Assurance,
Brocade 5600 vrouter License and Entitlement Management
13 November 2015 Brocade 5600 vrouter License and Entitlement Management Reference Guide Supporting Brocade 5600 vrouter 4.0R1 2015, Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade,
Brocade 5600 vrouter IPsec Site-to-Site VPN
14 September 2015 Brocade 5600 vrouter IPsec Site-to-Site VPN Reference Guide Supporting Brocade 5600 vrouter 3.5R6 2015, Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade, Brocade
Brocade 5600 vrouter Firewall
14 September 2015 Brocade 5600 vrouter Firewall Reference Guide Supporting Brocade 5600 vrouter 3.5R6 2015, Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade, Brocade Assurance, the
Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client
Astaro Security Gateway V8 Remote Access via L2TP over IPSec Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If
CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC
CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC 1 Introduction Release date: 11/12/2003 This application note details the steps for creating an IKE IPSec VPN tunnel
FastIron Ethernet Switch Software Defined Networking (SDN)
31 March 2015 FastIron Ethernet Switch Software Defined Networking (SDN) Configuration Guide Supporting FastIron Software Release 08.0.30 2015, Brocade Communications Systems, Inc. All Rights Reserved.
Configuring SSL VPN on the Cisco ISA500 Security Appliance
Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these
This chapter describes how to set up and manage VPN service in Mac OS X Server.
6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure
Step-by-Step Guide for Setting Up VPN-based Remote Access in a
Page 1 of 41 TechNet Home > Products & Technologies > Server Operating Systems > Windows Server 2003 > Networking and Communications Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test
How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip
WINXP VPN to ZyWALL Tunneling 1. Setup WINXP VPN 2. Setup ZyWALL VPN This page guides us to setup a VPN connection between the WINXP VPN software and ZyWALL router. There will be several devices we need
Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab
Página 1 de 54 Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab This guide provides detailed information about how you can use five computers to create a test lab with which to configure
How To Industrial Networking
How To Industrial Networking Prepared by: Matt Crites Product: Date: April 2014 Any RAM or SN 6xxx series router Legacy firmware 3.14/4.14 or lower Subject: This document provides a step by step procedure
Dlink DFL 800/1600 series: Using the built-in MS L2TP/IPSEC VPN client with certificates
Dlink DFL 800/1600 series: Using the built-in MS L2TP/IPSEC VPN client with certificates In this guide we have used Microsoft CA (Certification Authority) to generate client and gateway certificates. Certification
Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W
Article ID: 5037 Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W Objective IPSec VPN (Virtual Private Network) enables you to securely obtain remote resources by establishing
Application Note: Onsight Device VPN Configuration V1.1
Application Note: Onsight Device VPN Configuration V1.1 Table of Contents OVERVIEW 2 1 SUPPORTED VPN TYPES 2 1.1 OD VPN CLIENT 2 1.2 SUPPORTED PROTOCOLS AND CONFIGURATION 2 2 OD VPN CONFIGURATION 2 2.1
How to configure VPN function on TP-LINK Routers
How to configure VPN function on TP-LINK Routers 1. VPN Overview... 2 2. How to configure LAN-to-LAN IPsec VPN on TP-LINK Router... 3 3. How to configure GreenBow IPsec VPN Client with a TP-LINK VPN Router...
Using a VPN with Niagara Systems. v0.3 6, July 2013
v0.3 6, July 2013 What is a VPN? Virtual Private Network or VPN is a mechanism to extend a private network across a public network such as the Internet. A VPN creates a point to point connection or tunnel
I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:
Table of Content I. What is VPN?... 2 II. Types of VPN connection... 2 III. Types of VPN Protocol... 3 IV. Remote Access VPN configuration... 4 a. PPTP protocol configuration... 4 Network Topology... 4
OvisLink 8000VPN VPN Guide WL/IP-8000VPN. Version 0.6
WL/IP-8000VPN VPN Setup Guide Version 0.6 Document Revision Version Date Note 0.1 11/10/2005 First version with four VPN examples 0.2 11/15/2005 1. Added example 5: dynamic VPN using TheGreenBow VPN client
Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual
Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual www.hillstonenet.com Preface Conventions Content This document follows the conventions below: CLI Tip: provides
Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab
Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Microsoft Corporation Published: May, 2005 Author: Microsoft Corporation Abstract This guide describes how to create
Global VPN Client Getting Started Guide
Global VPN Client Getting Started Guide 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential
How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client
How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client Make sure your DI-804HV or DI-808HV is running firmware ver.1.40 August 12 or later. You can check firmware version
7.1. Remote Access Connection
7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to
How to setup a VPN on Windows XP in Safari.
How to setup a VPN on Windows XP in Safari. If you want to configure a VPN connection from a Windows XP client computer you only need what comes with the Operating System itself, it's all built right in.
HOWTO: How to configure IPSEC gateway (office) to gateway
HOWTO: How to configure IPSEC gateway (office) to gateway How-to guides for configuring VPNs with GateDefender Integra Panda Security wants to ensure you get the most out of GateDefender Integra. For this
Chapter 4 Virtual Private Networking
Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between
Innominate mguard Version 6
Innominate mguard Version 6 Configuration Examples mguard smart mguard PCI mguard blade mguard industrial RS EAGLE mguard mguard delta Innominate Security Technologies AG Albert-Einstein-Str. 14 12489
DI-804HV with Windows 2000/XP IPsec VPN Client Configuration Guide
DI-804HV with Windows 2000/XP IPsec VPN Client Configuration Guide This guide will show how to configure a Windows 2000/XP machine to make an IPsec VPN Tunnel connection to a DI-804HV. Below is the example
Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation
Basic ViPNet VPN Deployment Schemes Supplement to ViPNet Documentation 1991 2015 Infotecs Americas. All rights reserved. Version: 00121-04 90 01 ENU This document is included in the software distribution
53-1003126-02 15 August 2014. Access Gateway. Administrator's Guide. Supporting Fabric OS v7.3.0
15 August 2014 Access Gateway Administrator's Guide Supporting Fabric OS v7.3.0 2014, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO,
Brocade Virtual Traffic Manager and Microsoft IIS Deployment Guide
September 2015 Brocade Virtual Traffic Manager and Microsoft IIS Deployment Guide 2015 Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade, Brocade Assurance, the B-wing symbol, DCX,
Application Note. Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.
Application Note Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.0 Page 1 Controlling Access to Large Numbers of Networks Devices to
VPN Quick Configuration Guide. Astaro Security Gateway V8
VPN Quick Configuration Guide Astaro Security Gateway V8 2010 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part,
HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide
HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide Abstract This guide describes the Virtualization Monitor (vmon), an add-on service module of the HP Intelligent Management
Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client
Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client Generally speaking, remote users need to use a VPN client software for establishing a VPN connection to their home/work router
Scenario: Remote-Access VPN Configuration
CHAPTER 7 Scenario: Remote-Access VPN Configuration A remote-access Virtual Private Network (VPN) enables you to provide secure access to off-site users. ASDM enables you to configure the adaptive security
HP Load Balancing Module
HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-2685 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P.
Guideline for setting up a functional VPN
Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the
Brocade Network Advisor: CLI Configuration Manager
Brocade Network Advisor: CLI Configuration Manager Brocade Network Advisor is a unified network management platform to manage the entire Brocade network, including both SAN and IP products. This technical
STATIC IP SET UP GUIDE VERIZON 7500 WIRELESS ROUTER/MODEM
STATIC IP SET UP GUIDE VERIZON 7500 WIRELESS ROUTER/MODEM Verizon High Speed Internet for Business Verizon High Speed Internet for Business SETTING UP YOUR NEW STATIC IP CONNECTION AND IP ADDRESS(ES) This
How to configure VPN function on TP-LINK Routers
How to configure VPN function on TP-LINK Routers 1. VPN Overview... 2 2. How to configure LAN-to-LAN IPsec VPN on TP-LINK Router... 3 3. How to configure GreenBow IPsec VPN Client with a TP-LINK VPN Router...
Broadband Router ESG-103. User s Guide
Broadband Router ESG-103 User s Guide FCC Warning This equipment has been tested and found to comply with the limits for Class A & Class B digital device, pursuant to Part 15 of the FCC rules. These limits
Fabric OS Encryption Administrator's Guide
29 May 2015 Fabric OS Encryption Administrator's Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Supporting Fabric OS 7.4.0a 2015, Brocade Communications Systems,
While every effort was made to verify the following information, no warranty of accuracy or usability is expressed or implied.
AG082411 Objective: How to set up a 3G connection using Static and Dynamic IP addressing Equipment: SITRANS RD500 Multitech rcell MTCBAH4EN2 modem PC with Ethernet card Internet explorer 6.0 or higher
your Gateway Windows network installationguide 802.11b wireless series Router model WBR-100 Configuring Installing
your Gateway Windows network installationguide 802.11b wireless series Router model WBR-100 Installing Configuring Contents 1 Introduction...................................................... 1 Features...........................................................
Sophos UTM. Remote Access via PPTP. Configuring UTM and Client
Sophos UTM Remote Access via PPTP Configuring UTM and Client Product version: 9.000 Document date: Friday, January 11, 2013 The specifications and information in this document are subject to change without
Configuring the OfficeConnect Secure Gateway for a remote L2TP over IPSec connection
Creating L2TP over IPSec VPNs between the OfficeConnect Cable/DSL Secure Gateway and the Microsoft VPN Client 1.0 Introduction The OfficeConnect Cable/DSL Secure Gateway supports IPSec, PPTP and L2TP over
Brocade Virtual Traffic Manager and Magento Deployment Guide
September 2015 Brocade Virtual Traffic Manager and Magento Deployment Guide 2015 Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric
Cisco UCS Director Payment Gateway Integration Guide, Release 4.1
First Published: April 16, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
Windows XP VPN Client Example
Windows XP VPN Client Example Technote LCTN0007 Proxicast, LLC 312 Sunnyfield Drive Suite 200 Glenshaw, PA 15116 1-877-77PROXI 1-877-777-7694 1-412-213-2477 Fax: 1-412-492-9386 E-Mail: [email protected]
Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May 2011. 1. New Features and Enhancements. Tip of the Day
NCP Secure Entry Mac Client Major Release 2.01 Build 47 May 2011 1. New Features and Enhancements Tip of the Day A Tip of the Day field for configuration tips and application examples is incorporated in
Step By Step Guide: Demonstrate DirectAccess in a Test Lab
Step By Step Guide: Demonstrate DirectAccess in a Test Lab Microsoft Corporation Published: May 2009 Updated: October 2009 Abstract DirectAccess is a new feature in the Windows 7 and Windows Server 2008
Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1
Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1 This document describes how to configure an IPSec tunnel with a WatchGuard Firebox II or Firebox III (software version 4.5 or later)
VPN Configuration Guide SonicWALL with SonicWALL Simple Client Provisioning
VPN Configuration Guide SonicWALL with SonicWALL Simple Client Provisioning SonicOS Enhanced 2010 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied,
Configuring Global Protect SSL VPN with a user-defined port
Configuring Global Protect SSL VPN with a user-defined port Version 1.0 PAN-OS 5.0.1 Johan Loos [email protected] Global Protect SSL VPN Overview This document gives you an overview on how to configure
UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...
Page 1 of 10 Question/Topic UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) in SonicOS Enhanced Answer/Article Article Applies To: SonicWALL Security
vcloud Director User's Guide
vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of
Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel
Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel This document describes the procedures required to configure an IPSec VPN tunnel between a WatchGuard SOHO or SOHO tc and a Check Point FireWall-1.
How to Guide: StorageCraft Cloud Services VPN
How to Guide: StorageCraft Cloud Services VPN CONTENTS Executive Summary...3 Setting up the VPN...4 Connecting to the VPN from a single computer...5 Providing a LAN site with access to the VPN...6 Conclusion...12
Vantage Report. User s Guide. www.zyxel.com. Version 3.0 10/2006 Edition 1
Vantage Report User s Guide Version 3.0 10/2006 Edition 1 www.zyxel.com About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the Vantage
VPN Configuration Guide SonicWALL with SonicWALL Simple Client Provisioning
VPN Configuration Guide SonicWALL with SonicWALL Simple Client Provisioning SonicOS Enhanced equinux AG and equinux USA, Inc. 2008 equinux USA, Inc. All rights reserved. Under the copyright laws, this
Chapter 5 Virtual Private Networking Using IPsec
Chapter 5 Virtual Private Networking Using IPsec This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to provide
Quick Installation Guide DAP-1360. Wireless N 300 Access Point & Router
DAP-1360 Wireless N 300 Access Point & Router BEFORE YOU BEGIN Delivery Package Access point DAP-1360 Power adapter DC 12V Ethernet cable (CAT 5E) (brochure). If any of the items are missing, please contact
VRC 7900/8900 Avalanche Enabler User s Manual
VRC 7900/8900 Avalanche Enabler User s Manual WLE-VRC-20030702-02 Revised 7/2/03 ii Copyright 2003 by Wavelink Corporation All rights reserved. Wavelink Corporation 6985 South Union Park Avenue, Suite
Configuring a Dial-up VPN Using Windows XP Client with L2TP Over IPSec (without NetScreen-Remote)
Application Note Configuring a Dial-up VPN Using Windows XP Client with L2TP Over IPSec (without NetScreen-Remote) Version 1.2 January 2008 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale,
Pre-lab and In-class Laboratory Exercise 10 (L10)
ECE/CS 4984: Wireless Networks and Mobile Systems Pre-lab and In-class Laboratory Exercise 10 (L10) Part I Objectives and Lab Materials Objective The objectives of this lab are to: Familiarize students
Chapter 8 Router and Network Management
Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by
Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client
Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Topology Note: ISR G2 devices have Gigabit Ethernet interfaces instead of FastEthernet Interfaces. All contents are Copyright 1992 2012
Connecting Remote Users to Your Network with Windows Server 2003
Connecting Remote Users to Your Network with Windows Server 2003 Microsoft Corporation Published: March 2003 Abstract Business professionals today require access to information on their network from anywhere
HP IMC Firewall Manager
HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this
NAT REFERENCE GUIDE. VYATTA, INC. Vyatta System NAT. Title
Title VYATTA, INC. Vyatta System NAT REFERENCE GUIDE NAT Vyatta Suite 200 1301 Shoreway Road Belmont, CA 94002 vyatta.com 650 413 7200 1 888 VYATTA 1 (US and Canada) Copyright COPYRIGHT Copyright 2005
Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance
Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance This article will easily explain how to configure your Apple ipad, iphone or ipod Touch
Vantage RADIUS 50. Quick Start Guide Version 1.0 3/2005
Vantage RADIUS 50 Quick Start Guide Version 1.0 3/2005 1 Introducing Vantage RADIUS 50 The Vantage RADIUS (Remote Authentication Dial-In User Service) 50 (referred to in this guide as Vantage RADIUS)
Barracuda Link Balancer
Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.2 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.2-110503-01-0503
Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003
http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with
Virtual Data Centre. User Guide
Virtual Data Centre User Guide 2 P age Table of Contents Getting Started with vcloud Director... 8 1. Understanding vcloud Director... 8 2. Log In to the Web Console... 9 3. Using vcloud Director... 10
Allworx Installation Course
VPN Hello and welcome. In the VPN section we will cover the steps for enabling the VPN feature on the Allworx server and how to set up a VPN connection to the Allworx System from your PC. Page 1 VPN The
Fabric OS Encryption Administrator's Guide
29 May 2015 Fabric OS Encryption Administrator's Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Supporting Fabric OS 7.4.0a 2015, Brocade Communications Systems, Inc.
Diagnostics and Troubleshooting Using Event Policies and Actions
Diagnostics and Troubleshooting Using Event Policies and Actions Brocade Network Advisor logs events and alerts generated by managed devices and the management server and presents them through the master
V310 Support Note Version 1.0 November, 2011
1 V310 Support Note Version 1.0 November, 2011 2 Index How to Register V310 to Your SIP server... 3 Register Your V310 through Auto-Provision... 4 Phone Book and Firmware Upgrade... 5 Auto Upgrade... 6
Chapter 9 Monitoring System Performance
Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important
HP A-IMC Firewall Manager
HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this
53-1003139-01 27 June 2014. Fabric OS. Software Licensing Guide. Supporting Fabric OS 7.3.0
27 June 2014 Fabric OS Software Licensing Guide Supporting Fabric OS 7.3.0 2014, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX,
Barracuda Link Balancer Administrator s Guide
Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks
McAfee SMC Installation Guide 5.7. Security Management Center
McAfee SMC Installation Guide 5.7 Security Management Center Legal Information The use of the products described in these materials is subject to the then current end-user license agreement, which can
VPN Configuration of ProSafe VPN Lite software and NETGEAR ProSafe Router:
Page 1 of 8 VPN Configuration of ProSafe VPN Lite software and NETGEAR ProSafe Router: This document will guide you on how to create IKE and auto-vpn policies for your ProSafe NETGEAR Router, as well as
Scenario: IPsec Remote-Access VPN Configuration
CHAPTER 3 Scenario: IPsec Remote-Access VPN Configuration This chapter describes how to use the security appliance to accept remote-access IPsec VPN connections. A remote-access VPN enables you to create
Configuring a FortiGate unit as an L2TP/IPsec server
Configuring a FortiGate unit as an L2TP/IPsec server The FortiGate implementation of L2TP enables a remote dialup client to establish an L2TP/IPsec tunnel with the FortiGate unit directly. Creating an
Brocade Network Advisor High Availability Using Microsoft Cluster Service
Brocade Network Advisor High Availability Using Microsoft Cluster Service This paper discusses how installing Brocade Network Advisor on a pair of Microsoft Cluster Service nodes provides automatic failover
Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.
Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. CHAPTER 5 OBJECTIVES Configure a router with an initial configuration. Use the
STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE
STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE V IRTUAL PRIVATE NETWORKS C ONTENTS Introduction to the Scenarios... 3 Scenario 1: Gateway-to-Gateway With Pre-Shared Secrets... 3 Configuring
Defender 5.7. Remote Access User Guide
Defender 5.7 Remote Access User Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished
VPN Configuration Guide. Cisco ASA 5500 Series
VPN Configuration Guide Cisco ASA 5500 Series 2010 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part, without the
53-1003257-03 22 May 2015. Brocade NetIron. Software Defined Networking (SDN) Configuration Guide. Supporting Multi-Service IronWare R05.8.
22 May 2015 Brocade NetIron Software Defined Networking (SDN) Configuration Guide Supporting Multi-Service IronWare R05.8.00b 2015, Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade,
Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM
Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM Objective Scenario Topology In this lab, the students will complete the following tasks: Prepare to configure Virtual Private Network (VPN)
AirStation VPN Setup Guide WZR-RS-G54
AirStation VPN Setup Guide WZR-RS-G54 WZR-RS-G54 Introduction The WZR-RS-G54 s VPN services allows users to securely access their home or office network from anywhere in the world. All services available
Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6
INTEGRATION GUIDE May 2014 3725-75304-001 Rev B Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6 Polycom, Inc. 0 Copyright 2014, Polycom, Inc. All rights reserved.
Quick Start Guide. RV 120W Wireless-N VPN Firewall. Cisco Small Business
Quick Start Guide Cisco Small Business RV 120W Wireless-N VPN Firewall Package Contents Wireless-N VPN Firewall Ethernet Cable Power Adapter Quick Start Guide Documentation and Software on CD-ROM Welcome