Encore Networks
Version A, March 2008
© 2013 Encore Networks, Inc. All rights reserved.
VPN Configuration, Document 2

Configuring a BANDIT Product for Virtual Private Networks

One of the principal features in the BANDIT family of products is the support of virtual private networks (VPNs). This guide discusses the initial configuration of VPNs in the BANDIT products.

Note: To revise an existing VPN configuration, see Revising a BANDIT Product's VPN Configuration.

The following BANDIT products can support VPNs:

    BANDIT
    BANDIT II
    BANDIT III
    BANDIT Mini
    BANDIT Plus
    ILR-100
    VSR-30
    VSR-1200

All BANDIT VPN products can use DES or 3DES for VPN tunnels. The high-end products (the BANDIT II, the BANDIT III, and the VSR-1200) can use AES (or DES or 3DES) for VPN tunnels.

The VPN products can use Selective Layer Encryption (SLE, patent pending) in VPN connections that traverse satellite networks. For details of SLE, see Section 3.5, Configuring Selective Layer Encryption in VPNs, in Revising a BANDIT Product's VPN Configuration.

For more information about virtual private networks, see The BANDIT Products in Virtual Private Networks. For sample configurations of connections between VPN endpoints, see VPNC Scenario for IPsec Interoperability and Scenarios for Operation with a VPN Client.

2.1 Preparing for VPN Configuration

Gather all required information. Before you start these procedures, make sure you have all the information required to set up the BANDIT III device for use in your network, for example:

    The device's IP addresses
    The device's passwords
    Values for the device's VPN connection(s)
    Interface requirements for the device's ports

For information on trademarks, safety, limitations of liability, and similar topics, see Notices.
    Interface types for the ports, for example, DTE or DCE
    Protocols that the ports will use
    Network and routing functions that the device will perform
    Other pertinent network information

Confer with your network administrator, and use the Site Planning Worksheets as checklists for this information.

If you have questions or concerns after you have followed these procedures, contact Encore Networks, Inc., at support@encorenetworks.com, 703-787-4625 (fax), or 703-318-4350 (voice).

Note: The VPN tables that you configure on this BANDIT device exist only on this device, via its ELIOS software. The tables are not copied to or shared with any other BANDIT or third-party device. They are not maintained at any point in the network other than in the BANDIT device that uses them.

2.2 Using Quickstart to Configure a BANDIT Product for Virtual Private Networks

Note: The screens shown in this document are examples. The choices shown on your BANDIT's menus depend on the features in the chassis and on the software version installed in the device.

Getting Started

1 Do one of the following:

  a Connect the DB9 Supervisor serial port of a BANDIT II or a BANDIT III to a DB9 serial port on the control terminal (for example, a PC).

    Note: If you are using a computer terminal with a universal serial bus (USB), you must use a serial-to-USB adapter. (Contact the manufacturer of the USB device for information on the proper adapter.)

2 Use a terminal-emulation software package, such as HyperTerminal, to communicate with the BANDIT III. Use the settings in Table 2-1.

    Table 2-1. Supervisory Port Communication Settings

    Parameter        Value
    ---------------  --------
    Bits per second  9600
    Data bits        8
    Parity           None
    Stop bit         1
    Flow control     Hardware

3 Press the Enter key to get the BANDIT's attention. The BANDIT starts up.
    WELCOME TO ENCORE PRODUCT -- BANDIT III, ELIOS Version:16407.0102
    Copyright ENCORE NETWORKS Inc., 2002-2006.

Then the Main Menu is displayed.

    Main Menu
    ----------
    1) QuickStart Config Builder
    2) Typical Configurations
    3) Advanced Configurations
    4) Tools
    V) View Current Unit Status
    L) Load Factory Defaults
    P) Load Plug and Play Defaults
    W) Write Configuration
    R) Reset Unit
    X) exit Session
    S) Statistics
    Y) system Administration

Note: In the ELIOS menus, you may press the Escape key to return to a higher-level menu. You may also press Ctrl-Z to return from any level to the Main Menu.

Selecting a Basic Configuration

4 On the Main Menu, select QuickStart Config Builder. The menu of Startup Config Options is displayed.

    Startup Config Options
    -----------------------
    1) GENERIC

5 On the menu of Startup Config Options, select Generic. The menu of Startup Configuration Scenarios is displayed.
    Startup Configuration Scenarios
    ---------------------------------------
    1) PPPoE WAN Router
    2) PPPoE WAN VPN Gateway(Initiator)
    3) PPPoE WAN VPN Gateway(Initiator) With Dial Backup
    4) PPPoE WAN VPN Gateway(Terminator)
    5) PPPoE WAN VPN Gateway(Terminator) With Dial Backup
    6) Ethernet WAN Router
    7) Ethernet WAN VPN Gateway(Initiator)
    8) Ethernet WAN VPN Gateway(Initiator) With Dial Backup
    9) Ethernet WAN VPN Gateway(Terminator)
    A) Ethernet WAN VPN Gateway(Terminator) With Dial Backup

6 On the menu of Startup Configuration Scenarios, select the way your BANDIT will function in the network.

Note: This example uses PPPoE WAN VPN Gateway (Initiator) with Dial Backup.

The menu of Startup Configuration Parameters for your selection is displayed.

    Startup Configuration Parameters
    ---------------------------------
    1) System Name         :
    2) LAN Interface IP    : 0.0.0.0 /0.0.0.0 No DHCP Server
    3) WAN Interface IP    : Dynamic
    4) PPPoE User Name     :
    5) PPPoE Password      :
    6) Dialup Phone Number :
    7) Dialup User Name    :
    8) Dialup Password     :
    9) Primary DNS Server  : 0.0.0.0
    A) VPN Gateway         :
    B) VPN User ID         :
    C) VPN Pre-Shared Key  :
    D) Remote Subnet       : 0.0.0.0/0.0.0.0
    L) Load Above Config
    V) review/modify Loaded Config
    R) Reset (Write and Reset)
    Z) Clear All Fields

Setting Parameter Values for the Configuration

7 Do the following to configure parameters for your selection:

  Note: The parameters listed depend on the BANDIT function you selected in Step 6.

  a On the menu of Startup Configuration Parameters, select System Name.
        Enter System Name :

  b Type a name (unique within the LAN) for the BANDIT device, and press Enter.

    Note: Get all device names and IP addresses from your network administrator.

    The device name is accepted, and the menu of Startup Configuration Parameters is redisplayed.

  c On the menu of Startup Configuration Parameters, select LAN Interface IP.

        Enter IP Address :

    i Type the BANDIT device's IP address for the LAN, and press Enter.

      Note: Get all device names and IP addresses from your network administrator.

      The next prompt is displayed.

        Enter IP Subnet Mask :255.255.255.0

    ii Type the subnet mask and press Enter (or just press Enter to accept the default). The next prompt is displayed.

        Enter DHCP Type (1.No DHCP, 2.DHCP Server)(1 to 2)[1] :

    iii Specify whether the BANDIT will act as a DHCP server. The menu of Startup Configuration Parameters is redisplayed, showing information for the IP address.
    Startup Configuration Parameters
    ---------------------------------
    1) System Name         : BANDIT_1
    2) LAN Interface IP    : 1.2.4.3 /255.255.255.0 No DHCP Server
    3) WAN Interface IP    : Dynamic
    4) PPPoE User Name     :
    5) PPPoE Password      :
    6) Dialup Phone Number :
    7) Dialup User Name    :
    8) Dialup Password     :
    9) Primary DNS Server  : 0.0.0.0
    A) VPN Gateway         :
    B) VPN User ID         :
    C) VPN Pre-Shared Key  :
    D) Remote Subnet       : 0.0.0.0/0.0.0.0
    L) Load Above Config
    V) review/modify Loaded Config
    R) Reset (Write and Reset)
    Z) Clear All Fields

  d On the menu of Startup Configuration Parameters, select PPPoE User Name.

        Enter User ID :

    i Type the user ID, and press Enter.

      Note: Confer with your network administrator for the ID to use.

      The ID is accepted, and the menu of Startup Configuration Parameters is redisplayed.

  e On the menu of Startup Configuration Parameters, select PPPoE Password.

        Enter Password :

    i Type the password, and press Enter.

      Note: Confer with your network administrator for the password to use.

      The system asks you to retype the password, for confirmation.

        Re-Enter Password :
    ii Type the password exactly as before, and press Enter. The password is accepted, and the menu of Startup Configuration Parameters is redisplayed.

  f On the menu of Startup Configuration Parameters, select Dialup Phone Number.

        Enter Dialup Phone Number :

    i Type the telephone number of the remote device (for dial backup support), and press Enter. (When typing the number, do not include dashes or other symbols.)

      Note: Confer with your network administrator for the telephone number for dial backup.

      The number is accepted, and the menu of Startup Configuration Parameters is redisplayed.

  g On the menu of Startup Configuration Parameters, select Dialup User Name.

        Enter User ID :

    i Type the user ID, and press Enter.

      Note: Confer with your network administrator for the ID to use.

      The ID is accepted, and the menu of Startup Configuration Parameters is redisplayed.

  h On the menu of Startup Configuration Parameters, select Dialup Password.

        Enter Password :

    i Type the password, and press Enter.

      Note: Confer with your network administrator for the password to use.

      The system asks you to retype the password, for confirmation.

        Re-Enter Password :
    ii Type the password exactly as before, and press Enter. The password is accepted, and the menu of Startup Configuration Parameters is redisplayed.

  i On the menu of Startup Configuration Parameters, select VPN User ID.

        Enter User ID :

    i Type the user ID, and press Enter.

      Note: Confer with your network administrator for the ID to use.

      The ID is accepted, and the menu of Startup Configuration Parameters is redisplayed.

  j On the menu of Startup Configuration Parameters, select VPN Shared Key.

        Enter the Preshared Key :

    i Type the preshared key, and press Enter.

      Note: Confer with your network administrator for the preshared key.

      The system asks you to retype the key, for confirmation.

        ReEnter the Preshared Key:

    ii Type the key exactly as before, and press Enter. The preshared key is accepted, and the menu of Startup Configuration Parameters is redisplayed.

  k On the menu of Startup Configuration Parameters, select VPN Gateway.

        Enter VPN Gateway IP or DNS Name :

    i Type the public IP address or DNS name of the remote VPN gateway, and press Enter.
      Note: Get all device names and IP addresses from your network administrator.

      The entry is accepted, and the menu of Startup Configuration Parameters is redisplayed.

  l On the menu of Startup Configuration Parameters, select Remote Subnet.

        Enter Remote Ping IP Address :

    i Type the IP address of the remote device. Then press Enter.

      Note: Get all IP addresses from your network administrator. The remote ping IP address is usually the private LAN IP address of the remote VPN gateway (whose public address or DNS name you entered in Substep k).

        Enter Remote Subnet Mask :255.255.255.0

    ii Type the subnet mask and press Enter. (Or just press Enter to accept the default subnet mask.) The entries are accepted, and the menu of Startup Configuration Parameters is redisplayed.

    Startup Configuration Parameters
    ---------------------------------
    1) System Name         : BANDIT_1
    2) LAN Interface IP    : 1.2.4.3 /255.255.255.0 No DHCP Server
    3) WAN Interface IP    : Dynamic
    4) PPPoE User Name     : abc
    5) PPPoE Password      : ********
    6) Dialup Phone Number :
    7) Dialup User Name    : abc
    8) Dialup Password     : ********
    9) Primary DNS Server  : 0.0.0.0
    A) VPN Gateway         : 2.3.4.5
    B) VPN User ID         : abc
    C) VPN Pre-Shared Key  : ********
    D) Remote Subnet       : 4.5.6.7/255.255.255.0
    L) Load Above Config
    V) review/modify Loaded Config
    R) Reset (Write and Reset)
    Z) Clear All Fields
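Before selecting Load Above Config, it is worth running the same sanity checks that ELIOS applies when it loads the parameters, so that a rejected load is not a surprise. The following Python is an added example written for this guide, not ELIOS or Encore code: it re-applies the two load-time checks whose error messages ELIOS prints in Step 10 (the VPN Gateway must be a valid IP or DNS name, and a Remote Subnet Mask of 0.0.0.0 is not accepted) plus the entry rules from Step 7 (dial-up number typed without dashes or symbols; passwords and the pre-shared key retyped identically). The dict keys, the hostname rule and the extra checks are this example's own assumptions.

```python
"""Pre-flight check of Startup Configuration Parameters (added example, not ELIOS code)."""
import ipaddress
import re

# Hostname-label rule used for the "Valid DNS Name" check (an assumption:
# the guide does not document ELIOS's exact rule).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample mirroring the Step 7 screens; secrets and the phone
# number are placeholders chosen for this example.
EXAMPLE_PARAMS = {
    "system_name": "BANDIT_1", "lan_ip": "1.2.4.3",
    "pppoe_user": "abc", "pppoe_password": "pw1", "pppoe_password_confirm": "pw1",
    "dialup_phone": "5551234567", "dialup_user": "abc",
    "dialup_password": "pw2", "dialup_password_confirm": "pw2",
    "vpn_gateway": "2.3.4.5", "vpn_user_id": "abc",
    "vpn_psk": "psk-example", "vpn_psk_confirm": "psk-example",
    "remote_ping_ip": "4.5.6.7", "remote_mask": "255.255.255.0",
}


def is_ip(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_dns_name(value):
    labels = value.rstrip(".").split(".")
    return len(value) <= 253 and all(_LABEL.match(lbl) for lbl in labels)


def is_usable_mask(value):
    # A mask must be a contiguous run of ones; 0.0.0.0 is rejected by ELIOS.
    if not is_ip(value) or value == "0.0.0.0":
        return False
    try:
        ipaddress.IPv4Network(("0.0.0.0", value))  # raises on a non-contiguous mask
        return True
    except ValueError:
        return False


def check_startup_params(p):
    """Return the list of problems found; an empty list means the load should succeed."""
    errors = []
    lan = p.get("lan_ip", "0.0.0.0")
    if lan == "0.0.0.0" or not is_ip(lan):
        errors.append("LAN Interface IP must be the device's LAN address")
    gw = p.get("vpn_gateway", "")
    if not (is_ip(gw) or is_dns_name(gw)):
        errors.append("VPN Gateway Must be valid IP or Valid DNS Name")  # ELIOS wording
    mask = p.get("remote_mask", "0.0.0.0")
    if mask == "0.0.0.0":
        errors.append("Remote Subnet Mask 0.0.0.0 Not Accepted")  # ELIOS wording
    elif not is_usable_mask(mask):
        errors.append("Remote Subnet Mask must be a valid mask")
    if not is_ip(p.get("remote_ping_ip", "")):
        errors.append("Remote Ping IP Address must be a valid IP")
    phone = p.get("dialup_phone", "")
    if phone and not phone.isdigit():
        errors.append("Dialup Phone Number must be digits only (no dashes or symbols)")
    for field in ("pppoe_password", "dialup_password", "vpn_psk"):
        if p.get(field, "") != p.get(field + "_confirm", ""):
            errors.append(field + ": re-entered value does not match")
    for field in ("system_name", "pppoe_user", "vpn_user_id", "vpn_psk"):
        if not p.get(field):
            errors.append(field + " is empty")
    return errors
```

Running check_startup_params on a copy of EXAMPLE_PARAMS with the gateway blanked and the remote mask left at 0.0.0.0 returns exactly the two messages ELIOS shows in Step 10.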
8 Do one of the following:

  a To load the configuration (so that you may review it, save it, or use it), continue to Step 9.

  b To clear all entries in the menu of Startup Configuration Parameters, select Clear All Fields. The following prompt appears.

        This Clears All the above Fields, Continue?(Y/N)[N]:

    i Answer y to empty the fields.

    ii Answer n to have the parameters retain their values.

    Whether you answer y or n, the menu of Startup Configuration Parameters is redisplayed. Return to Step 7.

Loading the Configuration

9 When you have finished configuring items on the menu of Startup Configuration Parameters, select Load Above Config.

  Note: Loading the configuration merely makes the configuration available for review. It does not save the configuration or implement use of the configuration.

  The following message is displayed.

        Caution: Existing configurations will be over written
        Do you want to Continue?(Y/N)[N]

10 Do one of the following:

  a To abandon the configuration load, answer n. The configuration load is cancelled. The following message is displayed. Then the menu of Startup Configuration Parameters is redisplayed. Return to Step 7; then, if you wish to change some parameters, do so and repeat Step 9.

        Config Not Loaded

  b To load the configuration, answer y. The configuration starts to load. Note the following:

    If there are errors, or if some necessary parameters have not yet been configured, you will see messages to that effect. The configuration load will be cancelled. Press Enter to redisplay the menu of Startup Configuration Parameters. Return to Step 7 and address the concerns of the messages. Then repeat Step 9.

        Error: VPN Gateway Must be valid IP or Valid DNS Name
        Error: Remote Subnet Mask 0.0.0.0 Not Accepted
        Errors Found. Config Not Loaded, Press Any key to Continue...

    When the configuration loads successfully, you will see the following message. Continue to Step 11.

        Loading Config, Please wait...done.
        This takes effect only after WRITE and RESET, Press Any key...

11 Press any key to redisplay the menu of Startup Configuration Parameters, with the loaded parameters.

    Startup Configuration Parameters
    ---------------------------------
    1) System Name         : BANDIT_1
    2) LAN Interface IP    : 1.2.4.3 /255.255.255.0 No DHCP Server
    3) WAN Interface IP    : Dynamic
    4) PPPoE User Name     : abc
    5) PPPoE Password      : ********
    6) Dialup Phone Number :
    7) Dialup User Name    : abc
    8) Dialup Password     : ********
    9) Primary DNS Server  : 0.0.0.0
    A) VPN Gateway         : 2.3.4.5
    B) VPN User ID         : abc
    C) VPN Pre-Shared Key  : ********
    D) Remote Subnet       : 4.5.6.7/255.255.255.0
    L) Load Above Config
    V) review/modify Loaded Config
    R) Reset (Write and Reset)
    Z) Clear All Fields

Reviewing or Modifying the Loaded Configuration

12 On the menu of Startup Configuration Parameters, if you wish to review the loaded configuration, select Review/Modify Loaded Config. The Typical Configurations menu is displayed.
    Typical Configurations Menu
    ----------------------------
    1) System Configuration
    2) IP Interfaces
    3) IP Static Routes
    4) VPN Profiles
    5) IP/VPN Policies
    6) NAT Profiles
    7) DNS/DHCP Servers
    8) Configure Firewall
    9) IP QoS (Quality of Service)
    L) LAN    : EtherNet No DHCP        ETHERNET
    W) WAN    : PPPoE WAN               ETHERNET
    M) MODEM  : Point-to-Point          MODEM INTERNAL
    S) SERIAL : UNDEFINED               SERIAL V.24/RS232 DCE
    B) RDU Ports...
    P) More Ports...

13 If you wish to review or change parameters on the Typical Configurations menu, do the following:

  a To review the BANDIT's system IP address (the LAN IP address) and name, select System Configuration. The menu to Configure System Parameters is displayed.

        Configure System Parameters
        ----------------------------
        1) System IP Address : 1.2.4.3
        2) System Name       :

    i If you wish to change any information on this menu, select the item.

    ii When you have finished configuring items on this menu, press Escape to return to the Typical Configurations menu.

  b To review the IP interface table, select IP Interfaces. The IP interface table is displayed.

        Entry  IP Address       Net Mask        Gpt Name      Next Router     Mode    MTU
        ----   ---------------  --------------  ------------  --------------  ------  ----
        1      Unnumbered       N/A             MODEM         N/A             Off     1500
        2      Unnumbered       N/A             WAN           N/A             Off     1492
        3      1.2.4.3          255.255.255.0   LAN           0.0.0.0         Off     1500
        4      192.168.169.1    255.255.255.0   48~ @#$_      0.0.0.0         Off     1500
        Add, Modify, or Delete an Entry? (Enter A, M, or D):
    i If you wish to change any information, select the item. Follow the instructions that display on the screen.

    ii When you have finished configuring items, press Escape to exit the table.

        IP interface Table Handling Complete

    iii Then press Escape again to return to the Typical Configurations menu.

  c To review the BANDIT's static routing table, select IP Static Routes. The static routing table is displayed.

        Entry  IP Address  Net Mask  Next Router  Path Name  Hops
        1      0.0.0.0     0.0.0.0   Unnumbered   WAN        2
        2      0.0.0.1     0.0.0.0   Unnumbered   MODEM      2
        Add, Modify, or Delete an Entry? (Enter A, M, or D):

    i If you wish to change any information, select the item. Follow the instructions that display on the screen.

    ii When you have finished configuring items, press Escape to exit the table.

        RIP Static Table Handling Complete

    iii Then press Escape again to return to the Typical Configurations menu.

  d To review the VPN profile table, select VPN Profiles. The VPN profile table is displayed.

        VPN Profile Table
        -----------------------------------------------------------------------------
        No. Name         Mode  VPN Gateway      Phase1 Proposal#1  Ping  User ID
        --- ----------   ----  ---------------  -----------------  ----  -----------------
        1)  REMOTE       AGGR  2.3.4.5          psk-g2-3des-sha1   ON    abc
        2)  AGGR_G1      AGGR  None             psk-g1-3des-sha1   OFF
        3)  MAIN_G2      MAIN  None             psk-g2-3des-sha1   OFF
        4)  MAIN_G5      MAIN  None             psk-g1-3des-sha1   OFF
        5)  AGGR_G1_AES  AGGR  None             psk-g1-aes-sha1    OFF
        6)  AGGR_G2_AES  AGGR  None             psk-g2-aes-sha1    OFF
        7)  MAIN_G2_AES  MAIN  None             psk-g2-aes-sha1    OFF
        8)  AGGR_G2      AGGR  None             psk-g2-3des-sha1   OFF
        Enter a to add, m to modify, d to delete, c to copy or <ESC> to exit:

    i If you wish to change any information, select the item. Follow the instructions that display on the screen.
    ii When you have finished configuring items, press Escape to exit the table. Then press Escape again to return to the Typical Configurations menu.

  e To review the VPN/IP policy table, select IP/VPN Policies. The IP Policy menu is displayed. Its Status should be Enabled.

        IP Policy
        ----------
        1) Status         : Enabled
        2) Policy Table
        3) Remote Logging : Disabled

    i Select Policy Table. The IP policy table is displayed.

             Source           Src     Destination      Dest    Protocol
        #    Address          Port    Address          Port    /Flag     Path Name   I/O  Action
        ---  ---------------  ------  ---------------  ------  --------  ----------  ---  ----
        1    1.2.4.0          *       4.5.6.0          *       *         *           *
             1.2.4.255        *       4.5.6.255        *
             IPSec Tunnel To Remote 1
             Action: Initiate    VPN Profile: REMOTE
        2    *                *       *                *       *         *           *
             *                *       *                *
             Allow ALL
             Action: Allow
        Add, Modify, Insert, Copy or Delete an Entry? - (A/M/I/C/D) :

    ii If you wish to change any information, select the item. Follow the instructions that display on the screen.

    iii When you have finished configuring items, press Escape to exit the table.

        Filter Table Handling Complete.

    iv Then press Escape again to return to the Typical Configurations menu.

  f To review network address translation, select NAT Profiles. The Network Address Translation menu is displayed.

        Network Address Translation (NAT)
        ----------------------------------
        1) NAT Configuration 1
        2) NAT Configuration 2
        3) NAT Configuration 3
  g Perform Substep i through Substep vi for each item in the table.

    i On the Network Address Translation menu, select NAT Configuration i, where i is the NAT configuration (1, 2, or 3) you wish to review. The NAT Configuration menu is displayed for the selected NAT Configuration (shown here for NAT Configuration 1).

        NAT Configuration : 1
        ----------------------
        1) NAT Status     : Public NAT Enabled
        2) IP Masquerading
        3) Static NAT Table
        4) Remote Logging : Disabled

      Note: In this example, the NAT Status of NAT Configuration 1 and NAT Configuration 3 is Public NAT Enabled, and the NAT Status of NAT Configuration 2 is Disabled.

    ii For NAT Configuration 2 (in the example shown), press Escape to return to the Network Address Translation menu.

    iii For NAT Configuration 1 or NAT Configuration 3 (in the example shown), select Static NAT Table. The selected NAT configuration's NAT table is displayed.

                       Private          Private  Public           Public
        #    Protocol  Address          Port     Address          Port
        ---  --------  ---------------  -------  ---------------  -------
        1    ICMP      0.0.0.0          N/A      0.0.0.0          N/A
                       0.0.0.0          N/A      0.0.0.0          N/A
        2    TCP       0.0.0.0          23       0.0.0.0          23
                       0.0.0.0          23       0.0.0.0          23
        3    ESP       0.0.0.0          0        0.0.0.0          0
                       0.0.0.0          0        0.0.0.0          0
        4    UDP       0.0.0.0          500      0.0.0.0          500
                       0.0.0.0          500      0.0.0.0          500
        Add, Modify, or Delete an Entry? (Enter A, M, or D)

    iv If you wish to change any information, select that record. For guidelines, see Section 3.6.2, Network Address Translation.

    v When you have finished configuring the selected NAT configuration's NAT table, press Escape. The following message is displayed. Then the NAT Configuration menu for the selected NAT is redisplayed.
        Static NAT Table Handling Complete

    vi When you have finished configuring the selected NAT's configuration, press Escape to return to the Network Address Translation menu.

  h When you have finished configuring all network address translation, press Escape to return to the Typical Configurations Menu.

  i On the Typical Configurations menu, select DNS/DHCP Servers to set up a DNS server or BOOTP/DHCP server for the BANDIT device. The menu to Configure DNS/DHCP Parameters is displayed.

        Configure DNS/DHCP Parameters
        ------------------------------
        1) Primary DNS Server          : 0.0.0.0
        2) Secondary DNS Server        : 0.0.0.0
        3) Primary BOOTP/DHCP Server   : No BOOTP/DHCP Server Configured
        4) Secondary BOOTP/DHCP Server : No BOOTP/DHCP Server Configured

    Note: If you wish to change any information, select the item. When you have finished configuring items, press Escape to return to the Typical Configurations menu. For information, see Section 2.1.4, Primary and Secondary BootP/DHCP Addresses (DHCP Settings).

  j To review the BANDIT device's firewall settings, select Configure Firewall. The Configure Firewall menu is displayed.

        Configure Firewall
        -------------------
        1) NAT Profiles
        2) Policy Table
        3) IP Interfaces

    Note: If you wish to change any information, select the item. When you have finished configuring items, press Escape to return to the Typical Configurations menu. For information, see Section 3.6.3, Firewall.

14 When you have finished reviewing the loaded configuration, press Escape to return to the menu of Startup Configuration Parameters.
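To see how the VPN profile table and the IP policy table reviewed in Step 13 work together, here is an added example written for this guide (not ELIOS or Encore code) that evaluates a flow against the policy table shown above and resolves the matched VPN profile. It assumes that the policy table is searched top-down with the first matching entry deciding the action, and that a Phase 1 proposal name such as psk-g2-3des-sha1 splits into authentication method, DH group, cipher and hash; both assumptions are this example's, not statements from the guide.

```python
"""Policy-table lookup over the Step 13 screens (added example, not ELIOS code)."""
import ipaddress
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Policy:
    src_lo: str       # first/last address of the source range ("*" = any)
    src_hi: str
    src_port: str
    dst_lo: str       # first/last address of the destination range
    dst_hi: str
    dst_port: str
    proto: str
    action: str       # "Initiate" or "Allow", as displayed by ELIOS
    profile: str = ""  # VPN profile name for Initiate entries


# IP policy table from the page: entry 1 tunnels 1.2.4.0-1.2.4.255 to
# 4.5.6.0-4.5.6.255 through VPN profile REMOTE; entry 2 is the Allow ALL catch-all.
POLICY_TABLE = [
    Policy("1.2.4.0", "1.2.4.255", ANY, "4.5.6.0", "4.5.6.255", ANY, ANY, "Initiate", "REMOTE"),
    Policy(ANY, ANY, ANY, ANY, ANY, ANY, ANY, "Allow"),
]

# Rows of the VPN profile table from the page: name -> (mode, gateway, Phase 1 proposal #1).
VPN_PROFILES = {
    "REMOTE": ("AGGR", "2.3.4.5", "psk-g2-3des-sha1"),
    "MAIN_G2": ("MAIN", None, "psk-g2-3des-sha1"),
    "AGGR_G2_AES": ("AGGR", None, "psk-g2-aes-sha1"),
}


def _in_range(addr, lo, hi):
    if lo == ANY:
        return True
    a = ipaddress.IPv4Address(addr)
    return ipaddress.IPv4Address(lo) <= a <= ipaddress.IPv4Address(hi)


def _field_ok(value, pattern):
    return pattern == ANY or str(value) == str(pattern)


def parse_proposal(name):
    """Split a proposal name (assumed layout): 'psk-g2-3des-sha1' -> auth, DH group, cipher, hash."""
    auth, group, cipher, hsh = name.split("-")
    return {"auth": auth, "dh_group": int(group[1:]), "cipher": cipher, "hash": hsh}


def lookup(src, dst, proto, src_port=ANY, dst_port=ANY):
    """Return (action, profile_info) for the first matching entry; ('NoMatch', None) if none."""
    for p in POLICY_TABLE:
        if (_in_range(src, p.src_lo, p.src_hi) and _in_range(dst, p.dst_lo, p.dst_hi)
                and _field_ok(proto, p.proto) and _field_ok(src_port, p.src_port)
                and _field_ok(dst_port, p.dst_port)):
            if p.profile:
                mode, gateway, proposal = VPN_PROFILES[p.profile]
                return p.action, {"profile": p.profile, "mode": mode, "gateway": gateway,
                                  "phase1": parse_proposal(proposal)}
            return p.action, None
    return "NoMatch", None
```

Calling lookup("1.2.4.10", "4.5.6.20", "TCP", dst_port=80) returns Initiate with the REMOTE profile, while a flow from 4.5.6.20 back to 1.2.4.10 does not match entry 1 and falls through to Allow ALL, which is the table's behaviour as displayed.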
Saving the New Configuration

15 If you wish to save and use the loaded configuration, do all of the following:

  a On the menu of Startup Configuration Parameters, select Reset (Write and Reset). The Reset Unit menu is displayed.

        Reset Unit
        -----------
        Y) Yes
        N) No
        Are You Sure? :

  b Answer Yes. The following prompt asks whether to save the configuration.

        Save New Configuration? (Enter Y (Yes) or N (No)) :

  c Answer y. The system requests the save (Write) password.

        Enter WRITE Password :

  d Enter the password.

    Note: Get all passwords from your network administrator (or see Default Passwords).

    The system provides messages as it saves the configuration.

        Copyright Encore Networks, 2002.
        Verifying Configuration, WAIT...
        Configuration SAVED!

    When the configuration has been saved, the BANDIT resets. Messages describe the progress.

    Caution: Do not press any keys until you see the message Press Enter to login.
        Configuration SAVED
        Resetting this Unit, Please Wait...

  e When you see the following message, press Enter.

        Press <ENTER> to login

    The system starts the login sequence.

        WELCOME TO ENCORE PRODUCT -- BANDIT III, ELIOS Version:16407.0102
        Copyright ENCORE NETWORKS Inc., 2002-2006.

    Then the Main Menu is displayed.

        Main Menu
        ----------
        1) QuickStart Config Builder
        2) Typical Configurations
        3) Advanced Configurations
        4) Tools
        V) View Current Unit Status
        L) Load Factory Defaults
        P) Load Plug and Play Defaults
        W) Write Configuration
        R) Reset Unit
        X) exit Session
        S) Statistics
        Y) system Administration

Note: To revise a VPN configuration, see Revising a BANDIT Product's VPN Configuration.