ViPNet VPN in Cisco Environment
Supplement to ViPNet Documentation
1991-2015 Infotecs Americas. All rights reserved. Version: 00121-04 90 02 ENU

This document is included in the software distribution kit and is subject to the same terms and conditions as the software itself. No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means electronic, mechanical, recording, or otherwise for any purpose, without the prior written consent of Infotecs Americas Inc.

ViPNet is a registered trademark of Infotecs Americas Inc., New York, USA. All brands and product names that are trademarks or registered trademarks are the property of their owners.

Global contacts page: http://www.vipnet.com/
Contents

About This Document ... 3
Advantages of Deploying a ViPNet Network ... 4
Network Structure Requirements ... 6
Guidelines ... 6
Configuring Coordinators ... 7
Configuring Clients ... 9
Configuring Tunneled Hosts ... 10
If Both ViPNet and Tunneled Hosts Are in the Same Network Segment ... 10
Configuring Remote Clients ... 13
Configuring a Remote User's Laptop ... 13
Configuring a Remote User's Desktop Computer ... 14
Making Test Calls ... 14

About This Document

This document is intended for network administrators who plan to deploy and configure Cisco IP telephony systems within ViPNet VPN virtual private networks in their organizations. You don't have to be an IT professional to read and understand this document. However, you should have a general idea of computer networks, IP protocols, firewalls, tunneling, and cryptography.

ViPNet VPN in Cisco Environment. Supplement to ViPNet Documentation 3
Advantages of Deploying a ViPNet Network

To protect your corporate Cisco VoIP traffic, you may deploy a ViPNet virtual private network in your organization. The ViPNet technology not only protects the traffic, but also cuts down the number of settings required to establish connections with remote Cisco users, branch offices and partners, and makes the corporate network configuration process easier. The advantages of deploying and configuring a ViPNet network are as follows:

- When VoIP (Internet telephony) traffic is transferred over an external network, it is encrypted. Within a corporate network, VoIP traffic can be either encrypted or unencrypted, at your choice.
- PSTN (public switched telephone network) users can easily communicate with VoIP users, both those located in the office and those who work remotely.

Note: Keep in mind that we don't guarantee the privacy of PSTN-to-VoIP and VoIP-to-PSTN connections if a remote VoIP user works on an unprotected host (one without the ViPNet software).

- Remote VoIP users who connect to the Internet from various access points may create several configurations in ViPNet Monitor, one for each connection. They can then make calls using Cisco IP Communicator (CIPC) simply by selecting the desired configuration in ViPNet Monitor, without changing any settings.
- Because virtual IP addresses are used, a remote user's visibility address remains the same whenever he or she changes location. That is why no settings need to be changed in Cisco CallManager.
- The use of virtual IP addresses prevents IP address conflicts between different local networks where IP telephony is used.
- Encapsulation of all encrypted traffic into a single UDP format makes firewall configuration much easier.

This chapter gives an example of a network topology for protected Cisco IP telephony.
Figure 1. ViPNet software protecting Cisco VoIP traffic

Suppose there are two offices in your company: a head office and a branch office. Their networks include both:

- ViPNet hosts with Cisco software, which are computers with ViPNet Client and Cisco IP Communicator installed. Hereinafter we call them 'ViPNet hosts'.
- Unprotected hosts, which are computers with Cisco IP Communicator installed but without ViPNet Client, as well as Cisco IP hardphones and a server with Cisco CallManager installed. Hereinafter we call them 'tunneled hosts'.

Warning: To enhance network security, we strongly recommend that you place tunneled hosts in a separate network segment from ViPNet hosts. If you cannot do this, you should make some additional settings (see If Both ViPNet and Tunneled Hosts Are in the Same Network Segment on page 10) to protect traffic within your LAN.

Remote users (with laptops where ViPNet Client and Cisco IP Communicator are installed) connect to the ViPNet network over the Internet. The head office LAN is connected to a public switched telephone network (PSTN) via a PSTN gateway.
The PSTN gateway and Cisco CallManager are located in a separate segment of the head office network (LAN_5 on the scheme).

Network Structure Requirements

The following requirements should be met to protect VoIP traffic in a Cisco IP telephony environment:

1 In every office, on the edge of the network, a coordinator should be installed and configured to tunnel the Cisco CallManager server, the PSTN gateway, and all Cisco IP hardphones. Moreover:
- The PSTN gateway, Cisco IP hardphones, and hosts which have Cisco IP Communicator installed but don't have ViPNet Client should be tunneled by the coordinator of their office.
- The Cisco CallManager server should be placed behind another coordinator (Coordinator 2 in the scheme, see figure 1 on page 5) and have a unique IP address.

Note: If there are several Cisco CallManager servers in your organization, each serving a separate user group, ask Infotecs technical support for recommendations on configuring the network.

2 All hosts with Cisco IP Communicator installed either have the ViPNet Client software installed as well or are tunneled by the coordinator of their office (according to paragraph 1).
3 All remote hosts with Cisco IP Communicator installed have the ViPNet Client software installed as well.

Guidelines

We recommend that you follow these steps to install and configure the ViPNet software in each office:

1 Install and configure the ViPNet Coordinator software to tunnel unprotected hosts participating in IP telephony (see Configuring Coordinators on page 7).

Note: For the ViPNet Coordinator setup workflow, see ViPNet VPN. User's Guide, Chapter 2, Installing ViPNet Coordinator on ViPNet Network Servers.

2 Install and configure the ViPNet Client software on hosts with Cisco IP Communicator installed (see Configuring Clients on page 9). If installing ViPNet Client on some hosts is undesirable or impossible, these hosts should be tunneled according to paragraph 3 of this section.
Note: For the ViPNet Client setup workflow, see ViPNet VPN. User's Guide, Chapter 2, Installing ViPNet Client on ViPNet Users' Computers. To configure the ViPNet Client software, log on as an administrator.

3 Configure all tunneled hosts participating in IP telephony (see Configuring Tunneled Hosts on page 10). You should not install ViPNet software on tunneled hosts.
4 Install and configure the ViPNet Client software on remote hosts with Cisco IP Communicator installed (see Configuring Remote Clients on page 13).
5 Make test calls from clients in the office, tunneled hosts, and remote hosts (see Making Test Calls on page 14).

Configuring Coordinators

To configure a coordinator:

1 In ViPNet Network Manager, set the coordinator access parameters (see the document ViPNet VPN. User's Guide, Chapter 5, Configuring Coordinators).
2 In ViPNet Network Manager, specify the IP addresses of the unprotected hosts participating in IP telephony as tunneled (see the document ViPNet VPN. User's Guide, Chapter 5, Tunneling).
3 On the firewall placed on the edge of the LAN, configure traffic routing rules.
4 On the coordinator, make the following network settings:
- If the coordinator connects to the Internet via a firewall, set the firewall access parameters (see the document ViPNet VPN. User's Guide, Chapter 5, Firewall (for Coordinators)).
- If the coordinator has a network interface directly connected to the Internet, set your Internet service provider's gateway as the default gateway for this interface. For the other networks the coordinator is connected to, set static routes that forward IP traffic for these networks to the corresponding gateways.
5 In ViPNet Coordinator Monitor, on coordinator 2 of the head office (see figure 1 on page 5), configure a forward filter for tunneled hosts behind different network interfaces. To do this:

Note: In our example (see figure 1 on page 5), you should configure a forward filter to connect the LAN_2 subnetwork, where unprotected hosts with Cisco IP Communicator and Cisco IP hardphones are placed, to the LAN_5 subnetwork, where the Cisco CallManager server and PSTN gateway are placed.
- In the main ViPNet Monitor window, in the navigation pane, select Network Filters > Forward Public Network Filters. Click Create.
- In the displayed forward filter's properties window, in the General Options section, specify the filter name and the action it applies: allow traffic.
- In the Sources section, click Add and select IP address or IP addresses range.

Figure 2. Configuring a forward filter

- In the IP Address window, choose IP addresses range and specify the starting and ending addresses of the range of IP addresses belonging to tunneled hosts of the LAN_2 subnetwork. Click OK.
- In the Destination section, specify the IP addresses belonging to tunneled hosts of the LAN_5 subnetwork (the Cisco CallManager server and the PSTN gateway).

6 If IP addresses of the same subnetwork are used in the network segments of both the head and branch offices, to avoid an IP address conflict, do the following in ViPNet Coordinator Monitor for each coordinator in the hosts list:
- In the Private Network section, double-click one of the coordinators. The ViPNet Host Properties dialog box will be displayed.
- Click the Tunnel tab and select the Use virtual IP addresses check box (cleared by default).
Figure 3. Using virtual IP addresses

Configuring Clients

On each client located in the head or branch office:

1 Log on to ViPNet Client Monitor as an administrator.
2 To avoid an IP address conflict, make the following settings for each coordinator in the Private Network section:
- In the Private Network section, double-click one of the coordinators. The ViPNet Host Properties dialog box will be displayed.
- Click the Tunnel tab (see figure 3 on page 9) and select the Use virtual IP addresses check box (cleared by default).
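As an added example, not code from the ViPNet documentation or product: a small Python model of the forward filter configured in step 5 of Configuring Coordinators above, using constructed addresses (LAN_2 tunneled hosts 10.2.0.10-10.2.0.50, CallManager 10.5.0.10, PSTN gateway 10.5.0.20). The action for traffic that no filter matches is a parameter, because the page does not state the coordinator's default.

```python
import ipaddress
from dataclasses import dataclass, field


def parse_spec(spec):
    """Turn 'a.b.c.d', 'a.b.c.d/nn' or 'start-end' into a list of networks
    (the three forms the IP Address window accepts)."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec, strict=False)]


@dataclass
class ForwardFilter:
    name: str
    action: str                                  # "allow" or "block"
    sources: list = field(default_factory=list)  # networks from the Sources section
    destinations: list = field(default_factory=list)

    def matches(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (any(s in n for n in self.sources)
                and any(d in n for n in self.destinations))


def evaluate(filters, src, dst, default="block"):
    """First matching filter wins; unmatched traffic gets the default action
    (assumed here to be a parameter, not taken from the page)."""
    for f in filters:
        if f.matches(src, dst):
            return f.action
    return default


# Constructed addresses for the example topology (not from the page).
LAN2_TUNNELED = "10.2.0.10-10.2.0.50"   # CIPC hosts and hardphones in LAN_2
CALLMANAGER = "10.5.0.10"               # Cisco CallManager server in LAN_5
PSTN_GATEWAY = "10.5.0.20"              # PSTN gateway in LAN_5

FILTERS = [
    ForwardFilter(
        name="LAN_2 to CallManager and PSTN gateway",
        action="allow",
        sources=parse_spec(LAN2_TUNNELED),
        destinations=parse_spec(CALLMANAGER) + parse_spec(PSTN_GATEWAY),
    ),
]

if __name__ == "__main__":
    for src, dst in [("10.2.0.25", CALLMANAGER), ("10.2.0.25", PSTN_GATEWAY),
                     ("10.2.0.100", CALLMANAGER), ("10.2.0.25", "10.5.0.99")]:
        print(f"{src} -> {dst}: {evaluate(FILTERS, src, dst)}")
```

A host outside the LAN_2 range, or a LAN_5 destination other than the two tunneled servers, falls through to the default action; a further source range (the branch office, for instance) is simply another ForwardFilter in the list.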
Configuring Tunneled Hosts

Warning: To enhance network security, we strongly recommend that you place tunneled hosts in a separate network segment from ViPNet hosts. If you cannot do this, you should make some additional settings (see If Both ViPNet and Tunneled Hosts Are in the Same Network Segment on page 10) to protect traffic within your LAN.

To configure tunneled hosts:

1 In both offices' networks, on each tunneled host (except for the Cisco CallManager server and the PSTN gateway), specify the default gateway address. It must be the IP address of a coordinator located in the same network segment. If you can't use this coordinator as the default gateway, see step 2.

Note: Tunneled hosts within the same subnetwork exchange traffic directly, without using a coordinator.

2 In the head office, configure the subnetwork with the Cisco CallManager server and the PSTN gateway. You can't set a coordinator as the default gateway for the Cisco CallManager server, because the PSTN gateway should be its default gateway for access to the public switched telephone network. To solve this problem, on the Cisco CallManager server, set a static route that directs all traffic exchanged between Cisco CallManager and the head office network through the coordinator.

If Both ViPNet and Tunneled Hosts Are in the Same Network Segment

By default, clients connect directly to tunneled hosts located in the same network segment. To ensure control over access to tunneled hosts, you can configure clients to connect to tunneled hosts through a coordinator. To do this:

1 On each client in the same network segment, in ViPNet Monitor:
- In the navigation pane, click Private Network.
- In the Private Network section, double-click the tunneling coordinator of this subnetwork. The ViPNet Host Properties dialog box will be displayed.
- On the Tunnel tab, under Exceptions, clear the Do not tunnel the IP addresses of your computer's subnetwork check box (selected by default).
Figure 4. Configuring a network segment with ViPNet hosts and tunneled hosts

- If you need traffic to pass directly between a client and a tunneled host, under Exceptions, select the Do not tunnel the following IP addresses check box.
Figure 5. Specifying addresses that should not be tunneled

- Click Add. The Add IP address or range window will be displayed.

Figure 6. Specifying an IP address

- In the Add IP address or range window, select Range and specify the starting and ending IP addresses of the range of addresses that should not be tunneled. Click OK.
- Click OK to close the ViPNet Host Properties dialog box.

2 On each tunneled host, set a static route that directs all traffic exchanged between this host and clients through the coordinator.
3 On each client, configure a static route that directs all traffic exchanged between this client and tunneled hosts through the coordinator.
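As an added example, not part of the ViPNet documentation: a Python model of the client-side decision this section describes, and of the static routes steps 2 and 3 then require. Addresses are constructed (coordinator 10.2.0.1, client 10.2.0.5 and tunneled hosts 10.2.0.10-10.2.0.50 all in 10.2.0.0/24); the two options mirror the check boxes on the Tunnel tab, and nothing beyond what the page states about ViPNet Monitor is modelled.

```python
import ipaddress


def in_range(addr, ranges):
    """True if addr falls inside any (start, end) range, inclusive."""
    a = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


def path_to_host(dst, client_ip, coordinator, tunneled_ranges,
                 skip_own_subnet=True, do_not_tunnel=()):
    """Next hop a client uses for dst: ('direct', dst) or ('coordinator', addr).

    skip_own_subnet mirrors the 'Do not tunnel the IP addresses of your
    computer's subnetwork' check box (selected by default); do_not_tunnel
    holds the (start, end) ranges listed under 'Do not tunnel the following
    IP addresses'.
    """
    if not in_range(dst, tunneled_ranges):
        return ("direct", dst)          # not a tunneled host: plain IP, no tunnel
    own_subnet = ipaddress.ip_interface(client_ip).network
    if skip_own_subnet and ipaddress.ip_address(dst) in own_subnet:
        return ("direct", dst)          # default: same segment, coordinator bypassed
    if in_range(dst, do_not_tunnel):
        return ("direct", dst)          # explicit exception range
    return ("coordinator", coordinator)


def static_routes(client_ip, coordinator, tunneled_hosts):
    """Host routes needed once traffic must cross the coordinator (steps 2 and 3):
    on the client one per tunneled host, on each tunneled host one for the client.
    Returns {host: [(destination, gateway), ...]}."""
    client = str(ipaddress.ip_interface(client_ip).ip)
    routes = {client: [(host, coordinator) for host in tunneled_hosts]}
    for host in tunneled_hosts:
        routes[host] = [(client, coordinator)]
    return routes


# Constructed segment (not from the page): everything shares 10.2.0.0/24.
COORDINATOR = "10.2.0.1"
CLIENT = "10.2.0.5/24"
TUNNELED = [("10.2.0.10", "10.2.0.50")]     # CIPC hosts and hardphones

if __name__ == "__main__":
    print(path_to_host("10.2.0.20", CLIENT, COORDINATOR, TUNNELED))
    print(path_to_host("10.2.0.20", CLIENT, COORDINATOR, TUNNELED, skip_own_subnet=False))
    print(static_routes(CLIENT, COORDINATOR, ["10.2.0.20", "10.2.0.21"]))
```

With the subnet exception cleared, the client's own routing table must still carry the host routes static_routes returns, or the packets go straight onto the segment regardless of the ViPNet setting.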
Configuring Remote Clients

In this scenario, remote users may work on a desktop computer or a laptop.

Configuring a Remote User's Laptop

Suppose that a remote user with a laptop connects to the Internet from different locations, using different connection types. To avoid reconfiguring the ViPNet software every time the user connects to the ViPNet network, we recommend that you create several configurations in ViPNet Monitor, one for each connection type. Then, to access the ViPNet network, the user only needs to choose one of the configurations.

To create a new configuration:

1 Log on to ViPNet Client Monitor as an administrator.
2 In the main ViPNet Monitor window, in the navigation pane, right-click Configurations and, on the context menu, click Create a New Configuration.

Figure 7. Creating a new configuration

A New configuration element will be displayed in the configurations list. The current program settings will be automatically saved to the new configuration.

3 We recommend that you rename the configuration so that it is easier to find. To do this, select the configuration and press F2, or right-click it and, on the context menu, click Rename.
4 To save the configuration, in the navigation pane, right-click Configurations and, on the context menu, click Save Current Configuration.

We recommend that you create and save the following configurations (to do this, log on as an administrator):
- In one of the configurations, save the settings for working in the office local network. These settings should be the same as the settings on clients in that network (see Configuring Clients on page 9).
- In another configuration, save the settings for connecting to your ViPNet network over the Internet when you work out of the office.

To avoid an IP address conflict, in any configuration:

1 In the navigation pane of the main ViPNet Client Monitor window, select Private Network.
2 In the Private Network section, double-click your coordinator. The ViPNet Host Properties dialog box will be displayed.
3 In the ViPNet Host Properties dialog box, on the Tunnel tab (see figure 3 on page 9), select the Use virtual IP addresses check box (cleared by default).

Configuring a Remote User's Desktop Computer

Suppose that a remote user with a stationary desktop computer connects to the ViPNet network over the Internet and does not change his or her location. To configure a desktop computer (in other words, a stationary ViPNet host):

1 Log on to ViPNet Client Monitor as an administrator.
2 To avoid an IP address conflict:
- In the navigation pane of the main ViPNet Client Monitor window, select Private Network.
- In the Private Network section, double-click your coordinator. The ViPNet Host Properties dialog box will be displayed.
- In the ViPNet Host Properties dialog box, on the Tunnel tab (see figure 3 on page 9), select the Use virtual IP addresses check box (cleared by default).

Making Test Calls

After deploying a corporate ViPNet network and configuring all coordinators, clients and tunneled hosts, make sure that Cisco IP telephony is operable. To do this:

1 Make sure that the Cisco hardware and software are set up properly.
2 Check the connection between clients and their coordinators, as well as the connections between different coordinators.
3 If a connection is not established, make sure that the access IP addresses of all ViPNet hosts are specified correctly and that all hosts have the correct connection type settings.
4 Use the ping command to make sure that tunneled hosts are accessible from clients and from tunneled hosts located in the other office. If you can't connect to tunneled hosts, make sure that tunneling has been configured correctly on the coordinators and that the tunneled hosts have the proper gateways and static routes set.
5 Make test calls from clients in the office, tunneled hosts and remote hosts.

If all the settings have been made correctly, your corporate Cisco IP telephony system is ready to use.