Basic ViPNet VPN Deployment Schemes
Supplement to ViPNet Documentation

© 1991–2015 Infotecs Americas. All rights reserved.
Version: 00121-04 90 01 ENU

This document is included in the software distribution kit and is subject to the same terms and conditions as the software itself. No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means — electronic, mechanical, recording, or otherwise — for any purpose, without the prior written consent of Infotecs Americas Inc.

ViPNet® is a registered trademark of Infotecs Americas Inc., New York, USA. All brands and product names that are trademarks or registered trademarks are the property of their owners.

Global contacts page: http://www.vipnet.com/

Contents

Introduction ... 5
  About This Document ... 6
    Audience ... 6
    Document Conventions ... 6
  Feedback ... 8
  Guidelines ... 9
  Basic ViPNet VPN Deployment Schemes ... 10
  Before You Begin ... 11
Chapter 1. Connection between a Remote Client and an Office ... 13
  Overview ... 14
  Configuring Network Structure in ViPNet Network Manager ... 15
    Creating a ViPNet Network ... 15
    Configuring a ViPNet Network ... 15
  Checking Settings on a Firewall ... 18
  Checking Settings on a Coordinator ... 19
  Checking Settings on Clients in the Office ... 20
  Checking Settings on a Remote Client ... 22
Chapter 2. Remote Client to Remote Client ... 24
  Overview ... 25
  Configuring Network Structure in ViPNet Network Manager ... 26
  Checking Settings on a Firewall and a Coordinator ... 27
  Checking Settings on a Remote Client ... 28
Chapter 3. Office to Office Connection ... 29
  Overview ... 30
  Configuring Network Structure in ViPNet Network Manager ... 31
  Checking Settings on Firewalls and Coordinators in Both Offices ... 33
  Checking Settings on Clients in Both Offices ... 34
Chapter 4. Office to Office Connection with Tunneling ... 35
  Overview ... 36
  Configuring Network Structure in ViPNet Network Manager ... 37
  Checking Settings on Firewalls and Coordinators in Both Offices ... 40
  Checking Routing Settings on Tunneled Hosts ... 42
  Checking Settings on a Remote Client ... 44
Chapter 5. Mobile Device to Office Connection ... 45
  Overview ... 46
  Configuring a Network in ViPNet Network Manager ... 48
  Configuring a Coordinator for Windows ... 50
  Verifying Settings on an External Firewall ... 52
  Configuring Mobile Devices ... 53
    Configuring an Apple Mobile Device ... 53
    Configuring an Android Mobile Device ... 53
Chapter 6. Office to Office Connection Both with the ViPNet and IPsec Technologies ... 55
  Overview ... 56
  Configuring Network in ViPNet Network Manager ... 57
  Settings Check on a Remote Gateway ... 60

Introduction
About This Document

This document is a supplement to “ViPNet VPN. User’s Guide.” It describes six basic schemes for deploying a protected ViPNet VPN network. Each scheme comes with step-by-step instructions for creating and configuring the network in ViPNet Network Manager and then checking, on your ViPNet hosts, that the settings you made in ViPNet Network Manager are correct.

Audience

This document is intended for network administrators who plan to deploy and configure ViPNet VPN virtual private networks in their organizations. You do not have to be an IT professional to read and understand this document, but you should have a general idea of computer networks, IP protocols, firewalls, tunneling, and cryptography.

Document Conventions

This document uses the following conventions.

Table 1. Document conventions
  Warning: Indicates an obligatory action or information that may be critical for continuing user operations.
  Note: Indicates a non-obligatory but desirable action or information that may be helpful for users.
  Tip: Contains additional information.

Table 2. Conventions for highlighted information
  Name: The name of an interface element, for instance the name of a window, a box, a button, or a key.
  Key+Key: Shortcut keys. To use the shortcut keys, press and hold the first key and press the other keys.
  Menu > Submenu > Command: A hierarchical sequence of elements, for instance menu items or sections in the navigation pane.
  Code: A file name, path, text file (code) fragment, or a command executed from the command line.
Feedback

Finding Additional Information

For more information about Infotecs products and technologies, see the following resources:
  ViPNet documentation web portal: http://www.vipnet.com/redir/doc_vipnet/
  Information about current Infotecs products: http://www.vipnet.com/redir/products/
  Information about Infotecs solutions: http://www.vipnet.com/redir/solutions/

Contacting Infotecs

We value any feedback from you. If you have questions concerning Infotecs products and solutions, or any suggestions, complaints or other feedback, contact us by any of the following means:
  Global contacts page: http://www.vipnet.com/
  Telephone (Germany): +49 (0) 30 206 43 66 0
  Telephone (USA): +1 (646) 589-8571

Errata

Infotecs makes every effort to ensure that there are no errors or misprints in the text of the documents supplied with ViPNet software. However, no one is perfect, and mistakes do occur. If you find an error in one of our documents, such as a spelling mistake or an inaccuracy in the description of a user scenario or a system feature, we would be grateful for your feedback. By sending in errata you may save other readers hours of frustration, and at the same time you help us provide documentation of even higher quality.

Guidelines

Work with this document as follows:

1 Choose the scheme that fits the required logical network structure (see Basic ViPNet VPN Deployment Schemes on page 10). If you want to connect two offices of your organization through a protected network, we recommend creating a single corporate ViPNet network that includes the computers of both offices. If you need to establish a secure connection between two different organizations, we recommend creating two different ViPNet networks and establishing a partner network connection between them (see “ViPNet VPN. User's Guide”, chapter 6).
Warning: In this document, we consider communication between the hosts of the head and branch offices via a single corporate ViPNet network.

2 On the ViPNet administrator's workstation, first install ViPNet Network Manager and then ViPNet Client or ViPNet Coordinator (see “ViPNet VPN. User's Guide”, chapter 2, “Deploying the ViPNet Network Administrator's Workstation”).
3 In ViPNet Network Manager, create the logical network structure according to the recommendations in this document, and then create key sets for the ViPNet hosts.
4 On the hosts that will function as coordinators, install the ViPNet Coordinator software (see “ViPNet VPN. User's Guide”, chapter 2, “Installing ViPNet Coordinator on ViPNet Network Servers”) and install the key sets created in ViPNet Network Manager.
5 On the ViPNet users' computers, including remote ones, install the ViPNet Client software (see “ViPNet VPN. User's Guide”, chapter 2, “Deploying the ViPNet Network User's Workstations”) and install the key sets created in ViPNet Network Manager.
6 Check the connections between coordinators and remote clients, between remote users, and between coordinators of different networks.
7 If a connection has not been established, follow the recommendations in this document to check the ViPNet Coordinator and ViPNet Client settings on the ViPNet hosts.

Note: To change any settings of a coordinator or a client, in ViPNet Network Manager:
  In the navigation pane, choose the ViPNet host whose settings you are going to change.
  Go through the tabs in the view pane and make the required settings.
  Create key sets, copy them to a removable drive, and manually update the keys on the ViPNet hosts.

8 Check the connection again. If the connection is still not established, the failure may be caused by a wrong firewall configuration or by incompatible software. Contact Infotecs technical support.
Basic ViPNet VPN Deployment Schemes

Below, we describe six typical network schemes you can deploy with ViPNet VPN:

1 Connection between a remote client and an office (on page 13). Follow these steps to deploy a ViPNet network and establish a protected connection between a remote user and an office. A remote user is a laptop user connecting to the Internet from different locations (home, workplace, a Wi-Fi cafe, and so on). It could also be a desktop PC in a branch office, at home, or in any other place from which a coordinator is not directly accessible.
2 Remote client to remote client (on page 24). Follow these steps to deploy a ViPNet network with two remote clients and establish a direct client-to-client connection between them.
3 Office to office connection (on page 29). Follow these steps to deploy a ViPNet network and establish a protected point-to-point connection between two ViPNet hosts located in two different offices of an organization.
4 Office to office connection with tunneling (on page 35). Follow these steps to deploy a ViPNet network and establish a protected connection between network devices located in two different offices of an organization on which the ViPNet software cannot be installed for some reason. Such hosts may be computers running Apple Mac OS, or network devices such as printers, VoIP appliances, NAS, surveillance cameras, and others.
5 Mobile device to office connection (on page 45). Follow these steps to deploy a ViPNet network and establish a connection between Apple or Android mobile users and an office.
6 Office to office connection both with the ViPNet and IPsec technologies (on page 55). Follow these steps to deploy a ViPNet network and establish a connection with another ViPNet network.
Before You Begin

Decide beforehand where you will install the ViPNet Coordinator software (those hosts will be the ViPNet network servers) and where you will install the ViPNet Client software (one of those hosts will be the ViPNet network administrator's workstation).

A coordinator must always be accessible to its clients. This means that a coordinator host must always be online with the ViPNet Coordinator software running on it, and that static port forwarding must be enabled on the firewall through which this coordinator accesses public (Internet) resources.

On the ViPNet network administrator's workstation, run the ViPNet VPN setup program and first install ViPNet Network Manager, then ViPNet Client or ViPNet Coordinator (see “ViPNet VPN. User's Guide,” chapter 2, “Deploying the ViPNet Network Administrator's Workstation”). ViPNet Network Manager allows you to create, configure and maintain a protected ViPNet network that may include hosts located in the head office, in branch offices, and on remote computers.

To establish connections between head office computers and branch office computers, partner company computers or remote users, the ViPNet network must contain at least one coordinator that is always accessible from outside by either an external (public) static IP address or a DNS name. In the first two scenarios described in this document there is only one coordinator on the network; in the office to office scenarios (the third and the fourth), the described functions are performed by the coordinator located in the head office.
If your coordinator does not have a public static IP address, use a dynamic DNS service, which maps your firewall's changing public address to a fixed DNS name (for example, the service at http://www.dynDNS.com).

Warning: Before configuring settings on ViPNet hosts, check the network parameters as described below.

Check the network parameters on the computers functioning as coordinators and on the firewalls:
  Make sure the coordinator's network interface connected to the firewall has a static local IP address.
  Make sure you know the public static IP address or the DNS name of the head office coordinator.
  Make sure the following filtering rule is configured on the firewall behind which each coordinator is located: allow all traffic incoming to the UDP port specified in the coordinator's options (55777 by default) and forward it to the coordinator's local IP address.

To learn the UDP packets encapsulation port number of your coordinators:
  o In the ViPNet Coordinator Monitor main window, on the Service menu, click Options.
  Figure 1. Viewing the UDP packets encapsulation port number
  o In the Private Network section, in the UDP packets encapsulation port box, check the specified port number.

Chapter 1. Connection between a Remote Client and an Office

Overview

This chapter describes a scheme for establishing a connection between a remote user and the head office using the ViPNet VPN software.
A remote user is a laptop user connecting to the Internet from different locations (home, workplace, a Wi-Fi cafe, and so on), or a desktop PC user working at any place from which he or she cannot connect to the coordinator directly.

Figure 2. Connection between a remote client and an office

Suppose there are a coordinator and several clients in the head office. The clients use the coordinator as a firewall. The coordinator is located behind a firewall with static NAT. Port forwarding rules (see Checking Settings on a Firewall on page 18) for the coordinator are configured on the firewall. A remote ViPNet user establishes a connection to the office over the Internet (see figure 2 on page 14).

Configuring Network Structure in ViPNet Network Manager

Creating a ViPNet Network

Create the initial ViPNet network structure using the ViPNet Network Creation Wizard (see “ViPNet VPN. User’s Guide,” chapter 3, section “Creating a ViPNet Network”):
1 Specify the required number of coordinators and clients. To implement the scheme of connecting a remote user to an office (see figure 2 on page 14), you need one coordinator.
2 Choose how your ViPNet hosts will be linked with each other.
3 Edit the created network structure and links if necessary.
4 To configure access parameters for the coordinator, select the Using a firewall Internet connection type (see the “Configuring Access to a Coordinator” section, the “Configuring Access to a Coordinator behind a Firewall” topic) and specify the firewall's IP addresses or DNS name. If you want to configure the firewall parameters later, select the Configure in ViPNet Network Manager main window option.

Note: With the ViPNet Network Creation Wizard, you may configure access parameters only for the first created coordinator (where the ViPNet administrator's workstation is registered by default).
If you need to set up access parameters for another coordinator, use the main ViPNet Network Manager window.

5 Configure random password options.
6 On the last page of the Wizard, clear the Create key sets upon completing ViPNet Network Creation Wizard check box and click Close.

Configuring a ViPNet Network

To configure ViPNet hosts:
1 In the navigation pane of the main ViPNet Network Manager window, select the coordinator to be used for communication with external hosts. Click the Access IP addresses tab.
Figure 3. Assigning an IP address for a coordinator
If you configured access options for the coordinator when creating the network (see Creating a ViPNet Network on page 15), the firewall is already configured. To add an IP address or DNS name, in the corresponding group, click Add. In the IP Address or DNS name window, enter the new IP address or DNS name and click OK.
Figure 4. Adding an IP address
2 Click the Firewall tab.
Figure 5. Configuring firewall parameters
If you configured access options for the coordinator when creating the network (see Creating a ViPNet Network on page 15), the required firewall parameters are already specified. Otherwise:
  o Select the Use firewall check box.
  o In the Firewall type list, select With static address translation.
3 In the navigation pane, choose the client. Open the Links tab and make sure that the list includes all ViPNet hosts this client should communicate with.
4 On the Tools menu, select Keys, and then click Save Key Sets. Copy the created key sets to a removable drive and use them to install the ViPNet keys on the coordinator and clients.
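The checks listed in Before You Begin and the access parameters configured above (a public address or DNS name by which the firewall in front of the coordinator is reached, a static LAN address on the coordinator itself, a firewall type of static address translation, and a UDP forwarding rule whose port matches the coordinator's UDP packets encapsulation port) can be rehearsed before anything is typed into the GUI or the firewall. The following Python script is an added example written for this supplement; it is not part of ViPNet and not Infotecs code. The class and function names, the public address 203.0.113.10, the host name vpn.example.com, the interface name eth0 and the Linux/iptables form of the forwarding rule are assumptions of the example; 192.168.134.11 is the LAN address this document uses for coordinator A in chapter 3.

```python
"""Pre-flight check for a ViPNet coordinator behind a static-NAT firewall.

Added example, not ViPNet code. It restates the text's manual checks as code:
the remote client needs the firewall's PUBLIC address (or a DNS name), the
coordinator itself sits on a static private LAN address, and the firewall must
forward the coordinator's UDP encapsulation port (55777 by default) to that
LAN address. Every address and name in the demo at the bottom is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

VIPNET_DEFAULT_UDP_PORT = 55777
# RFC 1918 ranges: where a coordinator behind NAT is expected to live.
_LAN_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges a client on the Internet can never use to reach the firewall. RFC 5737
# documentation ranges are deliberately not listed, so the demo below runs offline.
_NON_PUBLIC_V4 = _LAN_V4 + [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # RFC 1123 host name label


@dataclass
class ForwardRule:
    """One port-forwarding (DNAT) rule on the firewall in front of the coordinator."""
    proto: str
    public_port: int
    target_ip: str
    target_port: int


@dataclass
class CoordinatorAccess:
    """What a remote client sees in ViPNet Host Properties for its coordinator."""
    real_ip: str                                         # IP Addresses tab, Real IP addresses
    access_ips: List[str] = field(default_factory=list)  # Firewall tab, Access IP addresses
    dns_names: List[str] = field(default_factory=list)   # Use DNS name / DNS name list
    udp_port: int = VIPNET_DEFAULT_UDP_PORT              # Coordinator Monitor > Options
    forward_rules: List[ForwardRule] = field(default_factory=list)  # as set on the firewall


def is_public_ipv4(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)  # raises ValueError on junk
    return addr.version == 4 and not any(addr in net for net in _NON_PUBLIC_V4)


def is_valid_dns_name(name: str) -> bool:
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_DNS_LABEL.match(label) for label in labels)


def check_coordinator_access(cfg: CoordinatorAccess) -> List[str]:
    """Return human-readable findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    if not 1 <= cfg.udp_port <= 65535:
        findings.append(f"UDP encapsulation port {cfg.udp_port} is out of range")
    try:
        real = ipaddress.ip_address(cfg.real_ip)
    except ValueError:
        return findings + [f"real IP {cfg.real_ip!r} is not an IP address"]
    if not any(real in net for net in _LAN_V4):
        findings.append(f"real IP {cfg.real_ip} is not a private LAN address (expected behind static NAT)")
    if not cfg.access_ips and not cfg.dns_names:
        findings.append("no access IP address or DNS name: remote clients cannot reach the firewall")
    for ip in cfg.access_ips:
        try:
            public = is_public_ipv4(ip)
        except ValueError:
            findings.append(f"access IP {ip!r} is not an IP address")
            continue
        if not public:
            findings.append(f"access IP {ip} is not publicly routable; give the firewall's public address")
    for name in cfg.dns_names:
        if not is_valid_dns_name(name):
            findings.append(f"DNS name {name!r} is not a valid host name")
    if not any(r.proto.lower() == "udp" and r.public_port == cfg.udp_port
               and r.target_ip == cfg.real_ip and r.target_port == cfg.udp_port
               for r in cfg.forward_rules):
        findings.append(f"no firewall rule forwards UDP/{cfg.udp_port} to {cfg.real_ip}:{cfg.udp_port}; "
                        "the port in Coordinator Monitor and in the forwarding rule must match")
    return findings


def iptables_forwarding_rules(wan_if: str, cfg: CoordinatorAccess) -> List[str]:
    """The page's forwarding rule for a Linux/iptables NAT box (an assumption of this
    example): DNAT the encapsulation port arriving on the WAN interface to the coordinator
    and let it through FORWARD both ways. The box's existing SNAT/MASQUERADE handles replies."""
    p = cfg.udp_port
    return [
        f"iptables -t nat -A PREROUTING -i {wan_if} -p udp --dport {p} -j DNAT --to-destination {cfg.real_ip}:{p}",
        f"iptables -A FORWARD -i {wan_if} -p udp -d {cfg.real_ip} --dport {p} -j ACCEPT",
        f"iptables -A FORWARD -o {wan_if} -p udp -s {cfg.real_ip} --sport {p} -j ACCEPT",
    ]


if __name__ == "__main__":  # constructed demo; 192.168.134.11 is the text's coordinator A address
    ok = CoordinatorAccess("192.168.134.11", ["203.0.113.10"], ["vpn.example.com"],
                           forward_rules=[ForwardRule("udp", 55777, "192.168.134.11", 55777)])
    print(check_coordinator_access(ok) or "OK")
    print("\n".join(iptables_forwarding_rules("eth0", ok)))
```

Feed check_coordinator_access the values you read from the remote client's ViPNet Host Properties dialog (real IP, access IP addresses, DNS name), from the coordinator's Options dialog (UDP packets encapsulation port) and from the firewall's forwarding table; an empty result means the three places agree. The most common mistake it catches is the one the text warns about: entering the firewall's LAN-side address (or the coordinator's own 192.168.x address) as the access address, which a client on the Internet cannot route to. RFC 5737 documentation ranges are treated as public only so the example runs offline; the stricter is_global property of the ipaddress module would reject them.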
Checking Settings on a Firewall

We recommend that the firewall (or other NAT device) have a static public IP address. If it does not, use a dynamic DNS service, which maps the firewall's changing public address to a fixed DNS name (for example, the service at http://www.dynDNS.com).

On the firewall, configure the following rules:
1 Specify the UDP access port to be used for exchanging protected traffic with any networks.
Note: By default, the ViPNet software uses port number 55777, but you can change it if needed.
2 Create the following port forwarding rule for incoming and outgoing UDP traffic: allow any UDP traffic incoming to the specified port and forward it to the corresponding coordinator. Limit the rule to UDP and to that one port; do not place the coordinator in a DMZ that exposes all of its ports.

Checking Settings on a Coordinator

Make sure the coordinator has been configured correctly:
1 In the main window of the ViPNet Coordinator program, on the Service menu, click Options. The Options dialog box is displayed.
Figure 6. Checking settings on a coordinator
2 Make sure that, in the Private Network section, the Use external firewall check box is selected.
3 Make sure that, in the Firewall type list, With static NAT is selected.
4 Make sure that, in the UDP packets encapsulation port box, the port number is the same as the one used in the port forwarding rule on the firewall.

Checking Settings on Clients in the Office

To check settings on clients located in the office:
1 In the ViPNet Client Monitor program, log on as an administrator.
2 On the Tools menu, click Options. The Options dialog box is displayed.
3 In the Options dialog box, make sure that, in the Private Network section, a coordinator installed in the office is selected as the coordinator for connections.
Figure 7. Private network settings
4 Click OK.
5 In the navigation pane of the main ViPNet Client window, select the Private Network section.
6 In the Private Network section, in the hosts list, double-click the coordinator chosen as this client's coordinator for connections. The ViPNet Host Properties dialog box is displayed.
7 In the ViPNet Host Properties dialog box, click the IP Addresses tab.
Figure 8. Viewing coordinator's IP addresses
8 Make sure that, in the IP Addresses list, in the Real IP addresses column, the correct address of the coordinator is specified. If DNS names are used, make sure that the Use DNS name check box is selected and that the DNS name list contains the correct DNS name of the coordinator.
9 Check the connection to the coordinator. To do this, in the Private Network section, select the coordinator and, on the toolbar, click Connection or press F5.

Checking Settings on a Remote Client

To check settings on a remote client:
1 In the ViPNet Client Monitor program, log on as an administrator.
2 On the Tools menu, click Options. The Options dialog box is displayed.
3 In the Options dialog box, make sure that, in the Private Network section, a coordinator installed in the office is selected as the coordinator for connections.
4 Click OK.
5 In the navigation pane of the main ViPNet Client window, select the Private Network section.
6 In the Private Network section, in the hosts list, double-click the coordinator chosen as this client's coordinator for connections. The ViPNet Host Properties dialog box is displayed.
7 In the ViPNet Host Properties dialog box, click the Firewall tab.
Figure 9. Access IP addresses
8 In the Access IP addresses list, the public IP address of the firewall behind which the coordinator is installed must be specified. If the firewall has no static public IP address, verify its DNS name instead (see step 10).
9 In the ViPNet Host Properties dialog box, click the IP Addresses tab (see figure 8 on page 21).
10 Make sure that, in the IP Addresses list, in the Real IP addresses column, the correct address of the coordinator is specified. If DNS names are used, make sure that the Use DNS name check box is selected and that the DNS name list contains the correct DNS name of the firewall behind which the coordinator is installed.
11 Check the connection to the coordinator. To do this, in the Private Network section, select the coordinator and, on the toolbar, click Connection or press F5.

If all the settings have been configured correctly, the connection between the remote client and the head office will be established.

Chapter 2. Remote Client to Remote Client

Overview

This chapter describes a scheme for establishing a connection between two remote users using the ViPNet VPN software.

Figure 10. Remote client to remote client connection

This scheme has much in common with the previous one (see Connection between a Remote Client and an Office on page 13). Suppose there are a coordinator and several clients in the head office. The coordinator is installed behind a firewall with static NAT. Port forwarding rules (see Checking Settings on a Firewall on page 18) for the coordinator are configured on the firewall. A remote ViPNet user and a home ViPNet user establish connections with each other and with the office over the Internet.
Configuring Network Structure in ViPNet Network Manager

First, create the required ViPNet network structure, as described in Creating a ViPNet Network (on page 15). To implement the above-described scheme (see figure 10 on page 25), create one coordinator, the required number of clients that will work in the office, and two more clients that will work remotely.

To configure the created network structure, in ViPNet Network Manager:
1 In the navigation pane of the main ViPNet Network Manager window, select the coordinator to be used for communication with external hosts. Open the Access IP addresses tab (see figure 3 on page 16). If you configured access options for the coordinator when creating the network (see Creating a ViPNet Network on page 15), the IP address of the coordinator is already specified. If you did not, in the IP addresses group, click Add; in the IP Address window, enter the coordinator's address and click OK. If the firewall is accessible from the Internet by a DNS name (for example, a dynamic DNS service is used), in the DNS names group, click Add and type the DNS name of the firewall.
2 Click the Firewall tab (see figure 5 on page 17). If you configured access options for the coordinator when creating the network (see Creating a ViPNet Network on page 15), the firewall parameters are already specified. Otherwise:
  o Select the Use firewall check box.
  o In the Firewall type list, select With static address translation.
3 In the navigation pane, choose one of the remote clients. Open the Links tab and make sure that the list includes all ViPNet hosts this client should communicate with.
4 Repeat step 3 for the other remote client.
5 On the Tools menu, select Keys, and then click Save Key Sets. Copy the created key sets to a removable drive and use them to install the ViPNet keys on the coordinator and clients.
Checking Settings on a Firewall and a Coordinator

Make sure that the firewall has a static public IP address or a DNS name provided by a dynamic DNS service. Port forwarding rules (see Checking Settings on a Firewall on page 18) must be configured on the firewall. On the computer that functions as the coordinator, check the ViPNet Monitor settings (see Checking Settings on a Coordinator on page 19).

Checking Settings on a Remote Client

Note: All remote clients of the ViPNet network should be configured as follows.

To check settings on a remote client:
1 In the ViPNet Client Monitor program, log on as an administrator.
2 On the Service menu, click Options. The Options dialog box is displayed.
3 In the Options dialog box, make sure that, in the Private Network section (see figure 7 on page 20), a coordinator installed in the office is selected as the coordinator for connections.
4 Click OK.
5 In the navigation pane of the main ViPNet Client window, select the Private Network section.
6 In the Private Network section, in the hosts list, double-click the coordinator chosen as this client's coordinator for connections. The ViPNet Host Properties dialog box is displayed.
7 In the ViPNet Host Properties dialog box, click the Firewall tab (see figure 9 on page 22).
8 In the Access IP addresses table, check that the public IP address of the firewall behind which the coordinator is located is specified. If the firewall has no static public IP address, verify its DNS name instead (see step 10).
9 In the ViPNet Host Properties dialog box, click the IP Addresses tab (see figure 8 on page 21).
10 Make sure that, in the IP Addresses list, in the Real IP addresses column, the correct address of the coordinator is specified.
If DNS names are used, make sure that the Use DNS name check box is selected and, in the DNS name list, the correct DNS name of the firewall behind which coordinator A is installed is specified. 11 Make sure that, in the Private Network section, the other remote user and other ViPNet hosts your client should communicate with are included in the hosts list. 12 Check connection to the office coordinator and the other remote client. To do this, in the Private Network section, select the required ViPNet host and, on the toolbar, click Connection or press F5. If all the settings have been configured correctly, connection between remote clients with each other and between remote clients and the head office will be established. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation | 28 3 Office to Office Connection Overview 30 Configuring Network Structure in ViPNet Network Manager 31 Checking Settings on Firewalls and Coordinators in Both Offices 33 Checking Settings on Clients in Both Offices 34 Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation | 29 Overview This chapter describes a scheme of establishing protected connection between the head office and the branch office using the ViPNet VPN software. Figure 11. Office to office connection Suppose there are two offices in an organization: head and branch. A corporate ViPNet network includes hosts in both offices. Coordinator A located in the head office and Coordinator B located in the branch office establish a protected connection to each other over the Internet. Coordinator A is located behind a firewall on which a static port forwarding rule is configured for protected traffic exchange. Coordinator B is located behind a firewall with no specially configured settings for protected traffic exchange. Clients in the head office (one of them functions as a ViPNet network administrator's workstation) use coordinator A as a firewall. 
Clients in the branch office use coordinator B as a firewall. Only one office (in our example, the head office) has to be accessible from the outside, either by a public static IP address or by a DNS name (see Before You Begin on page 11).

Configuring Network Structure in ViPNet Network Manager

First, create the required ViPNet network structure, as described in Creating a ViPNet Network (on page 15). To implement the scheme described above (see the figure on page 30), create two coordinators. On coordinator A, register the clients intended to be installed in the head office. On coordinator B, register the clients intended to be installed in the branch office.

In ViPNet Network Manager, configure each coordinator:

1. In the main ViPNet Network Manager window, in the navigation pane, select coordinator A and click the Access IP addresses tab.

Figure 12. Assigning an IP address for a coordinator

If you configured access options for the coordinator when creating the network (see Creating a ViPNet Network on page 15), the IP address of the coordinator is already specified. If you did not specify the IP address, in the IP addresses group, click Add. In the IP Address window, type the IP address of coordinator A (in this example, 192.168.134.11) and click OK. If coordinator A is accessed from the Internet by its DNS name (for example, the dynDNS service is used), in the DNS names group, click Add and type the DNS name of the coordinator.

2. Click the Firewall tab. If you configured access options for coordinator A when creating the network (see Creating a ViPNet Network on page 15), the firewall parameters are already specified. Otherwise, follow the steps below:
   o Select the Use firewall check box.
   o In the Firewall type list, select With static address translation.
3. In the navigation pane of the main ViPNet Network Manager window, select coordinator B, open the Access IP addresses tab and, in the IP addresses group, click Add. In the IP Address window, type the local IP address of coordinator B (in this example, 192.168.187.19) and click OK.
4. Click the Firewall tab:
   o Select the Use firewall check box.
   o In the Firewall type list, select With dynamic address translation.
   o In the Coordinator to manage connections with external hosts list, select coordinator A.
   o Make sure that the Direct all VPN traffic with external hosts through the coordinator check box is cleared.
5. On the Tools menu, select Keys, and then click Save Key Sets. Copy the created key sets to a removable drive and use them to install the ViPNet keys on the coordinators and clients.

Checking Settings on Firewalls and Coordinators in Both Offices

Make sure that the head office firewall is accessible by a static public IP address or by a DNS name provided by a dynamic DNS service. On this firewall, a port forwarding rule (see Checking Settings on a Firewall on page 18) must be configured for the local IP address of coordinator A (UDP, port 55777). On the branch office firewall, no additional settings are required.

To make sure both coordinators are configured correctly, on each coordinator:

1. In the ViPNet Coordinator main window, on the Service menu, click Options.
2. Make sure that, in the Private Network section, the Use external firewall check box is selected.
3. Make sure that, in the Firewall type list, With static address translation is selected on coordinator A and With dynamic address translation is selected on coordinator B.
4. Make sure that, on coordinator A, in the UDP packets encapsulation port box, the same port number is specified as in the port forwarding rule on the firewall.
5. Make sure that, on coordinator B, in the Connection server list, coordinator A is selected.
6. On coordinator B, in the navigation pane of the main ViPNet Coordinator window, select Private Network.
7. In the view pane of the Private Network section, double-click coordinator A. The ViPNet Host Properties dialog box will be displayed.
8. If coordinator A is accessible by a static public IP address:
   8.1. In the ViPNet Host Properties dialog box, click the Firewall tab (see the figure on page 22).
   8.2. In the Access IP addresses list, the static public IP address of the firewall behind which the coordinator of the other office is installed must be specified (in this example, 129.48.161.19).
9. If the head office firewall does not have a static public IP address, make sure that the firewall's DNS name is specified. In the ViPNet Host Properties dialog box, click the IP Addresses tab (see the figure on page 21). Make sure that the Use DNS name check box is selected and, in the DNS name list, the correct DNS name of the firewall behind which the coordinator of the other office is installed is specified.
10. On coordinator B, check the connection to coordinator A. To do this, in the Private Network section, select coordinator A and, on the toolbar, click Connection or press F5.

If all the settings have been configured correctly, the connection between the coordinators of the head and branch offices will be established.

Checking Settings on Clients in Both Offices

Note: You should check the settings on every client in the head and branch offices as follows.

To check the settings on a client:

1. In the ViPNet Client Monitor program, log on as an administrator.
2. On the Tools menu, click Options. The Options dialog box will be displayed.
3. In the Options dialog box, make sure that, in the Private Network section (see the figure on page 20), a coordinator installed in the office is selected as the coordinator for connections.
4. Click OK.
5. In the navigation pane of the main ViPNet Client window, select the Private Network section.
6. In the Private Network section, in the hosts list, double-click the coordinator chosen as this client's coordinator for connections. The ViPNet Host Properties dialog box will be displayed.
7. In the ViPNet Host Properties dialog box, click the IP Addresses tab (see the figure on page 21).
8. Make sure that, in the IP Addresses list, in the Real IP addresses column, the correct address of the coordinator is specified (in the head office: 192.168.134.11; in the branch office: 192.168.87.19).
9. Check the connection to the coordinator of the office where this client is installed. To do this, in the Private Network section, select the coordinator and, on the toolbar, click Connection or press F5.
10. Check the connection to any ViPNet host in the other office.

If all the settings have been configured correctly, the connection between the head office and the branch office will be established. If there is no connection, the problem may be in the firewall or in some incompatible software. Contact Infotecs technical support.

Chapter 4. Office to Office Connection with Tunneling
Contents:
Overview (page 36)
Configuring Network Structure in ViPNet Network Manager (page 37)
Checking Settings on Firewalls and Coordinators in Both Offices (page 40)
Checking Routing Settings on Tunneled Hosts (page 42)
Checking Settings on a Remote Client (page 44)

Overview

This chapter describes a scheme for establishing a protected connection between the head office and a branch office using the ViPNet VPN software together with tunneling.
Tunneling is a method of protecting traffic that passes through unprotected communication channels. IP packets travel unencrypted between a tunneled host and its coordinator, and encrypted between the coordinator and other ViPNet hosts. A tunneled host is a network host without ViPNet software installed that should be accessible from an external network through a coordinator over a protected communication channel. It may be any device connected to the network that has an IP address: an Apple PC, a network printer, a Network Attached Storage (NAS) device, a VoIP device, IP-based manufacturing equipment, and so on.

Figure 13. Office to office connection with tunneling

Suppose there are two offices in an organization: head and branch. The corporate ViPNet network includes two coordinators, a network control center (the ViPNet Network Manager host), and a remote ViPNet host. Coordinator A, located in the head office, and coordinator B, located in the branch office, establish a protected connection to each other over the Internet. Coordinator A is located behind a firewall on which a static port forwarding rule is configured for protected traffic exchange. Coordinator B is located behind a firewall where no special settings for protected traffic exchange have been made. Coordinator A tunnels several unprotected computers and network devices (without ViPNet software installed) located in the head office. Coordinator B tunnels several unprotected computers and network devices in the branch office. The remote client establishes connections to tunneled hosts in both offices.

Configuring Network Structure in ViPNet Network Manager

First, create the required ViPNet network structure as described in chapter 1 (see Creating a ViPNet Network on page 15). To implement the scheme described above (see the figure on page 36), create two coordinators and two clients (a ViPNet network administrator's workstation and a remote ViPNet host).
Note: You may create more clients if you need more protected hosts in the offices or remotely.

In ViPNet Network Manager, configure each coordinator:

1. In the main ViPNet Network Manager window, in the navigation pane, select coordinator A and click the Access IP addresses tab (see the figure on page 31). If you configured access options for coordinator A when creating the network (see Creating a ViPNet Network on page 15), the IP address of the network adapter directly connected to the firewall is already specified. To assign an IP address, under IP addresses, click Add. In the IP Address window, type the local IP address of the coordinator and click OK. If the coordinator is accessible from the Internet by a DNS name (for example, the dynDNS service is used), under DNS names, click Add. Then specify the coordinator's DNS name.
2. Click the Firewall tab (see the figure on page 17). If you configured access options for coordinator A when creating the network (see Creating a ViPNet Network on page 15), the firewall parameters are already specified. Otherwise, follow the steps below:
   o Select the Use firewall check box.
   o In the Firewall type list, select With static address translation.
3. In the navigation pane of the main ViPNet Network Manager window, select coordinator B. Then click the Access IP addresses tab and click Add. In the IP Address window, type the local IP address of the coordinator and click OK.
4. Click the Firewall tab:
   o Select the Use firewall check box.
   o In the Firewall type list, select With dynamic address translation.
   o In the Coordinator for incoming traffic list, select coordinator A.
   o Make sure that the Direct all VPN traffic with external hosts through the coordinator check box is cleared.

For each coordinator:

5. Click the Tunnel tab.

Figure 14. Specifying IP addresses of tunneled hosts

   o On the Tunnel tab, specify the IP addresses of the computers and network devices to be tunneled by this coordinator. We recommend that a coordinator and its tunneled hosts be located in the same network segment.

Note: For our recommendations on the case where a coordinator and its tunneled hosts are placed in different network segments, see the document "Common Scenarios of ViPNet VPN Administering. Supplement to ViPNet Documentation."

To specify an IP address:
   o Click Add. The IP Address or Range window will be displayed.
   o If you want to add a single tunneled IP address, select IP address and type the required IP address in the box.
   o If you want to add a range of tunneled IP addresses, select Range and type the starting and ending IP addresses of the range in the boxes.
   o Click OK.

To configure a remote client:

1. In the navigation pane, select the client that is intended to be used remotely.
2. Open the Links tab and make sure that the list includes all ViPNet hosts this client should communicate with. Links with tunneled hosts are always allowed; these hosts are not listed.

On the Tools menu, select Keys, and then click Save Key Sets. Copy the created key sets to a removable drive and use them to install the ViPNet keys on the coordinators and clients.

Checking Settings on Firewalls and Coordinators in Both Offices

Make sure that the head office firewall is accessible by a static public IP address or by a DNS name provided by a dynamic DNS service. On this firewall, a port forwarding rule (see Checking Settings on a Firewall on page 18) must be configured for the local IP address of coordinator A (UDP, port 55777). On the branch office firewall, no additional settings are required.
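The following is an added Python example, not code from the ViPNet documentation or product, that covers the Tunnel tab step above and the static-route procedure in Checking Routing Settings on Tunneled Hosts later in this chapter: it expands the tunneled entries of both coordinators, flags entries outside the coordinator's own segment, detects the overlap that requires the Use virtual IP addresses check box, and builds and verifies the persistent route. The coordinator addresses and the 11.0.0.0 virtual network are the guide's; the tunneled ranges and the route print excerpt are constructed.

```python
"""Planning checks for tunneled hosts in the two-office scheme.

Added example; not from the ViPNet documentation or product. It models the
entries of each coordinator's Tunnel tab and checks:
  - that every tunneled address lies in the coordinator's own segment;
  - whether the two offices' tunneled ranges overlap (then Use virtual IP
    addresses must be selected on the Tunnel tab);
  - the persistent Windows static route for a tunneled host that cannot use
    its coordinator as default gateway, and whether 'route print' shows it.
Ranges and the route print excerpt below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Coordinator:
    name: str
    local_ip: str       # LAN-side address (Real IP addresses column)
    prefix_len: int     # mask length of that LAN segment
    tunneled: list = field(default_factory=list)  # "a.b.c.d" or "a.b.c.d-a.b.c.e"


def expand_ranges(entries):
    """Convert Tunnel-tab entries (single address or start-end range) into
    IPv4Network objects that cover exactly those hosts."""
    nets = []
    for entry in entries:
        if "-" in entry:
            start, end = (ipaddress.IPv4Address(s.strip()) for s in entry.split("-", 1))
            if end < start:
                raise ValueError(f"range end precedes start: {entry}")
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.IPv4Network(entry.strip()))  # a /32 host
    return nets


def outside_own_segment(coord):
    """Tunneled networks that are not inside the coordinator's LAN segment."""
    segment = ipaddress.IPv4Network(f"{coord.local_ip}/{coord.prefix_len}", strict=False)
    return [str(n) for n in expand_ranges(coord.tunneled) if not n.subnet_of(segment)]


def overlapping_ranges(coord_a, coord_b):
    """Pairs of tunneled networks that collide between the two offices."""
    return [(str(x), str(y))
            for x in expand_ranges(coord_a.tunneled)
            for y in expand_ranges(coord_b.tunneled)
            if x.overlaps(y)]


def needs_virtual_addresses(coord_a, coord_b):
    """True when Use virtual IP addresses must be selected on the Tunnel tab."""
    return bool(overlapping_ranges(coord_a, coord_b))


def static_route_command(virtual_network, gateway_coord):
    """The guide's 'route add ... -p' line for the network shown in the
    Virtual IP addresses column, via the local coordinator."""
    net = ipaddress.IPv4Network(virtual_network)
    return f"route add {net.network_address} mask {net.netmask} {gateway_coord.local_ip} -p"


def persistent_route_present(route_print_output, virtual_network, gateway_coord):
    """Parse the Persistent Routes table of Windows 'route print' output and
    report whether the route built by static_route_command() is installed."""
    net = ipaddress.IPv4Network(virtual_network)
    in_table = False
    for line in route_print_output.splitlines():
        if line.strip().startswith("Persistent Routes:"):
            in_table = True
            continue
        fields = line.split()
        if in_table and len(fields) == 4 and fields[:3] == [
                str(net.network_address), str(net.netmask), gateway_coord.local_ip]:
            return True
    return False


# Constructed sample data for the two offices (addresses from the guide).
COORD_A = Coordinator("coordinator A (head office)", "192.168.134.11", 24,
                      ["192.168.134.20-192.168.134.40", "10.0.5.7"])
COORD_B = Coordinator("coordinator B (branch office)", "192.168.1.1", 24,
                      ["192.168.1.10-192.168.1.20"])
# A branch plan that reused the head office addressing: tunneled ranges clash.
COORD_B_CLASH = Coordinator("coordinator B (clashing plan)", "192.168.134.1", 24,
                            ["192.168.134.30-192.168.134.35"])
# Constructed 'route print' excerpt from a branch host after the guide's command.
ROUTE_PRINT_SAMPLE = """\
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         11.0.0.0        255.0.0.0      192.168.1.1       1
"""

if __name__ == "__main__":
    print("outside own segment on A:", outside_own_segment(COORD_A))
    print("virtual addresses needed (A, B):", needs_virtual_addresses(COORD_A, COORD_B))
    print("clashing ranges (A, B clash):", overlapping_ranges(COORD_A, COORD_B_CLASH))
    print(static_route_command("11.0.0.0/8", COORD_B))
    print("route installed:", persistent_route_present(ROUTE_PRINT_SAMPLE, "11.0.0.0/8", COORD_B))
```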
To make sure both coordinators are configured correctly, on each coordinator:

1. In the main window of the ViPNet Coordinator program, on the Service menu, click Options.
2. Make sure that, in the Private Network section, the Use external firewall check box is selected.
3. Make sure that, in the Firewall type list, With static address translation is selected on coordinator A and With dynamic address translation is selected on coordinator B.
4. Make sure that, on coordinator A, in the UDP packets encapsulation port box, the same port number is specified as in the port forwarding rule on the firewall.
5. Make sure that, on coordinator B, in the Connection server list, coordinator A is selected.
6. For each coordinator: in the Options dialog box, select Tunneling.

Figure 15. Checking tunneled IP addresses

Check the tunneled hosts' IP addresses. A coordinator and its tunneled hosts must be located in the same subnetwork.

7. On coordinator B, in the navigation pane of the main ViPNet Coordinator window, select Private Network.
8. In the view pane of the Private Network section, double-click coordinator A. The ViPNet Host Properties dialog box will be displayed.
9. If coordinator A is accessible by a static public IP address:
   o In the ViPNet Host Properties dialog box, click the Firewall tab (see the figure on page 22).
   o In the Access IP addresses list, the firewall's static public IP address must be specified.
10. If the head office firewall does not have a static public IP address, make sure that the firewall's DNS name is specified. In the ViPNet Host Properties dialog box, click the IP Addresses tab (see the figure on page 21). Make sure that the Use DNS name check box is selected and, in the DNS name list, the correct DNS name of the firewall behind which the coordinator of the other office is installed is specified.
11. In the ViPNet Host Properties dialog box, click the Tunnel tab.

Figure 16. Checking IP addresses tunneled by the other coordinator

Make sure that, on the Tunnel tab, the Use IP addresses for tunneling check box is selected and the IP addresses tunneled by the other coordinator are specified. If the same IP address ranges are used in the head and branch offices, select the Use virtual IP addresses check box. This avoids IP address conflicts.

12. On coordinator B, check the connection to coordinator A. To do this, in the Private Network section, select coordinator A and, on the toolbar, click Connection or press F5.

If all the settings have been configured correctly, the connection between the coordinators of the head and branch offices will be established.

Checking Routing Settings on Tunneled Hosts

We recommend that each tunneled host use its tunneling coordinator as its default gateway. In this case, no additional routing settings are required. On hosts where you cannot set the coordinator as the default gateway, add static routes that forward all traffic to be tunneled to the branch office through the coordinator.

Figure 17. Viewing a virtual address

To add a static route, in the Windows Command Prompt, enter the following command:

route add <destination IP address> mask <subnet mask> <gateway> -p

where:
   <destination IP address> is the virtual IP address of the destination subnetwork;
   <subnet mask> is the destination subnet mask;
   <gateway> is the coordinator's local IP address;
   -p specifies that the route is persistent and is kept after each reboot.

To learn the destination subnetwork IP address:

1. On the coordinator installed in the tunneled host's LAN, in the main ViPNet Coordinator Monitor window, click Private Network.
2. In the list of ViPNet hosts, double-click the coordinator of the other office. The ViPNet Host Properties dialog box will be displayed.
3. Click the Tunnel tab and make sure that the Use virtual IP addresses check box is selected. Use the network addresses displayed in the Virtual IP addresses column to set a static route (in our example, network 11).

For example, suppose a tunneled host in the branch office should connect to tunneled hosts in the head office. The tunneled hosts of the head office are accessible by virtual IP addresses that belong to the 11.0.0.0 network (see the figure on page 42). The local IP address of the branch office coordinator is 192.168.1.1. To set a static route on the branch office host, use the following command:

route add 11.0.0.0 mask 255.0.0.0 192.168.1.1 -p

Checking Settings on a Remote Client

To check the settings on a remote client:

1. In the ViPNet Client Monitor program, log on as an administrator.
2. On the Tools menu, click Options. The Options dialog box will be displayed.
3. In the Options dialog box, make sure that, in the Private Network section (see the figure on page 20), a coordinator installed in the office is selected as the coordinator for connections.
4. Click OK.
5. In the navigation pane of the main ViPNet Client window, select the Private Network section.
6. In the view pane of the Private Network section, double-click coordinator A. The ViPNet Host Properties dialog box will be displayed.
7. In the ViPNet Host Properties dialog box, click the Firewall tab (see the figure on page 22).
8. In the Access IP addresses list, the static public IP address of the firewall behind which coordinator A is installed must be specified. If the firewall has no static public IP address, verify its DNS name (step 10).
9. In the ViPNet Host Properties dialog box, click the IP Addresses tab (see the figure on page 21).
10. Make sure that, in the IP addresses list, in the Real IP addresses column, the correct local address of coordinator A is specified. If DNS names are used, make sure that the Use DNS name check box is selected and, in the DNS name list, the correct DNS name of the firewall behind which coordinator A is installed is specified.
11. In the ViPNet Host Properties dialog box, click the Tunnel tab (see the figure on page 41). Make sure that the Use IP addresses for tunneling check box is selected and the IP addresses tunneled by coordinator A are specified.
12. In the view pane of the Private Network section, double-click coordinator B. In the ViPNet Host Properties dialog box, click the Tunnel tab. Make sure that the Use IP addresses for tunneling check box is selected and the IP addresses tunneled by this coordinator are specified.
13. Check the connection to each coordinator. To do this, in the Private Network section, select the coordinator and, on the toolbar, click Check connection or press F5.
14. Try to connect to a tunneled host using its IP address (for example, by running the ping command).

If all the settings have been configured correctly, connections between the remote client and the tunneled hosts will be established. If there is no connection, the problem may be in the firewall or in some incompatible software. Contact Infotecs technical support.

Chapter 5. Mobile Device to Office Connection
Contents:
Overview (page 46)
Configuring a Network in ViPNet Network Manager (page 48)
Configuring a Coordinator for Windows (page 50)
Verifying Settings on an External Firewall (page 52)
Configuring Mobile Devices (page 53)

Overview

This chapter describes a connection scheme within a ViPNet VPN network in which Apple and Android device users establish connections to the office.

Figure 18. Connection between office and mobile devices

Your mobile device connects to a protected ViPNet host through a coordinator functioning as an IPsec-ViPNet gateway.
The mobile device establishes a connection to the coordinator over the IPsec protocol, so there is a protected tunnel from the device to the coordinator. On the coordinator, an IP address from the specified range (in the scheme, 10.0.0.5) is assigned to the mobile device. The coordinator is configured to tunnel the range of IP addresses assigned to IPsec hosts (mobile devices) using the ViPNet technology. Thus, an IPsec host is accessible to ViPNet hosts either by the address the coordinator has assigned to it (10.0.0.5 in the scheme) or by the corresponding virtual IP address of the tunneled host. ViPNet hosts are accessible to the IPsec host by their visibility addresses on the coordinator (in the scheme, the visibility address is 192.168.2.10). When IPsec and ViPNet hosts communicate as described in the scheme, no advanced route setup is required.

IP packets are transferred as follows. IP packets from mobile devices are sent over the IPsec protocol. On the coordinator, the packets are decrypted; then the ViPNet driver encrypts them again, and the coordinator forwards them to the destination host in the ViPNet network. Response IP packets are transferred in the same way.

The coordinator functioning as an IPsec server should meet the following requirements:

   o Use a coordinator of one of the two following types:
     o a ViPNet Coordinator HW/VA coordinator;
     o ViPNet Coordinator for Windows deployed on a computer running the Windows Server 2008 R2 operating system.

Note: An IPsec gateway can also be implemented on a computer running the Windows Server 2003 operating system. However, in this document, we cover configuration of an IPsec gateway only for Windows Server 2008 R2. For help on configuring an IPsec gateway for Windows Server 2003, contact Infotecs technical support (see Feedback on page 8).
   o The coordinator must be accessible on the Internet by its IP address or DNS name (the name can be registered with a dynamic DNS service).

Configuring a Network in ViPNet Network Manager

First, create the required ViPNet network structure, as described in Creating a ViPNet Network (on page 15). To implement this scheme, you need a network with a coordinator, clients, and mobile clients.

This section describes the general workflow for configuring an IPsec gateway deployed on a coordinator running Windows or on a ViPNet Coordinator HW/VA coordinator. We recommend using a ViPNet Coordinator HW/VA coordinator because it requires fewer settings. You can configure a ViPNet Coordinator HW/VA host in ViPNet Network Manager only if your ViPNet Network Manager license allows it.

In ViPNet Network Manager, make the following settings (for more information, see the document "ViPNet VPN. User's Guide", the chapter "Configuring IPsec Connection to Mobile Devices and Other Networks"):

1. Choose or create a coordinator (ViPNet Coordinator for Windows or ViPNet Coordinator HW/VA) that will function as an IPsec gateway.
2. On the IPsec connection tab, configure the IPsec connection to the coordinator.

Figure 19. Configuring IPsec connection parameters

3. If you want to provide mobile devices with access to ViPNet hosts, specify the range of tunneled IP addresses for the mobile clients.
4. Add a mobile client to the coordinator and, on the Profile tab, configure an IPsec profile for the mobile client. Though only the iOS option is available in the Mobile client type list, you should make the other settings even if the mobile device you are connecting runs Android. This is required because the IPsec gateway coordinator also uses these settings.

Figure 20. Mobile client parameters

5. If the mobile client is an Apple device, send the configured profile to the mobile device.
6. If a coordinator for Windows is chosen as the IPsec gateway, save the profile configured on the IPsec connection tab of the coordinator.
7. If you choose a ViPNet Coordinator HW/VA coordinator as the IPsec gateway, send the keys to the ViPNet Coordinator HW/VA coordinator. If no key set has been installed on the coordinator, create a key set for it and give it to the coordinator host's administrator together with the hwinit_set.xml file.

Next, if you use a ViPNet Coordinator HW/VA coordinator, start configuring the mobile device (see Configuring Mobile Devices on page 53). If you use a coordinator for Windows, first configure the coordinator (see Configuring a Coordinator for Windows on page 50), then configure the mobile device.

Configuring a Coordinator for Windows

On a coordinator running Windows Server 2008 R2, do the following:

1. In the Server Manager snap-in, run the Add Roles Wizard and add the Network Policy and Access Services role, selecting the Routing and Remote Access Services component.

Figure 21. Selecting services to be installed

2. In the Server Manager snap-in, enable the Routing and Remote Access service by choosing the Remote access (dial-up or VPN) configuration in the wizard.

Figure 22. Choosing a configuration

3. On the coordinator, apply the IPsec profile you created for it in ViPNet Network Manager. To do this, run the run.bat file on the coordinator.
4. In ViPNet Coordinator, configure a local public network filter that allows mobile devices to connect over IPsec. In the filter:
   o as the destination, specify My ViPNet host and the coordinator's network interface connected to the Internet;
   o add the IP protocol 50-ESP and the UDP ports 500-isakmp and 4500.
5. If you need to provide mobile devices with access to application servers and information resources located on the coordinator itself, configure a local public network filter that allows traffic over the required protocols and ports. In the filter:
   o as sources, specify the IP address range from which addresses are assigned to mobile devices when they connect to the coordinator (the range you specified in ViPNet Network Manager when configuring the IPsec gateway's profile);
   o as the destination, specify My ViPNet host;
   o add the TCP port 80-http.
6. After you configure the filters, in ViPNet Coordinator, in the Local Public Network Filters section, click Apply all.
7. To provide mobile devices with access to ViPNet hosts by DNS names, install and configure a DNS server on the coordinator and register the DNS names of ViPNet hosts on it (see the document "ViPNet VPN. User's Guide", the chapter "Configuring and Using DNS and WINS Services in ViPNet Networks").

Verifying Settings on an External Firewall

If the coordinator is connected to the Internet through an external firewall, you need to configure on this firewall (or DSL router) a rule for the UDP packets transferred when a connection is established over IPsec or L2TP. Do one of the following:

   o Make sure that, on the device functioning as a firewall, the L2TP Passthrough and IPsec Passthrough modes are enabled (if such parameters are available on your device). No additional configuration is required after that.

Figure 23. Router settings

   o If the L2TP Passthrough and IPsec Passthrough parameters are not available on your device, configure the rule manually, specifying the following parameter values:
     o the IP address of the server with the ViPNet Coordinator software installed, to which the ports will be redirected;
     o protocol: UDP;
     o ports: 500 and 4500.
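The manual comparisons this guide asks for (the encapsulation port of coordinator A against the firewall's UDP forwarding rule in chapters 3 and 4, the local public network filters of steps 4 and 5 above, and the external-firewall rule just described), as an added Python example that is not code from the ViPNet documentation or product. The router export format, the filter model, the gateway address 192.168.2.1 and the mobile pool 10.0.0.0/24 are constructed assumptions; 192.168.134.11 and port 55777 are the guide's values.

```python
"""Consistency checks for the firewall rules this guide has you verify by hand.

Added example; not from the ViPNet documentation or product. It compares a
constructed port forwarding export ('PROTO EXT_PORT -> HOST:PORT' lines) with
the coordinator settings:
  - ViPNet scheme: the UDP packets encapsulation port on coordinator A must be
    forwarded to its local address (UDP 55777 in the guide);
  - IPsec gateway scheme: L2TP/IPsec Passthrough is on, or UDP 500 and 4500
    are forwarded to the gateway;
  - local public network filters on the coordinator: ESP, UDP 500 and UDP 4500
    to My ViPNet host, and TCP 80 only from the mobile address pool.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    proto: str       # "udp" or "tcp"
    ext_port: int    # port on the firewall's public side
    dest_ip: str     # internal host the packet is forwarded to
    dest_port: int


@dataclass(frozen=True)
class LocalFilter:
    source: str      # "any" or a CIDR network
    dest: str        # "My ViPNet host" in this guide
    proto: str       # "esp", "udp" or "tcp"
    port: int = 0    # 0 for protocols without ports (ESP)


def parse_forward_table(text):
    """Parse 'UDP 55777 -> 192.168.134.11:55777' lines; '#' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        proto, ext, arrow, target = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected rule line: {line}")
        ip, port = target.rsplit(":", 1)
        ipaddress.IPv4Address(ip)  # raises on a malformed address
        rules.append(ForwardRule(proto.lower(), int(ext), ip, int(port)))
    return rules


def _forwards(rules, proto, port, dest_ip):
    return any(r.proto == proto and r.ext_port == port
               and r.dest_ip == dest_ip and r.dest_port == port for r in rules)


def check_vipnet_forwarding(rules, coord_local_ip, encapsulation_port):
    """Step 4 of the coordinator check: the encapsulation port configured on
    coordinator A must match the firewall's UDP forwarding rule."""
    if _forwards(rules, "udp", encapsulation_port, coord_local_ip):
        return []
    seen = sorted({r.ext_port for r in rules
                   if r.proto == "udp" and r.dest_ip == coord_local_ip})
    return [f"coordinator A encapsulates on UDP {encapsulation_port}, but the "
            f"firewall forwards UDP {seen or 'nothing'} to {coord_local_ip}"]


def check_ipsec_forwarding(rules, gateway_ip, passthrough_enabled):
    """External firewall rule for the IPsec gateway: passthrough enabled, or
    UDP 500 and 4500 forwarded to the coordinator."""
    if passthrough_enabled:
        return []
    return [f"UDP {port} is not forwarded to the IPsec gateway at {gateway_ip}"
            for port in (500, 4500) if not _forwards(rules, "udp", port, gateway_ip)]


def check_local_filters(filters, mobile_pool):
    """IPsec negotiation and ESP must reach My ViPNet host; an HTTP filter to
    the coordinator may accept only sources inside the mobile pool."""
    pool = ipaddress.IPv4Network(mobile_pool)
    findings = []
    for proto, port in (("esp", 0), ("udp", 500), ("udp", 4500)):
        if not any(f.dest == "My ViPNet host" and f.proto == proto and f.port == port
                   for f in filters):
            label = f"{proto.upper()} {port}" if port else proto.upper()
            findings.append(f"missing filter: {label} to My ViPNet host")
    for f in filters:
        if f.proto == "tcp" and f.port == 80 and f.dest == "My ViPNet host":
            if f.source == "any" or not ipaddress.IPv4Network(f.source).subnet_of(pool):
                findings.append(f"HTTP filter allows source {f.source}, expected the mobile pool {pool}")
    return findings


# Constructed router export: the ViPNet rule is correct, UDP 4500 is missing.
FORWARD_TABLE = """\
# proto ext_port -> internal_host:port
UDP 55777 -> 192.168.134.11:55777
UDP 500   -> 192.168.2.1:500
TCP 443   -> 192.168.2.50:443
"""
# Constructed filter set: the HTTP filter was left open to any source.
LOCAL_FILTERS = [
    LocalFilter("any", "My ViPNet host", "esp"),
    LocalFilter("any", "My ViPNet host", "udp", 500),
    LocalFilter("any", "My ViPNet host", "udp", 4500),
    LocalFilter("any", "My ViPNet host", "tcp", 80),
]

if __name__ == "__main__":
    rules = parse_forward_table(FORWARD_TABLE)
    print(check_vipnet_forwarding(rules, "192.168.134.11", 55777))
    print(check_ipsec_forwarding(rules, "192.168.2.1", passthrough_enabled=False))
    print(check_local_filters(LOCAL_FILTERS, "10.0.0.0/24"))
```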
Supplement to ViPNet Documentation | 52 Configuring Mobile Devices Configuring an Apple Mobile Device After you create an IPsec profile for a mobile client in ViPNet Network Manager, you should install it on your Apple device. To do this: 1 On your iPad or iPhone, open the email message with the attached IPsec profile (a file with the .mobileconfig extension). 2 Choose the attached file. The profile setup window will be displayed. 3 Click Install. When you are warned that the profile is not signed, click Install once again. 4 Type the user password specified for the mobile client in ViPNet Network Manager. This password should be received from the ViPNet network administrator. 5 The profile installation is finished. Click Finish. 6 To configure the parameters of the installed profile, open the Settings program and, in the navigation pane, choose VPN. 7 In the view pane, select the installed IPsec profile. 8 In the profile properties window, in the Proxy section, choose Off. 9 Click Save. The profile is installed and configured. To connect to the ViPNet network, on your device go to Settings > > General > Network > VPN. Then switch VPN to . To get access to hosts in the protected network, in your browser or other application, type the IP address or DNS name of the protected ViPNet host. Configuring an Android Mobile Device To connect an Android device to protected corporate resources: 1 On your Android device, add an IPsec profile: 1.1 Open the Settings application and tap Wireless & Networking > VPN. 1.2 Add a new VPN profile. 1.3 Specify the connection type L2TP/IPSec PSK. 1.4 To specify the server address, type the IP address or DNS name of the ViPNet Coordinator HW/VA host you specified in ViPNet Network Manager, on the IPsec connection tab. Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation | 53 1.5 To specify the IPsec pre-shared key, type the pre-shared key you specified on the IPsec connection tab. 1.6 Save the VPN profile. 
2 Tap the created VPN profile. You will be asked for user credentials:
2.1 Type the user name that you specified in ViPNet Network Manager, on the mobile client's properties tab.
2.2 Type the password that you specified on the mobile client's properties tab.
2.3 Tap Connect.
Note: On your Android device, the names and positions of the options described in this section may differ.
6 Office to Office Connection Both with the ViPNet and IPsec Technologies
Overview 56
Configuring Network in ViPNet Network Manager 57
Settings Check on a Remote Gateway 60
Overview
This chapter describes the workflow for configuring a connection between a ViPNet VPN network and a network where the ViPNet technology is not used.
Assume that your corporate network is protected with ViPNet software. You need to create a protected communication channel with a partner company that does not use the ViPNet technology. In this case, you can establish a tunnel between the two corporate networks over the IPsec protocol.
An IPsec tunnel is an encrypted traffic channel established between two IPsec gateways, one deployed in each of the two networks. A variety of IPsec gateway software servers and appliances exist (Cisco appliances; servers running Linux, FreeBSD or Windows Server; and others). You can use a ViPNet Coordinator HW host as the IPsec gateway of your network.
Note: You cannot configure a coordinator for Windows as a ViPNet–IPsec gateway in ViPNet Network Manager.
You configure a ViPNet Coordinator HW/VA coordinator as an IPsec gateway in ViPNet Network Manager. You can do this only if your ViPNet Network Manager license allows it.
Configuring Network in ViPNet Network Manager
First, do the following:
1 Create the required ViPNet network structure as described in Creating a ViPNet Network (on page 15).
2 Make sure that your ViPNet Network Manager license allows you to use a ViPNet Coordinator HW/VA coordinator in the network. Otherwise, contact an Infotecs representative and request a new license.
3 Create keys for the ViPNet Coordinator HW/VA coordinator and install them.
Then, in the navigation pane of the ViPNet Network Manager main window, select the ViPNet Coordinator HW/VA coordinator and do the following:
1 In the view pane, click the IPsec connection tab.
2 In the Network interface name list, select the network interface of the ViPNet Coordinator HW/VA host that is accessible from the Internet.
3 Select the Use coordinator to establish protected IPsec connection for other networks check box.
Figure 24. Adding an IPsec channel to another network
4 To configure a new IPsec connection to a remote network, click Add. The IPsec Gateway New window will be displayed.
5 On the Connection tab, in the Remote gateway name box, specify a unique name for the remote network connection.
Figure 25. Specifying remote IPsec gateway properties
6 In the Remote gateway IP address box, type the access IP address of the remote IPsec gateway.
7 Click Add and then, in the Local and Remote Network Addresses window, specify the IP addresses of the two networks that will be connected over the IPsec channel. Specify the network addresses in CIDR notation, for example: 172.16.0.0/24.
Figure 26. Specifying local and remote networks
If necessary, repeat this step to add more pairs of local and remote networks.
8 Click the Encryption tab and specify the encryption parameters of the connection:
o In the Pre-shared Key box, type a string of 8 to 63 characters that will be used as the password for connection authentication.
Warning: The pre-shared key must not contain the following characters: the question mark (?), the backslash (\), and the single quote ('). Use a long random string rather than a word or phrase, and hand it to the remote network administrator over a channel other than the one you use for the rest of the connection details.
o If necessary, in the other boxes, specify the encryption and hashing algorithms, the Diffie–Hellman parameter value, and the key lifetime.
Figure 27. Specifying encryption parameters
Warning: Inform the administrator of the remote network that the same encryption parameters must be specified on the remote gateway.
9 In the view pane, on the Keys tab, click Send Keys to transfer the IPsec connection settings to the ViPNet Coordinator HW/VA host.
10 Then send key set updates to the ViPNet Coordinator HW/VA host and configure a forward rule allowing traffic exchange between the ViPNet network and the remote network.
Settings Check on a Remote Gateway
Contact the remote network administrator to make sure that the parameters specified on the remote gateway (pre-shared key, encryption and hashing algorithms, Diffie–Hellman parameter, key lifetime, and the local and remote network addresses) are the same as the IPsec connection settings in ViPNet Network Manager. If the pre-shared key or the algorithms do not match, the tunnel will not be established.
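The checks behind step 8 and the Settings Check on a Remote Gateway section, as an added example in Python; this is not ViPNet code. The key constraints (8 to 63 characters; no ?, \ or ') are the ones stated above. The parameter names, the sample values, the network pair and the settings "reported back" by the partner administrator are assumptions constructed for the example; the SHA-256 fingerprint is the added suggestion for confirming that both sides hold the same key without sending the key a second time.

```python
"""Pre-shared key and parameter consistency checks for the site-to-site IPsec
channel described above (added example, not ViPNet code).

The key rules (8 to 63 characters; no '?', '\\' or "'") are the ones stated in
the text. Parameter names, sample values and the remote gateway's "reported"
settings are assumptions constructed for the example.
"""
import hashlib
import secrets
import string
from ipaddress import ip_network
from typing import Dict, List, Tuple

FORBIDDEN = frozenset("?\\'")
MIN_LEN, MAX_LEN = 8, 63


def validate_psk(psk: str) -> List[str]:
    """Return the rule violations; an empty list means the key is acceptable."""
    problems = []
    if not MIN_LEN <= len(psk) <= MAX_LEN:
        problems.append(f"length {len(psk)} outside {MIN_LEN}..{MAX_LEN}")
    bad = sorted(FORBIDDEN & set(psk))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if not psk.isascii():
        problems.append("non-ASCII characters")
    return problems


def generate_psk(length: int = 40) -> str:
    """Random key (CSPRNG) drawn only from characters the text permits."""
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in FORBIDDEN]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def psk_fingerprint(psk: str) -> str:
    """Truncated SHA-256 of the key: compare this with the remote admin instead
    of re-sending the key itself (assumed practice, not a ViPNet feature)."""
    return hashlib.sha256(psk.encode()).hexdigest()[:16]


def validate_network_pair(local: str, remote: str) -> List[str]:
    """Both sides in strict CIDR (no host bits set) and not overlapping each other."""
    try:
        lnet, rnet = ip_network(local, strict=True), ip_network(remote, strict=True)
    except ValueError as exc:
        return [f"bad CIDR: {exc}"]
    return [f"{local} overlaps {remote}"] if lnet.overlaps(rnet) else []


def compare_parameters(local: Dict[str, object], remote: Dict[str, object]) -> Dict[str, Tuple]:
    """Parameters that differ between the two gateways, or exist on one side only."""
    return {k: (local.get(k), remote.get(k))
            for k in sorted(set(local) | set(remote))
            if local.get(k) != remote.get(k)}


if __name__ == "__main__":
    psk = generate_psk()
    # Assumed settings entered on the Encryption tab; the value names are illustrative.
    local = {"encryption": "aes256", "hash": "sha256", "dh_group": 14,
             "key_lifetime_s": 28800, "psk_fingerprint": psk_fingerprint(psk),
             "local_net": "172.16.0.0/24", "remote_net": "192.168.10.0/24"}
    # What the partner's administrator reports back (constructed; the DH group differs).
    remote = dict(local, dh_group=2)
    print("psk ok      :", validate_psk(psk) == [])
    print("networks    :", validate_network_pair(local["local_net"], local["remote_net"]) or "ok")
    print("mismatches  :", compare_parameters(local, remote))
```

Any non-empty result from compare_parameters is a reason to stop and reconcile before sending keys in step 9: an algorithm or key mismatch means the remote gateway will reject the IKE negotiation, and overlapping or mis-typed network addresses mean the forward rule in step 10 will not cover the traffic you expect.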