BANDIT CMG: Virtual Private Networks

Chapter 8

Virtual PrivateNetworks

ne of the principal features of the VPN products is their use in virtual private networks (VPNs). This chapter discusses transmission security, VPNs, and the way a BANDIT device sets up

and uses a VPN.

Note: Virtual private networks are supported in the VSR-30, the VSR-1200, the ILR-100, the BANDIT Mini, the original BANDIT, the BANDIT IP, and the BANDIT Plus.

A VPN is a secure encrypted transmission between two or more private endpoints over a public network. Tunneling—encapsulating data within secure packets—isolates the private data from other traffic carried by the public network, providing secure transport over the network. The public network uses the header information in the packets to deliver the packets to their destination. When the destination endpoint receives the packets, it authenticates and unpackages them, and decrypts the data.

O

VPN and Legacy-to-IP Products Customization and Maintenance Guide

8-2 Chapter 8: Virtual Private Networks

Use of VPNs allows for dynamic, temporary connections instead of permanent physical connections. This allows an organization to build a private network over the public IP network, reducing the number of leased lines that the organization needs to maintain for connections, resulting in a saving of money. In addition, connection (via VPN client software) over the internet allows business travelers to communicate with the office network from any site that has a connection to the internet.

Note: For a quick VPN setup conforming to the recommendations of the Virtual Private Network Consortium (VPNC), see Appendix B, VPNC Scenario for IPsec Interoperability. For setup with a VPN client, see Appendix C, Scenarios for Operation with a VPN Client.

8.1 The BANDIT in Virtual Private Networks

This section deals principally with a VPN device’s role as a VPN gateway. A VPN device can encapsulate information into IP packets, so it can perform as a VPN gateway over public networks that use IP. The VSR-30, the ILR-100, the BANDIT Mini, the original BANDIT, and the BANDIT IP each support a maximum of 30 local tunnel terminations. The BANDIT Plus supports a maximum of 100 tunnels. The VSR-1200 supports 1200 tunnels. The VSR-1200 uses HiFn processors for hardware assistance; the other VPN products use an MPC 180 chip for hardware assistance.

As a VPN gateway, a VPN device can perform IPsec tunnel initiation, IPsec tunnel termination, and IPsec passthrough. They use IPsec (described in RFC 2401) for VPN security, performing the functions listed in Table 8-1.

Table 8-1. IPsec Components Used in the BANDIT Devices (1 of 2)

Function Protocols Acronym Standard1

Key Exchange Internet Key Exchange IKE RFC 2409

Internet Security Association and Key Management Protocol

ISAKMP RFC 2408

Encryption Data Encryption Standard DES FIPS PUB 46-2

Triple Data Encryption Standard

3DES FIPS PUB 46-3


The BANDIT in Virtual Private Networks 8-3

An Encore Networks VPN device can implement tunnels with another Encore Networks VPN device or with another IPsec-compliant VPN gateway or VPN client. The Encore Networks VPN products have the following modes of tunnel use:

• Tunnel initiation: The device receives packets from a local user terminal. The device encapsulates the packets according to the IPsec user policy, and sends them across the public network to a remote VPN gateway to establish a VPN tunnel.

• Tunnel passthrough: The device receives IPsec-encapsulated packets from a client VPN terminal, and provides transparent forwarding of the IP packets according to the IPsec user policy. The device sends the packets across the public network without repackaging them.

• Tunnel termination: The device terminates (accepts) an IPsec tunnel initiated by a remote VPN gateway or VPN client across the public network. The device authenticates and unpackages the tunnel’s packets, and delivers them to the destination terminal. (To perform tunnel termination, the device must maintain a table of VPN users that function as prospective tunnel initiators.

Table 8-3 provides an example of this: If a record’s Direction is “incoming,” then the record’s Source IP Addresses (in the range from Low to High) indicate one or more remote devices. If the Action is “tunnel termination,” a device with an IP address in the source range can initiate a tunnel that the local device will accept.)

Security Protocols

Encapsulating Security Payload

ESP RFC 2406

Authentication Header AH RFC 2402

Authentication Hashed Message Authentication Code: Message Digest 5

HMAC MD5

RFC 2403

Hashed Message Authentication Code: Secure Hash Algorithm 1

HMAC SHA-1

RFC 2404

1. Each publication is from the Internet Engineering Task Force (IETF) unless noted as a Federal Information Processing Standard (FIPS).

Table 8-1. IPsec Components Used in the BANDIT Devices (2 of 2)

Function Protocols Acronym Standard1



Note: Care must be taken when a VPN connection crosses a device that performs network address translation (NAT). As part of address translation, NAT repackages packets. In certain situations, repackaging will disrupt encrypted VPN packets and render them unintelligible even to the VPN tunnel endpoints.

Be sure to use the appropriate configuration when a VPN connection will cross a device that performs NAT. When a BANDIT VPN product uses the ESP protocol, the connection can cross a device that performs NAT. When the BANDIT product uses the AH protocol, the connection must not cross a device that performs NAT.

Figure 8-1 illustrates two BANDITs functioning as VPN gateways over the IP network.

Figure 8-1. Sample Network: BANDITs as VPN Gateways

Figure 8-2 shows a simplified example of the BANDIT’s encryption and encapsulation of data.

Note: The transmission shown in Figure 8-2 originates from the laptop terminal (IP address 1.1.1.2) shown in Figure 8-1, and is destined for the desktop terminal (IP address 4.4.4.2) in Figure 8-1.

To set up IP routing tables, see Section 6.2, IP Routing.


Internet Key Exchange 8-5

Figure 8-2. Sample Encryption and Encapsulation

8.2 Internet Key Exchange

When a BANDIT device uses automatic keying, it uses the Internet Key Exchange (IKE) protocol to provide secure transmission between VPN endpoints. IKE negotiates security associations (SAs) and provides authenticated keys for these SAs. (A security association is a set of policies that establish a protected, authenticated connection for data transmission.) IKE can be used to do the following:

• Set up virtual private networks (VPNs).

• Provide a remote user secure access to a network. (The remote user’s IP address does not need to be known in advance.)

• Negotiate SAs (and hide identities) for VPN client endpoints.



The Internet Key Exchange protocol has two phases:

• Phase 1 is used for key exchange. In this phase, IKE negotiates the following items to establish an SA for Phase 2:

- The encryption algorithm

- The hash algorithm

- The authentication method

- The Diffie–Hellman group

• Phase 2 negotiates an SA for services (such as IPsec) in the transmission. Then this phase is used for data transmission.

The BANDIT products implement IKE in conformance to IETF RFC 2409.

8.2.1 Perfect Forward Secrecy

Perfect forward secrecy (PFS)—the use of uniquely derived keys to establish security associations (SAs)—is an important feature of the IKE protocol. PFS comprises the following principles:

• Material used to derive one key cannot be used to derive additional keys.

• No key can be used to derive additional keys.

• Discovery of a key endangers only transmissions protected by that key.

IKE maintains PFS in the way it performs the following:

• IKE uses a Diffie-Hellman (DH) exchange to set up phase 1. (A DH exchange protects the identities of the originator and the recipient.) Phase 1 can use main mode or aggressive mode (but not both).

Phase 1 establishes an SA for phase 2, as follows:

- The originator presents proposals for the SA. (The originator may send an unlimited number of proposals; the recipient can limit the number it will consider.)

- The recipient chooses one proposal and sends its response. The recipient cannot change the proposal. If the originator notices that the proposal has changed in any way, the originator refuses the response.

- When the originator accepts the response, the SA is set up for phase 2.


Tunnel Features 8-7

• In phase 2, IKE establishes an SA for data transmission. as follows:

- Phase 2 negotiates for services that will be used, such as IPsec.

- When the phase 2 SA is ready for data transmission, IKE deletes the SA that phase 1 had established.

- In the SA for data transmission, quick mode is used for transmission. Both sides of the connection can transmit data.

Instead of extensive authentication, which consumes time and CPU resources, the SA now uses cookies for authentication. The cookie order established in phase 1 (originator vs. recipient) is always used; the cookies do not change order when the transmission direction changes.

Note: Each IKE phase has a fixed lifetime. The lifetime can be defined in units of time, number of transmissions, or total amount of transmission (in kilobytes). A phase’s lifetime cannot be increased during the phase.

8.3 Tunnel Features

The VSR-30, the original BANDIT, or the BANDIT IP can provide 1 to 30 tunnels for use at the same time. The BANDIT Plus provides 1 to 100 tunnels. The VSR-1200 provides 1 to 1200 tunnels. In some situations, a single VPN tunnel can provide services for more than one user. The following subsections discuss VPN tunnel features in the BANDITs.

8.3.1 Tunnel Initiation

A BANDIT device can initiate a tunnel to another BANDIT device or to another IPsec-compliant VPN gateway. When a local user originates packets to the BANDIT, and the packets need to travel over a VPN tunnel, the BANDIT searches its database for an appropriate VPN policy and VPN profile.

When an appropriate VPN policy and VPN profile have been determined, the BANDIT contacts the remote VPN gateway specified by the profile, and negotiates a security association. When the gateways agree on an SA and set up a VPN tunnel, the BANDIT encapsulates the packets according to the policy, and sends them across the public network. When the remote VPN gateway receives the packets, it forwards them to the remote destination.



Note: In order to use a VPN tunnel, the combination of origination and destination must conform to a VPN policy. Otherwise, the request will be rejected. (The policy specifies the VPN profile that the connection must use; the user must also be authorized to use the specified profile.)

8.3.2 Tunnel Termination

A BANDIT device can terminate a tunnel for another VPN gateway or for a VPN remote user. When a BANDIT acts as a tunnel terminator, it looks for matches against the following items presented by the VPN gateway that initiated the tunnel:

• IDs

• Preshared key

• Peer (remote) user ID (This can be a group ID or a single ID.)

If the values match a VPN policy record, the BANDIT accepts the tunnel termination. Then the BANDIT negotiates the key, and accepts or rejects the proposals presented by the initiating VPN gateway.

In Figure 8-3, a VPN remote user initiates a tunnel to the BANDIT’s external IP address. Because the remote user’s IDs matches a record in the BANDIT’s database, the BANDIT agrees to terminate the tunnel. Then, because the VPN remote user wishes to communicate with another site, the BANDIT initiates a tunnel to the other site, so that the VPN remote user can communicate with the site.

Table 8-2 lists sample parameters for a remote VPN tunnel user.


Tunnel Features 8-9

Figure 8-3. VPN Remote User Tunneling to BANDIT Tunneling to VPN Host

Table 8-2. Sample Remote User Record (1 of 2)

Field Sample Value

Peer ID (Remote User ID) [email protected]

Preshared Key ***********

Profile Group 1,2,4,5

Note: The profile group choices can include up to four VPN profiles. The BANDIT chooses the first profile that the peer ID matches.

One of the group choices can be a wildcard. A wildcard means “any profile listed in the VPN Profile database.” You may list VPN profiles before a wildcard, but there is no need to list any profiles after a wildcard.



8.3.3 Tunnel Passthrough

Tunnel passthrough is used when a remote or local user sends IPsec-encapsulated packets to the BANDIT device. In passthrough mode, the BANDIT provides transparent forwarding of the IP packets according to the VPN policy.

Tunnel passthrough occurs most often when packets are received from a VPN client. If a remote user is using VPN client software, the client sets up a VPN tunnel through the BANDIT to a remote network. In this case, the BANDIT uses passthrough mode; it does not initiate a new tunnel.

In Figure 8-3, let the remote user be a VPN client. The client initiates a tunnel to the BANDIT’s external IP address. Because the VPN client’s IP address is in the BANDIT’s tunnel user profile table, the BANDIT terminates the tunnel. Because the VPN client wishes to use a VPN tunnel to communicate with another site, the BANDIT passes the tunnel through to the other site, so that the VPN client can communicate with the site. (This also hides the VPN client’s IP address.)

8.3.4 Tunnel Sharing

More than one VPN profile can specify the same local and remote VPN gateways to reach its remote endpoint. If two such profiles are active at the same time, they are using the same tunnel between the gateways for their VPN connections to different endpoints. This is called tunnel sharing (or tunnel multiplexing).

8.3.5 Tunnel Switching

A remote endpoint can initiate a VPN tunnel into the network. If the remote endpoint wishes to communicate with a destination endpoint that is outside the network, the BANDIT checks to see whether there is a VPN profile describing a tunnel to the requested destination. If so, the BANDIT initiates

certificate ***********

Note: The remote user’s IP address does not have to be known in advance.

Table 8-2. Sample Remote User Record (2 of 2)

Field Sample Value


VPN over Satellite Networks 8-11

a VPN tunnel to that destination, and routes the traffic from the initiating endpoint to the destination. This is called tunnel switching.

8.4 VPN over Satellite Networks

Satellite networks permit telecommunication without laying ground lines. Satellite networks also permit communication across longer distances than do ground-based wireless networks. For reasons of topography or mobility, a satellite connection may be the best telecommunication choice for some users. Remote areas that cannot be reached easily with ground lines and mobile users who may not always be in reach of a ground connection or wireless tower can easily maintain access to a satellite network.

The VSR-30, the VSR-1200, the ILR-100, the BANDIT Mini, the original BANDIT, the BANDIT IP, and the BANDIT Plus support connection to satellite networks, allowing transmission of information to any location that has a satellite dish—including a very small aperture terminal (VSAT), a small dish typically used in remote sites. A BANDIT product usually uses its WAN port for broadband IP connection to a satellite groundstation. Figure 8-4 shows BANDITs connecting LANs across a satellite network.

Figure 8-4. BANDITs Connecting LANs across a Satellite Network



8.4.1 Spoofing Transmissions

Most satellite networks use a star topology, with a hub directing transmissions to the proper groundstation. These satellite networks have the following components:

• Hub (the main groundstation)

• Satellite

• Other groundstations

Geosynchronous-orbit satellites (satellites that maintain the same position above a geographic point on the earth's surface) orbit at about 22,300 miles (about 35,900 km) above the earth's surface. Because of the distance that transmissions travel from one node (a groundstation) to a satellite node and then to another groundstation node, satellite networks have a significant transmission delay (Figure 8-5)—about ½ second per round trip.

Figure 8-5. Ground-to-Satellite-to-Ground Transmission

Many protocols will time out when they encounter the delay in a satellite network. Others, such as TCP, misinterpret the long delay as network congestion and, as a result, reduce their transmission rate. Because of these problems, a transmission from outside a satellite network is not generally sent directly from endpoint to endpoint across the satellite network. Instead, a groundstation node uses a performance-enhancing proxy (PEP) in its connection with an endpoint outside the satellite network. A PEP spoofs its transmission with the endpoint.



Note: Satellite vendors and systems integrators developed PEPs as proprietary mechanisms to spoof TCP over satellite connections. There is not yet an official standard for PEPs.

In spoofing, a groundstation’s PEP receives a transmission from an originating node outside the satellite network. The PEP acts as if it were the destination endpoint, and sends acknowledgment packets (ACK packets) to the originating node. This allows standard protocols to be used for transmission without timing out, as they would in the delay incurred across the satellite network.

While the groundstation’s PEP is spoofing its transmission with the originating node, the groundstation is also taking the packets received from the originating node and is transmitting them across the satellite network to another groundstation node, for transmission to the destination endpoint.

Satellite networks can use any protocol, including IP, to carry information. For IP transmissions, satellite networks use TCP (in the IP transport layer). Satellite network PEPs read the TCP header in order to send IP transmissions across the satellite network. TCP guarantees delivery of packets and guarantees that the packets will be assembled in the proper sequence.

8.4.2 Satellite Networks and Security

Because satellite networks broadcast transmissions, they are inherently insecure; anyone with a satellite dish can receive a transmission. Therefore, endpoints have to create their own security. Virtual private networks based on the IPsec protocol provide one of the most secure transmissions from endpoint to endpoint over ground-based networks, because no node can decrypt the information except the VPN endpoints.

IP Security (IPsec) comes in two formats:

• Encapsulating Security Payload (ESP) encrypts each user IP packet, including the TCP header, and places it inside a new IP packet generated by the customer’s VPN router.

• Authentication Header (AH) does not encrypt the payload, and thus leaves the TCP header visible.



Until now, there have been problems in using VPNs over satellite networks:

• ESP encryption prevents the PEP from seeing or modifying the TCP header’s ACK and Window fields, so these sessions cannot be accelerated.

• AH’s strong authentication process rejects a packet in which PEP modifies a header field; this also prevents acceleration by PEP.

If the PEP cannot read the TCP header, it cannot spoof the packet; this inability to spoof the packet slows the transmission over the satellite network. The PEP needs to read the TCP header in order to improve performance.

There are several proposed methods for getting around this situation. Most of the proposed methods involve a trade-off of VPN security for TCP use. However, Encore Networks, Inc., has developed a method that maintains VPN security while allowing satellite-network nodes to read TCP headers. This method—Selective Layer Encryption™—improves performance of IPsec-based VPNs over a satellite network.

8.4.3 Selective Layer Encryption

Encore Networks has developed a proprietary technology, Selective Layer Encryption™ (SLE), for VPNs that traverse a satellite network. SLE works with a satellite groundstation’s PEP and maintains VPN security over satellite networks. Encore Networks’ technique preserves the authentication and encryption integrity of the IPsec VPN standards, yet allows the TCP to be spoofed over the satellite connection. Combining the use of SLE and PEP allows delay-sensitive applications to traverse satellite networks.

Selective Layer Encryption™ creates satellite VPN solutions with IPsec that are both secure and channel-efficient. This combination of SLE and PEP significantly increases IPsec performance over satellite networks. Encore Networks, Inc., believes that SLE is the preferred method of maintaining IPsec VPN security over satellite networks.

Test results have demonstrated interoperability with different satellite modem vendors that preserve the integrity of TCP fields across the satellite link. (To interpret SLE, a BANDIT VPN product must also sit somewhere on the other side of these modems.)

The VSR-30, VSR-1200, original BANDIT, and BANDIT Plus models can use SLE VPNs with satellite networks, and they can support non-SLE VPNs over ground-based networks. A single BANDIT device in one of these models can support both types of VPNs at the same time. Figure 8-6 shows a sample satellite network combining PEP and the BANDIT’s SLE.



Figure 8-6. Sample Satellite Network Configuration Using BANDIT VPN with SLE

8.4.3.1 SLE Configuration

When you ordered your BANDIT device, you indicated whether it would use SLE. If you have a BANDIT that does not use SLE and you wish to enable the SLE feature in the BANDIT software, contact your Encore Networks sales representative. (SLE VPN configuration and non-SLE VPN configuration are the same for most parameters in the BANDIT.) A BANDIT device can support VPN tunnels with SLE and VPN tunnels without SLE, both at the same time.

Note: The VSR products (the VSR-30 and the VSR-1200) are designed to support satellite networks as well as ground-based networks. Any BANDIT VPN device can support both VPN with SLE (for use over satellite networks) and VPN without SLE (for ground-based networks), depending on the software installed in the device. Most VPN devices can also support legacy applications.)



The VSR-1200 is a high-end, high-performance router, and functions especially well as a hub for a large terrestrial (ground-based) or satellite network (or for a combined terrestrial–satellite network).

In the BANDIT’s IPsec VPN software with SLE, all VPN tunnels use SLE, except in the following instance:

• In SLE software, in the IP Policy Table, if you select a record, the record’s detail screen appears. Look at the name for the Description. If you start the description name with the letter “I” or “i,” the tunnel configuration uses IPsec VPN without SLE. (See Figure 8-11.) If the Description name begins with any other initial character, the tunnel configuration uses IPsec VPN with SLE. (See Figure 8-8.)

You configure both types of IPsec the same way, except for this parameter. All other items needed are configured automatically. (However, you need to supply the appropriate IP addresses.)

Note: In BANDIT software release 5.0 and above, the user does not configure FTP/HTTP ports 20, 21, and 80 for SLE. In addition, Network Address Translation is no longer required for SLE.

The user can modify the VPN configuration, if desired. We recommend consulting with your Encore Networks sales representative before modifying an automatically generated configuration.

Figure 8-7 shows part of the IP Policy Table for the BANDIT (A) in Figure 8-6. Note that record 3 is a catch-all policy for VPN with SLE; because it is a catch-all, it must follow all other records for VPN with SLE. Note that record 4 is a catch-all for VPN without SLE (and must follow all other records for VPN without SLE).

Figure 8-8 through Figure 8-11 show details of the records.



Figure 8-7. Sample Entries in IP Policy Table for BANDIT in Figure 8-6, Including SLE over Satellite Networks

Figure 8-8. Detail of Record 1 in IP Policy Table, for SLE over Satellite Networks

Source Src Destination Dest Protocol# Address Port Address Port /Flag Path Name I/O Action--- --------------- ------ --------------- ------ -------- ----------- --- ------

1 172.16.10.131 * 10.10.11.1 * * * * 172.16.10.131 * 10.10.11.1 * H-3 Action: Allow

2 172.16.10.128 * 10.10.11.1 * * * * 172.16.10.255 * 10.10.11.1 * Tunnel To Remote 1 Action: Initiate VPN Profile: REMOTE

3 * * * * * * * * * * * H-1 Action: Allow

4 * * * * * * * * * * * I-Allow ALL Action: Allow

1) Source Address Low : 172.16.10.131 Source Address High : 172.16.10.131 Source TCP/UDP Port Low : * Source TCP/UDP Port High : * Destination Address Low : 10.10.11.1 Destination Address High : 10.10.11.1 Destination TCP/UDP Port Low : * Destination TCP/UDP Port High : * Protocol/Flags : * Path Name : * Incoming/Outgoing : * Filtering Action : Allow VPN Profile name : N/A Description : H-3





2) Source Address Low : 172.16.10.128 Source Address High : 172.16.10.255 So Address Low : 10.10.11.1 Destination Address High : 10.10.11.1 Destination TCP/UDP Port Low : * Destination TCP/UDP Port High : * Protocol/Flags : * Path Name : * Incoming/Outgoing : * Filtering Action : Initiate VPN Profile name : REMOTE Description : Tunnel To Remote 1

3) Source Address Low : * Source Address High : * Source TCP/UDP Port Low : * Source TCP/UDP Port High : * Destination Address Low : * Destination Address High : * Destination TCP/UDP Port Low : * Destination TCP/UDP Port High : * Protocol/Flags : * Path Name : * Incoming/Outgoing : * Filtering Action : Allow VPN Profile name : N/A Description : H-1


Sample VPN Configuration 8-19

Figure 8-11. Detail of Record 4 in IP Policy Table, for IPsec VPN Traffic without SLE

Note: For VPN with SLE over satellites, there must be another BANDIT VPN with SLE product somewhere in the network on the other side of the modem, handling SLE for the remote side of the connection.

Over ground-based networks, the BANDIT VPN products use non-SLE software and can interoperate with non-BANDIT VPN gateways. See Appendix B, VPNC Scenario for IPsec Interoperability.

8.5 Sample VPN Configuration

Note: For a quick VPN setup, conforming to the recommendations of the VPN Consortium (VPNC), see Appendix B, VPNC Scenario for IPsec Interoperability.

The following tables provide an example of planning a configuration for your virtual private network users.

Table 8-3 is a sample IP Policy Table. (Your IP Policy Table may include additional fields.) IP Policy Tables are used to establish processes and types of connections. The BANDIT’s IP Policy Table is described in Section 6.4, IP/VPN Policy.

4) Source Address Low : * Source Address High : * Source TCP/UDP Port Low : * Source TCP/UDP Port High : * Destination Address Low : * Destination Address High : * Destination TCP/UDP Port Low : * Destination TCP/UDP Port High : * Protocol/Flags : * Path Name : * Incoming/Outgoing : * Filtering Action : Allow VPN Profile name : N/A Description : I-Allow ALL



The IP Policy Table must include a field naming the profile used in the policy. (In Table 8-3, this is the field VPN Profile Used.) The value in this field cross-references the profile’s configuration, shown in a VPN Profile Table.

Table 8-4 shows a sample VPN profile table, with the field VPN Profile Name cross-referenced against profiles listed in the IP Policy Table. (Your VPN Profile Table may show additional fields.) The BANDIT’s VPN Profile Table is described in Section 8.6.1, Configuring VPN Profiles.

You also need to configure an IP Routing Table. See Section 6.2, IP Routing.

Note: Appendix A, Site Planning Worksheets, contains worksheets for preparing entries for the BANDIT’s IP Policy Table and VPN Profile Table.

Table 8-3. Sample IP Policy Table

Field Value for Record 1

Value for Record 2

Records 3, 4, 5, . . .

Low IP Address for Source

1.1.1.1 4.4.4.1 . . .

High IP Address for Source

1.1.1.255 4.4.4.255 . . .

Low IP Address for Destination

4.4.4.1 1.1.1.1 . . .

High IP Address for Destination

4.4.4.255 1.1.1.255 . . .

Global Path LAN LAN . . .

Direction Outgoing Incoming . . .

Action Tunnel Initiation

Tunnel Termination

. . .

Description Tunnel A Terminate P27 . . .

VPN Profile Used Profile 1 Profile 7 . . .



Table 8-4. Sample VPN Profile Table (1 of 2)

Field1 Value for Record 1

Value for Record 2

Records 3, 4, 5, . . .

VPN Profile Name

Profile 1 John’s VPN Connection

. . .

Local ID (User ID)

1.2.1.12 [email protected]

. . .

Remote VPN Gateway Address

3.43.3.12 3.43.3.12 . . .

Keying Manual2 Auto-Key . . .

Security Protocol ESP ——— . . .

Local SPI 1ffff ——— . . .

Remote SPI 1000 ——— . . .

Authentication Mode

——— Main mode,

Aggressive mode

. . .

Authentication Protocol

HMAC-SHA1 ——— . . .

Authentication Key

48454C4C4F0000000000000000000000

——— . . .

Preshared key ——— ****** . . .

Encryption 3DES ——— . . .

Encryption Key 48454C4C4F000000 ——— . . .

Phase 1, Proposal 1

——— PRE-G2-DES-MD5 . . .

Phase 1, Proposal 2

——— VSA-G2-3DES-SHA

. . .

Phase 2, Proposal 1

——— STD-G2-3DES-MD5

. . .

Phase 2, Proposal 2

——— PFS-G2-3DES-SHA . . .

Replay Protection

——— enabled . . .

User ID Verification

——— enabled . . .



8.5.1 Manual Keying

Manual keying—the use of manual keys for authentication and encryption—was the original method of exchanging security information between two VPN gateways. This method involves manually entering long strings of characters. The keys do not change during the connection, and may be used for subsequent connections as well. Because the authentication and encryption keys are constant, manual keying is vulnerable to persistent attack, and thus does not provide much security.

Today manual keying is used mostly for troubleshooting VPN connections. Except for troubleshooting, most VPN gateways now use automatic keying to set up VPN connections. (Autokeying provides excellent security because the keys are always changing and being re-negotiated. IKE autokeying is the industry-preferred option for VPN tunnel negotiation. See Section 8.5.2, Automatic Keying.)

Note: With software version 0171 and above, the BANDIT products do not use manual keying in normal operation. If you wish to use manual keying in a BANDIT, contact your Encore Networks representative.

Table 8-5 shows sample parameters used to set up manual keying for a VPN connection.

Password Verification

——— disabled . . .

Timeout ——— 30 . . .

1. A VPN Profile Table includes all records—those that use fields for manual keying and those that use fields for autokeying. (Some fields are used by both types of records.) When the user specifies the type of keying the profile will use, the BANDIT presents for configuration only the fields that apply to the specified keying. (Table 8-5 presents parameters for manual keying. Table 8-6 presents parameters for autokeying.) 2. The BANDIT products do not use manual keying in normal operation. If you wish to use manual keying, contact your Encore Networks representative.

Table 8-4. Sample VPN Profile Table (2 of 2)

Field1 Value for Record 1

Value for Record 2

Records 3, 4, 5, . . .



8.5.2 Automatic Keying

In autokeying, keys are dynamic, always changing. Special keys are exchanged at the beginning of the connection, and the VPN gateways negotiate other keys for the connection. If desired, keys can be timed out, and new keys can be negotiated for subsequent parts of the connection.

The BANDIT products use the Internet Key Exchange (IKE) protocol for automatic generation of keys in VPN connections. When a BANDIT uses the automatic keying feature, an IKE tunnel is set up for key exchange. The IKE tunnel sets up keys for the subsequent data tunnel. The data tunnel is used for data exchange. See Section 8.2, Internet Key Exchange.

Table 8-6 shows sample parameters to set up automatic keying for a VPN connection.

Table 8-5. Sample VPN Profile, Manual Keying

Field Sample Values

Profile Name profile 1

Keying manual

Remote Gateway w.w.w.w

Security Protocol ESP

Local SPI1 ****

Remote SPI1 ***

Authentication Protocol MD5, SHA-1

Authentication Key ******************************

Encryption Protocol 3DES, DES

Encryption Key ****************************

1. If keying is manual, the SPI (security parameter index) must be indicated.

Table 8-6. Sample VPN Profile, Automatic Keying (1 of 2)

Sample Fields Sample Values

Authentication Mode Main mode (also known as ID Protection),

Aggressive mode

Local ID (User ID)1 [email protected]



Table 8-7 and Table 8-8 illustrate sample proposal combinations for phase 1 and phase 2, respectively.

Remote Gateway IP Address2

3.3.3.1

Preshared Key3 ******

Phase 1, Proposal 1 4 PRE-G2-DES-MD5

Phase 1, Proposal 2 VSA-G2-3DES-SHA

Phase 2, Proposal 1 STD-G2-3DES-MD5

Phase 2, Proposal 2 PFS-G2-3DES-SHA

Replay Protection Enable/Disable

1. There are three formats for the local ID: • E-mail format: ascii-format@ascii-format • IP address format: x.x.x.x • Perfect domain name format: hostdomain.net

2. There are two kinds of remote IP addresses: static and dynamic. (Dynamic is not implemented at this time.) 3. The preshared key is used to establish the IKE tunnel. This preshared key must be protected as a super-password. The preshared key uses Diffie–Hellman Exchange 2 (DH2). 4. The BANDIT lets you provide up to four proposals per phase. The recipient must choose at least one proposal for each phase.

Table 8-7. Sample Phase 1 Proposal

Sample Fields Sample Values1

Authentication mode preshared

Diffie–Hellman (DH) group

group 2

Encryption DES, 3DES

Authentication HMAC-MD5, HMAC-SHA1

Lifetime2 1–100 units

Lifetime units2 seconds, minutes, hours, days

1. This sample proposal is tunnel-specific, not session-specific. 2. When the lifetime is reached for the indicated unit, a new key is exchanged.

Table 8-6. Sample VPN Profile, Automatic Keying (2 of 2)




8.5.3 Sample Configuration for a Remote User

Figure 8-3 shows a VPN remote user tunneling to a BANDIT gateway. The BANDIT, in turn, has created a tunnel to a VPN host at another site. Table 8-9 lists a sample set of values for the connection between the BANDIT and the remote user.

Table 8-8. Sample Phase 2 Proposal


Perfect forward secrecy (PFS)

none

DH2 (Diffie–Hellman 2)

Security protocol ESP

AH

Encryption 3DES

DES

Authentication HMAC-MD5

HMAC-SHA1

Lifetime1 1–100 units

Lifetime unit1 number of seconds

number of minutes

number of hours

number of days

kilobytes of data sent through the tunnel

1. When the lifetime is reached for the unit indicated, a new key is exchanged.

Table 8-9. Sample Tunnel User Table (1 of 2)

Fields Values

Profile Name profile 2

Authentication Mode aggressive

Keying auto-IKE

Local User ID [email protected]



8.6 Configuring the BANDIT for VPN

To configure the BANDIT for virtual private network connections, use the following procedure.

Note: For a quick VPN setup, conforming to the recommendations of the VPN Consortium (VPNC), see Appendix B, VPNC Scenario for IPsec Interoperability.

For a sample setup of a BANDIT VPN gateway operating with a remote VPN client, see Appendix C, Scenarios for Operation with a VPN Client.

In addition to the procedures in this section, you need to configure an IP routing table, an IP policy table, and an IP quality of service table for the VPN. See the following:

• Section 6.2, IP Routing

• Section 6.4, IP/VPN Policy

• Section 6.5, IP Quality of Service

Note: All VPN tables are maintained by BANDIT software inside the BANDIT device. The tables are not copied to or maintained at any other point in the network.

Gateway 3.3.3.1

Preshared Key ********

Phase 1, Proposal 1 PRE-G2-DES-MD5

Phase 1, Proposal 2 VSA-G2-3DES-SHA

Phase 2, Proposal 1 STD-G2-3DES-MD5

Phase 2, Proposal 2 PFS-G2-3DES-SHA

Replay Protection enable

Table 8-9. Sample Tunnel User Table (2 of 2)

Fields Values


Configuring the BANDIT for VPN 8-27

Note: In the VSR-1200, a VPN tunnel can be added and brought up without resetting the box, provided the tunnel’s IP routing entries are already configured and working. This allows active VPN tunnels to remain up, so that calls are not dropped. (Active calls are dropped during a standard reset.)

A VPN tunnel needs a policy table entry and a VPN profile entry; both entries must be properly configured in order for a VPN tunnel to work properly.

When a VPN profile is added or edited in the database, the configuration menu displays a prompt asking whether to activate the changes. If the user answers “yes,” the changes takes effect the next time the tunnel comes up; no system reset has to be executed.

In like manner, when an IP policy table entry with an associated VPN tunnel is added or edited, the configuration menu displays a prompt asking whether to activate the changes (without resetting). If the user answers “yes,” the system implements the changes the next time the tunnel comes up.

Filtering must be enabled in order for tunnel configurations to have any effect. In the situations mentioned above, changes made to an active tunnel do not take effect until the tunnel goes down. When the tunnel comes back up the next time, it uses the new configuration.

How to Configure VPN Connections

1 To configure VPN connections, do the following:

a Log in to the BANDIT device. (For details, see Section 3.2, Connecting a Supervisory Terminal and Logging in to the BANDIT.)

b When the Main Menu appears, select Advanced Configurations. (For details, see Section 3.3, The Main Menu.)

The Advanced Configurations menu is displayed.

c On the Advanced Configurations menu, select Routing. (For details, see Section 3.3.4, The Advanced Configurations Menu.)

The Configure Routing menu appears.



d On the Configure Routing menu, select IP Routing. (For details, see Section 6.1, The Routing Menu.)

The IP Routing Configuration menu appears.

e On the IP Routing Configuration menu, select IP/VPN Routing. (For details, see Section 6.2.1, Configuring IP Routing.)

The Virtual Private Network Configuration menu appears.

2 To see the BANDIT’s list of VPN connections and associated security protocols, select VPN Profiles.

The VPN Profile Table appears. Go to Section 8.6.1, Configuring VPN Profiles.

3 To see the BANDIT’s list of policies for secure connections, select IP/VPN Policy.

The IP/VPN Policy Table appears. Go to Section 6.4, IP/VPN Policy.

4 To return to the Main Menu, press the Escape key several times.

The Main Menu appears. Go to Section 3.3, The Main Menu.

Note: You must also configure an IP routing table and an IP quality of service table, for use by the virtual private network. See Section 6.2, IP Routing, and Section 6.5, IP Quality of Service.

8.6.1 Configuring VPN Profiles

1 To configure VPN profiles, do the following:

Virtual Private Network Configuration--------------------------------------1) VPN Profiles2) IP/VPN Policy Table

Enter choice :



a Log in to the BANDIT device. (See Section 3.2, Connecting a Supervisory Terminal and Logging in to the BANDIT.)

b On the Main Menu, select Advanced Configurations. (For details, see Section 3.3, The Main Menu.)








f On the Virtual Private Network Configuration menu, select VPN Profile. (See Section 8.6, Configuring the BANDIT for VPN.)

The VPN Profile Table appears. Each VPN profile lists the following:

• The record number (line number)

• The connection’s profile name

• The profile’ tunneling mode

• The IP address of the BANDIT at the other end of the VPN (the remote gateway)

• The security protocols associated with this profile’s connection

• Ping status

• The users allowed to use this profile



2 Do one of the following:

a To change the profile of an item in the list, type m.

The following prompt is displayed. Go to Step 3.

b To delete an item, type d.

A prompt similar to the following is displayed. Go to Step 4.

c To add an item, type c.

A prompt similar to the following is displayed. Go to Step 5.

VPN Profile Table-----------------------------------------------------------------------------No. Name Mode VPN Gateway Phase1 Proposal#1 Ping User ID--- ---------- ---- --------------- ----------------- ---- ----------------- 1) profile 1 AGGR 0.0.0.0 ESP HMAC-MD5 3DES OFF 2) profile 2 AGGR 0.0.0.0 psk-g1-des-md5 OFF 3) profile 3 MAIN 0.0.0.0 psk-g2-des-md5 OFF 4) profile 4 MAIN 0.0.0.0 psk-g5-des-md5 OFF 5) Remote AGGR 22.23.24.25 psk-g2-des-md5 OFF bandit 6) AGGR_G2 AGGR None psk-g2-3des-sha1 OFF 7) AGGR_G1 AGGR None psk-g1-des-md5 OFF 8) MAIN_G2 MAIN None psk-g2-des-md5 OFF 9) MAIN_G5 MAIN None psk-g5-des-md5 OFF

Enter 'm' to modify, 'd' to delete, 'c' to copy or <ESC> to exit:

Enter the entry number to modify (1 to 7)

Enter the entry number to delete (1 to 7)

Enter the entry number to Copy FROM:(1 to 5)[1] :



d To return to the Virtual Private Network Configuration menu, press Escape.

The Virtual Private Network Configuration menu is redisplayed. Go to Section 8.6, Configuring the BANDIT for VPN.

3 To modify an entry in the VPN Profile Table, do all of the following:

a Enter the line number of the profile to modify (listed under the heading No., shown above), and press Enter.

The fields for the selected profile are displayed.

Note: Although all records have all fields, the profile displays only the fields pertinent to the keying used—automatic keying (IKE) or manual keying.

Note: The BANDIT products do not use manual keying in normal operation. If you wish to use manual keying in the BANDIT, contact your Encore Networks representative.

• Sample display for autokeying (IKE):

b Type the line number of the field whose value you wish to change, and press Enter.

VPN PROFILE ENTRY---------------------------- 1) Profile Name: AGGR_G1 2) Tunneling Mode: AGGRESSIVE 3) VPN Gateway: 0.0.0.0 4) User ID: 5) Pre-shared Key: ***** 6) Phase 1 Ping : Disabled Idle Time: 120 seconds 7) Phase 2 Ping : Disabled Idle Time: 120 seconds 8) Monitor Ping : Disabled Idle Time: 120 seconds 9) Phase 1 Proposal10) Phase 2 ProposalEnter the number of the item to change:9



If you select a phase proposal, a menu similar to the following is presented. Go to Section 8.6.1.1, Configuring Phase Proposals for IKE Autokeying.

If you select any other field (from either display), the field is presented, so that you may enter a new value. (This example shows the VPN Gateway field, to enter the IP address or DNS for the remote VPN gateway.)

c Type the new value for the field, and press Enter.

The new value is accepted, and the selected profile is displayed with the new value.

Phase 1 Proposals------------------------ 1) Proposal 1: Preshared - DH GROUP G2 - DES - HMAC-MD5 2) Proposal 2: Preshared - DH GROUP G1 - DES - HMAC-SHA1 3) Proposal 3: Preshared - DH GROUP G5 - 3DES - HMAC-MD5 4) Proposal 4: Preshared - DH GROUP G2 - 3DES - HMAC-SHA1Enter your choice:

Enter Peer VPN Gateway (1 = IP, 2 = DNS URL), [1]:

VPN PROFILE ENTRY---------------------------- 1) Profile Name: MAIN_G2 2) Tunneling Mode: MAIN 3) VPN Gateway: 0.0.0.0 4) User ID: N/A 5) Pre-shared Key: ***** 6) Phase 1 Ping : Disabled Idle Time: 120 seconds 7) Phase 2 Ping : Disabled Idle Time: 120 seconds 8) Monitor Ping : Disabled Idle Time: 120 seconds 9) Phase 1 Proposal10) Phase 2 ProposalEnter the number of the item to change:



Note: You can configure a VPN profile to use pings to maintain or monitor connections. See Section 8.6.1.2, Configuring Pings in VPN Profiles.

d Do one of the following:

• If you wish to modify another field’s value, return to Step 3b.

• When you have finished modifying this profile, press Escape to save the new values.

The following prompt is displayed:

e Do one of the following:

• To save the changes, press Y.

• To discard the changes and keep the prior information, press N.

Whether you answer Y or N, the VPN Profile Table is redisplayed. Return to Step 2.

4 To delete a profile from the VPN Profile Table, do all of the following:

a Type the line number of the profile to delete (listed under the heading No., shown above), and press Enter.

A prompt similar to the following is displayed.

b Do one of the following:

• To delete the profile, press Y.

Do you want to keep your change? (Y/N):

Do you want to delete this profile? (Y/N):



• To discard the changes and keep the profile, press N.

Whether you answer Y or N, the VPN Profile Table is redisplayed. Return to Step 2.

5 To add a profile to the VPN Profile Table, do all of the following:

a Enter the line number of the profile you wish to use as a model for a new profile, and press Enter.

The following message appears, listing the name of the profile you have copied, and asking for a name to identify the new profile.

b Enter a unique name for the new profile, and press Enter.

Note: You may use profile names that are meaningful in your network—for example, Springfield Office, or Business Traveler 9.

The new profile name is accepted, and the VPN Profile Table is displayed, with the new profile at the bottom of the list.

c Return to Step 2. (Then select m to modify the new profile.)

8.6.1.1 Configuring Phase Proposals for IKE Autokeying

In connections that use automatic keying, a BANDIT product negotiates keys and proposals (sets of protocols) for data transmission. You can configure the proposals presented for each phase in the Internet Key Exchange.

How to Configure Phase Proposals

1 To configure phase proposals for automatic keying, do the following:

You selected COPY FROM profile name : profile 1Please enter COPY TO profile name :



a Log in to the BANDIT. (See Section 3.2, Connecting a Supervisory Terminal and Logging in to the BANDIT.)

b On the Main Menu, select Advanced Configurations. (For details, see Section 3.3, The Main Menu.)








f On the Virtual Private Network Configuration menu, select VPN Profiles. (See Section 8.6, Configuring the BANDIT for VPN.)

The VPN Profile Table appears.

g On the VPN Profile Table, indicate that you wish to modify a line that uses autokeying (IKE). Then select the line number.

The fields for autokeying are displayed.

VPN PROFILE ENTRY---------------------------- 1) Profile Name: AGGR_G2 2) Tunneling Mode: AGGRESSIVE 3) VPN Gateway: 0.0.0.0 4) User ID: 5) Pre-shared Key: ***** 6) Phase 1 Ping : Disabled Idle Time: 120 seconds 7) Phase 2 Ping : Disabled Idle Time: 120 seconds 8) Monitor Ping : Disabled Idle Time: 120 seconds 9) Phase 1 Proposal10) Phase 2 ProposalEnter the number of the item to change:



h Select the phase you wish to modify.

The proposals already configured for the phase are listed.

• Sample Phase 1 Proposal List:

• Sample Phase 2 Proposal List:


a To return to the profile display, press Escape.

The autokeying profile’s list of fields is displayed. Go to Step 3d in Section 8.6.1, Configuring VPN Profiles.

b Select the proposal you wish to modify.

The proposal’s values are listed.

Phase 1 Proposals------------------------ 1) Proposal 1: Preshared - DH GROUP G2 - DES - HMAC-MD5 2) Proposal 2: Preshared - DH GROUP G2 - DES - HMAC-SHA1 3) Proposal 3: Preshared - DH GROUP G2 - 3DES - HMAC-MD5 4) Proposal 4: Preshared - DH GROUP G2 - 3DES - HMAC-SHA1Enter your choice:

Phase 2 Proposals---------------------------- 1) Proposal 1: PFS ON - ESP - DES - HMAC-MD5 2) Proposal 2: PFS ON - ESP - DES - HMAC-SHA1 3) Proposal 3: PFS ON - ESP - DES - HMAC-SHA1 4) Proposal 4: PFS ON - ESP - DES - HMAC-MD5Enter your choice:



• Sample Phase 1 Proposal Menu:

• Sample Phase 2 Proposal Menu:

3 Select the field whose value you wish to change, and press Enter.

Possible values for the field are listed. (The values shown are for Authentication Mode in a phase 1 proposal.)

4 Enter a new value for the field, and press Enter.

The field’s new value is accepted and the proposal’s values are listed again.


a To change another field’s value, return to Step 3.

b To return to the list of proposals configured for the selected phase, press Escape.

Phase 1 Proposal 4------------------------ 1) Authentication Mode : Preshared 2) DH Group: DH GROUP G2 3) Encryption: 3DES 4) Authentication: HMAC-SHA1 5) Life: 28800 sec 6) Life Units: secEnter your choice:

Phase 2 Proposal 3--------------------- 1) PFS : PFS ON 2) Security Protocol: ESP 3) Encryption: DES 4) Authentication: HMAC-SHA1 5) Life: 28800 sec 6) Life Units: secEnter your choice:

Enter Authentication (1 = HMAC-MD5, 2 = HMAC-SHA1, 3 = NULL) [1]:



The list of configured proposals is displayed again. Return to Step 2.

8.6.1.2 Configuring Pings in VPN Profiles

You can configure pings as part of a VPN profile, in order to maintain connections. In the VPN Profile Entry menu, pings can be configured for the following purposes:

• The Phase 1 Ping keeps Phase 1 tunnels up.

• The Phase 2 Ping keeps Phase 2 tunnels up.

• The Monitor Ping (also called the “backup ping”) monitors the status of the tunnel after set-up. If the tunnel is dropped, the BANDIT can use dial backup to re-establish the tunnel connection. (Dial backup must have already been configured in order to re-establish the connection.)

To configure a ping, do the following:

1 On the VPN Profile Entry menu, select one of the following:

• Phase 1 Ping

• Phase 2 Ping

• Monitor Ping

The ping’s configuration menu is displayed.

VPN PROFILE ENTRY---------------------------- 1) Profile Name: AGGR_G2 2) Tunneling Mode: AGGRESSIVE 3) VPN Gateway: 0.0.0.0 4) User ID: 5) Pre-shared Key: ***** 6) Phase 1 Ping : Disabled Idle Time: 120 seconds 7) Phase 2 Ping : Disabled Idle Time: 120 seconds 8) Monitor Ping : Disabled Idle Time: 120 seconds 9) Phase 1 Proposal10) Phase 2 ProposalEnter the number of the item to change:



2 Select IP Address and configure the IP address of a device in the remote network. (Although this can be the remote VPN gateway, we recommend that this be another device in the remote network.)

Caution: This must be the IP address of a device that is always up on the network. If a device is regularly powered down or removed from the network, the ping will initiate a dial backup connection because it is not receiving a reply.

3 Select Packet Size and configure the size of the packet to send when pinging.

4 Select Interval and configure the amount of time between pings.

Phase1 Ping------------------------ 1) IP Address : 0.0.0.0 2) Packet Size : 50 Bytes 3) Interval : 20 Seconds 4) Idle Time : 120 Seconds

Enter Choice :

Enter PING IP Address:

Enter PING Packet Size(50 to 100)[50] :

Enter PING Interval(seconds)(5 to 300)[30] :

!



5 Select Idle Time. If the ping receives no reply from the remote device, this is the amount of time the BANDIT waits before initiating a dial backup. Type the number of seconds to wait, and press Enter.

6 When you have finished configuring this ping, press Enter to return to the VPN Profile Entry menu.

8.7 Using and Tracking VPN Connections

Note: Before you can use or track VPN connections, you must configure the BANDIT device for VPN, as described in Section 8.6, Configuring the BANDIT for VPN.

How to Use and Track VPN Connections

1 To use and track VPN connections, do the following:

a Log in to the BANDIT device. (See Section 3.2, Connecting a Supervisory Terminal and Logging in to the BANDIT.)

b On the Main Menu, select System Administration. (See Section 3.3, The Main Menu.)

c If the BANDIT requests your password for the System Administration menu, type the password and press Enter. (The default password is encore. For details, see Section 3.3.1, The System Administration Menu.)

The System Administration menu appears.

d On the System Administration menu, select VPN Commands. (For details, see Section 3.3.1, The System Administration Menu.)

The VPN Commands menu appears.

Enter Receive Idle Time(Seconds)(30 to 30000)[90] :


Using and Tracking VPN Connections 8-41


a To initiate a tunnel, select Establish VPN Tunnel.

The menu to Initiate a Manual VPN Tunnel is displayed. Go to Step 3.

b To terminate a tunnel, select Conclude VPN Tunnel.

The menu to Terminate a VPN Tunnel is displayed. Go to Step 3.

c To set the VPN trace level, select VPN Trace Level.

The Virtual Private Network Tracing menu appears. Go to Step 5.

VPN Commands-------------1) Establish VPN Tunnel2) Conclude VPN Tunnel3) VPN Trace Level - current value : None4) Show VPN Trace5) Clear VPN Trace Log

Enter Choice :

Initiate a Manual VPN Tunnel-----------------------------Y) YesN) No

Are You Sure? :

Terminate a VPN Tunnel-----------------------Y) YesN) No

Are You Sure? :



d To see the VPN trace, select Show VPN Trace.

Information about the VPN connection is shown. (A sample appears here.) Then the VPN Commands menu is redisplayed. Return to Step 2.

e To clear the VPN trace information, select Clear VPN Trace.

Information about the VPN connection is erased. (At this point, a Show Trace displays the following message. The trace now begins to collect information from this point forward.) Then the VPN Commands menu is redisplayed. Return to Step 2.

3 To initiate (start) or terminate (accept) the tunnel, select Yes.

One of the following prompts appears (as appropriate for initiating or terminating a tunnel).

Virtual Private Network Tracing--------------------------------N) No Trace - Turn Trace OffH) High Level Trace - Output InformationM) Medium Level Trace - Input/Output InformationL) Low Level Trace - All information except raw dataD) Detail Level Trace - All information including raw data

Enter Choice :

0:added connection description "Remote"

Trace Log is empty

Enter Profile Name of VPN Tunnel to start (Maximum 15 characters):


Using and Tracking VPN Connections 8-43

4 Enter the name of the VPN profile you wish to use, and press Enter.

Note: The VPN profile must already have been defined in the VPN Profile Table. In addition, you must type the profile name exactly as it appears in the VPN Profile Table, including capitalization.

If you are starting a tunnel from one of the preconfigured (automated) scenarios, enter the VPN profile name Remote and press Enter. (For details of preconfigured scenarios, see Appendix B, VPNC Scenario for IPsec Interoperability.)

If the tunnel cannot be established, a message similar to the following message appears. Then the VPN Commands menu is displayed again. Return to Step 2.

If the tunnel is being established, the following message appears. Then the VPN Commands menu is displayed again. Press Enter until you reach the Main Menu.

5 To set the VPN trace, do the following:

a Select the trace level.

If you select No Trace, the trace is turned off, and the VPN Commands menu is redisplayed. Return to Step 2.

Enter Profile Name of VPN Tunnel to terminate (Maximum 15 characters):

Profile Name Incorrect

Manual connection initiation



If you select a trace level, the following menu asks for confirmation of the trace.

b Select Yes.

The following message appears, followed by the VPN Tracing menu.

c Press Escape.

The VPN Commands menu is redisplayed. Return to Step 2.

Initiate background tracing----------------------------Y) YesN) No

Are You Sure? :

Background logging begun.


Documents

BANDIT CMG: Virtual Private Networks