DrayTek VPN Solution
Outline
• What is VPN
• What does VPN Do
• Supported VPN Protocol
• How Many Tunnels does Vigor Support
• VPN Application
• Special VPN Application
• CVM (Central VPN Management)
• Trouble Shooting
What is VPN
• A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network.
http://en.wikipedia.org/wiki/Virtual_private_network
What does VPN Do
• Host to LAN allows employees to securely access their company's intranet while traveling outside the office.
• Similarly, VPNs securely and cost-effectively connect geographically disparate offices of an organization, creating one cohesive virtual network. We call this LAN to LAN.
http://en.wikipedia.org/wiki/Virtual_private_network
Supported VPN Protocol
• PPTP (TCP 1723)
• L2TP (UDP 1701)
• IPsec (UDP 500)
• L2TP over IPsec
• SSL VPN (TCP 443)
• mOTP
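Knowing the port of each protocol is only half of what a firewall in front of the Vigor has to allow. As an added example (not DrayTek code), the script below models a first-match firewall rule set and reports which of the flows a tunnel type needs would be dropped. The rule set is constructed; GRE (IP protocol 47), ESP (IP protocol 50) and UDP 4500 (IPsec NAT-T) are included beyond the ports listed above, because opening only the control port is the usual reason a PPTP or IPsec tunnel fails to come up.

```python
"""Check whether an ordered firewall rule set lets a VPN type establish.

Added example, not DrayTek code. Rules are evaluated first-match, like a
real firewall, with a default of block. The RULES list is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Flows each tunnel type needs towards the VPN server. Ports are the ones
# from the slides; GRE, ESP and UDP 4500 are added because a firewall that
# only opens the control port still breaks these tunnels.
VPN_FLOWS = {
    "PPTP": [("tcp", 1723), ("gre", None)],
    "L2TP": [("udp", 1701)],
    "IPsec": [("udp", 500), ("udp", 4500), ("esp", None)],
    "L2TP over IPsec": [("udp", 500), ("udp", 4500), ("esp", None)],
    "SSL VPN": [("tcp", 443)],
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "gre", "esp" or "any"
    dport: Optional[int] = None  # None matches any port (or a port-less protocol)

    def matches(self, proto, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules, proto, dport, default="block"):
    """First matching rule wins; nothing matched means the default applies."""
    for rule in rules:
        if rule.matches(proto, dport):
            return rule.action
    return default


def blocked_flows(rules, vpn_type):
    """Return the flows of `vpn_type` that the rule set would not pass."""
    return [(p, d) for p, d in VPN_FLOWS[vpn_type]
            if evaluate(rules, p, d) != "pass"]


# Constructed rule set: only the well-known ports were opened.
RULES = [
    Rule("pass", "tcp", 1723),
    Rule("pass", "udp", 1701),
    Rule("pass", "udp", 500),
    Rule("pass", "tcp", 443),
    Rule("block", "any"),
]

if __name__ == "__main__":
    for vpn in VPN_FLOWS:
        missing = blocked_flows(RULES, vpn)
        print(f"{vpn:16s}", "OK" if not missing else f"blocked: {missing}")
```

With this rule set L2TP and SSL VPN come up, while PPTP loses GRE and IPsec loses ESP and NAT-T; the same check against the router's own firewall rules is what the "Check Firewall Rule" step later in the deck asks for.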
How Many VPN Tunnels Does Vigor Support
Vigor Model         IPsec/PPTP/L2TP           SSL
Vigor2110           2                         N/A
Vigor2130           2                         N/A
Vigor2710           2                         N/A
Vigor2760           2                         N/A
Vigor2830           32                        10
Vigor2850           32                        10
Vigor2860           32                        10
Vigor2912           16                        N/A
Vigor2920           32                        N/A
Vigor2925           25                        25
Vigor2930           100                       30
Vigor2950           200                       10
Vigor2960           200                       20
Vigor3200 Series    64                        10
Vigor3300 Series    200                       N/A
Vigor3900           500 (PPTP/L2TP 200)       20
VPN Application
• LAN to LAN
• Host to LAN
– PPTP/L2TP/IPsec/L2TP over IPsec
– SSL VPN
– mOTP
• VPN Trunk
LAN to LAN
(Diagram: LAN to LAN tunnel between 172.17.1.0/24 and 192.168.1.0/24)
Host to LAN
• Client site OS could be
– Windows (may use Smart VPN client)
– Mac OS/iOS
– Android
– Ubuntu
SSL VPN
• SSL Tunnel
– TCP port 443
• SSL Application
• SSL Proxy
http://www.draytek.com.tw/index.php?option=com_k2&view=itemlist&task=category&id=129:ssl-vpn&Itemid=293&lang=en
mOTP: Mobile One Time Password
VPN Trunk - Load Balance
VPN Trunk - Backup
Special VPN Application
• Change default route to this VPN tunnel
• Apply VPN Tunnel as Interface for L/B Policy
• VPN backup when specified WAN drops
• Packets trigger to establish the VPN tunnel
• Add more network into Phase 2 SA
Change Default Route to VPN tunnel
• Enable VPN default route
• Go via VPN tunnel for local service
Apply VPN Tunnel as Interface for L/B Policy
• How to Use Load-Balance/Route Policy
http://www.draytek.com.tw/index.php?option=com_k2&view=item&id=5181&Itemid=293&lang=en
VPN Backup when Specified WAN Down
Add More Network into Phase 2 SA
CVM
• How to Use Central VPN Management
http://www.draytek.com.tw/index.php?option=com_k2&view=item&id=5293&Itemid=293&lang=en
Trouble Shooting
VPN is up but traffic cannot pass to remote network?
What to Do?
• Check Routing Table
• Use ping to diagnose
• Use trace route to diagnose
• Check Firewall Rule
Check Routing Table
• Check Dial-Out Vigor's Routing table
• Check Dial-In Vigor's Routing table
– If the route to remote VPN network doesn't exist, check TCP/IP Network Setting in VPN LAN to LAN profile.
– If the route to remote VPN network exists, check if the host can respond ping.
PPTP Dial Out
PPTP Dial In
IPsec Dial Out
IPsec Dial In
Use Ping to Diagnose
• Ping to host from its Local Router
– If Local Router cannot get ping response from the host, check the firewall setting on the host.
• Find a host that can respond ping from its Local Router, and then ping the host from Remote Router.
Ping Diagnostic
Check ARP Table
Use Trace Route to Diagnose
• Use command "tracert -d <destination IP>" to check if the packet is sending through the right gateway.
Check Firewall Rule
• Check Firewall Rule and see if the packet to remote VPN network is blocked by firewall rule.
Case Study
• Router A has two networks connected, which are 192.168.1.0/24 and 192.168.2.0/24.
• Router B has one network connected, which is 192.168.139.0/24.
• Computer with IP 192.168.139.10 can ping IP 192.168.1.10, but cannot ping IP 192.168.2.10.
• What could we do?
• Use Trace Route on Computer with IP 192.168.139.10 to destination IP 192.168.2.10.
• Result: The packet is routed to the Internet?!
Step 1:
• Check Router B's Routing Table.
• Result: There is no Route to 192.168.2.0/24 on Router B.
Next Step:
• Add Route 192.168.2.0/24 via More option in VPN LAN to LAN Profile.
• Then disconnect and reconnect VPN.
• Result: Router B has route to network 192.168.2.0/24 now.
Next Step:
• Use Trace Route on Computer with IP 192.168.139.10 to destination IP 192.168.2.10 again.
• Result: The packet is stopped at IP 192.168.1.1.
Next Step:
• Check Routing Table on Router A with IP 192.168.1.1.
• Result: Router A has Static Route to destination 192.168.2.0/24 via 192.168.1.15.
• Try to ping IP 192.168.1.15 from Router A.
• Result: No ping response from IP 192.168.1.15.
Next Step:
• Check Router A's ARP Table.
• Result: There is no ARP for IP 192.168.1.15. It seems the host isn't connected to Router A!
Next Step:
• Check the Router setting that is connected between Router A and network 192.168.2.0/24.
• Result: The correct IP is 192.168.1.13!
Next Step:
Correct the Static Route setting from Router A then use Trace Route on Computer with IP 192.168.139.10 to destination IP 192.168.2.10 again. Result: It succeeds!
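The case study is a sequence of forwarding decisions: a missing route on Router B sends the packet out the default route, a static route on Router A pointing at a next hop that never answers ARP stops it there, and the corrected next hop lets it reach 192.168.2.0/24. As an added example (not DrayTek code), the script below replays those three states with longest-prefix routing lookups and an ARP check per hop. The addresses are the ones in the slides; the router names ("A", "B", and "C" for the device at 192.168.1.13) and the ARP table contents are constructed.

```python
"""Hop-by-hop simulation of the case study above.

Added example, not DrayTek code: each router is a routing table (longest-prefix
match), its directly attached networks, its own interface IPs and an ARP table.
Router names and ARP contents are constructed; addresses are from the slides.
"""
import ipaddress


class Router:
    def __init__(self, name, addresses, connected, routes, arp=()):
        self.name = name
        self.addresses = set(addresses)                        # own interface IPs
        self.connected = [ipaddress.ip_network(n) for n in connected]
        # prefix -> next hop: a peer name means "via the VPN tunnel to that router",
        # an IP string means a gateway on an attached LAN (a static route)
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}
        self.arp = set(arp)                                    # neighbours resolved on attached LANs

    def next_hop(self, dst):
        """'deliver' for an attached network, the best route's next hop, or
        'Internet' when nothing but the default route matches."""
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in self.connected):
            return "deliver"
        matches = [p for p in self.routes if ip in p]
        if not matches:
            return "Internet"
        return self.routes[max(matches, key=lambda p: p.prefixlen)]


def trace(routers, start, dst):
    """Follow the packet the way tracert shows it.
    Returns (status, hops): status is 'ok', 'internet' (left via the default
    route) or 'stopped at <router>' (next hop does not answer ARP)."""
    by_addr = {a: r for r in routers.values() for a in r.addresses}
    current, hops = routers[start], []
    for _ in range(16):                                        # TTL-style loop guard
        hops.append(current.name)
        nh = current.next_hop(dst)
        if nh == "deliver":
            return ("ok", hops + [dst])
        if nh == "Internet":
            return ("internet", hops)
        if nh in routers:                                      # VPN LAN to LAN peer
            current = routers[nh]
        elif nh in current.arp and nh in by_addr:              # gateway on an attached LAN
            current = by_addr[nh]
        else:
            return (f"stopped at {current.name}", hops)
    return ("loop", hops)


def build_case(b_has_route, a_next_hop):
    """Routers of the case study; the parameters are the two misconfigurations."""
    b_routes = {"192.168.1.0/24": "A"}
    if b_has_route:                                            # 'More' network in the LAN to LAN profile
        b_routes["192.168.2.0/24"] = "A"
    router_b = Router("B", {"192.168.139.1"}, ["192.168.139.0/24"], b_routes)
    router_a = Router("A", {"192.168.1.1"}, ["192.168.1.0/24"],
                      {"192.168.139.0/24": "B", "192.168.2.0/24": a_next_hop},
                      arp={"192.168.1.10", "192.168.1.13"})    # nothing at 192.168.1.15
    router_c = Router("C", {"192.168.1.13", "192.168.2.1"},
                      ["192.168.1.0/24", "192.168.2.0/24"],
                      {"192.168.139.0/24": "192.168.1.1"}, arp={"192.168.1.1"})
    return {"A": router_a, "B": router_b, "C": router_c}


if __name__ == "__main__":
    for label, routers in [("no route on B", build_case(False, "192.168.1.15")),
                           ("wrong next hop on A", build_case(True, "192.168.1.15")),
                           ("fixed", build_case(True, "192.168.1.13"))]:
        print(f"{label:20s}", trace(routers, "B", "192.168.2.10"))
```

The three runs reproduce the slides: the first leaves Router B for the Internet, the second stops at Router A because 192.168.1.15 has no ARP entry, and the third reaches 192.168.2.10 through the device at 192.168.1.13. The same routers also show why 192.168.1.10 was reachable all along: it sits on Router A's attached LAN, so only the tunnel route to 192.168.1.0/24 is needed.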
Application Note
• When VPN tunnel is established, why can't I access any host in the remote subnet?
http://www.draytek.com.tw/index.php?option=com_k2&view=item&id=1279&Itemid=293&lang=en