Lancom 7100 VPN User manual

110750/0310
LANCOM Systems GmbH
Adenauerstr. 20/B2
52146 Würselen
Germany
Internet www.lancom.eu
LANCOM 7100 VPN
LANCOM 9100 VPN
LANCOM 7100 VPN – LANCOM 9100 VPN

© 2010 LANCOM Systems GmbH, Wuerselen (Germany). All rights reserved.
While the information in this manual has been compiled with great care, it may not be deemed an assurance of product
characteristics. LANCOM Systems shall be liable only to the degree specified in the terms of sale and delivery.
The reproduction and distribution of the documentation and software supplied with this product and the use of its contents
is subject to written authorization from LANCOM Systems. We reserve the right to make any alterations that arise as the
result of technical development.
Windows®, Windows Vista™, Windows NT® and Microsoft® are registered trademarks of Microsoft, Corp.
The LANCOM Systems logo, LCOS and the name LANCOM are registered trademarks of LANCOM Systems GmbH. All other
names or descriptions used may be trademarks or registered trademarks of their owners.
Subject to change without notice. No liability for technical errors or omissions.
Products from LANCOM Systems include software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Products from LANCOM Systems include cryptographic software written by Eric Young (eay@cryptsoft.com).
Products from LANCOM Systems include software developed by the NetBSD Foundation, Inc. and its contributors.
Products from LANCOM Systems contain the LZMA SDK developed by Igor Pavlov.
LANCOM Systems GmbH
Adenauerstr. 20/B2
52146 Wuerselen
Germany
www.lancom.eu
Wuerselen, March 2010

Preface
Thank you for your confidence in us!
You have decided on a high-quality product from LANCOM. The models LANCOM 7100 VPN and LANCOM 9100 VPN are high-performance central-site VPN gateways which provide connectivity for up to 200 and 1000 sites respectively.
The devices offer the following features:
- LANCOM 7100 VPN provides 100 VPN channels, upgradable to 200 remote sites; LANCOM 9100 VPN provides 200 VPN channels, upgradable to 1000 remote sites
- VRRP and load balancing
- Advanced Routing and Forwarding with 256 VLAN / IP contexts with LANCOM 7100 VPN, 128 VLAN / IP contexts with LANCOM 9100 VPN
- Status and error display
- 4 x Gigabit Ethernet + ISDN BRI
Security settings
To maximize the security available from your product, we recommend that you undertake all of the security settings (e.g. firewall, encryption, access protection) that were not already activated when you purchased the product. The LANconfig Wizard 'Security Settings' will help you with this task. Further information is also available in the chapter 'Security settings'.
We would additionally like to ask you to refer to our Internet site www.lancom.eu for the latest information about your product and technical developments, and also to download our latest software versions.
Components of the documentation
The documentation of your device consists of the following parts:
- Installation Guide
- User manual
- Reference manual
- Menu Reference Guide
You are now reading the user manual. It contains all information you need to put your device into operation. It also contains all of the important technical specifications.

The Reference Manual is to be found as an Acrobat document (PDF file) at www.lancom.eu/download or on the CD supplied. It is designed as a supplement to the user manual and goes into detail on topics that apply to a variety of models. These include, for example:
- The system design of the operating system LCOS
- Configuration
- Management
- Diagnosis
- Security
- Routing and WAN functions
- Firewall
- Quality of Service (QoS)
- Virtual Private Networks (VPN)
- Virtual Local Networks (VLAN)
- Backup solutions
- LANCAPI
- Further server services (DHCP, DNS, charge management)
The Menu Reference Guide (also available at www.lancom.eu/download or on the CD supplied) describes all of the parameters in LCOS, the operating system used by LANCOM products. This guide is an aid to users during the configuration of devices by means of WEBconfig or the telnet console.
This documentation was created by …
... several members of our staff from a variety of departments in order to ensure you the best possible support when using your LANCOM product.
Should you find any errors, or if you would like to suggest improvements, please do not hesitate to send an e-mail directly to:
Our online services www.lancom.eu are available to you around the clock if you have any questions on the content in this manual, or if you require any further support. The area 'Support' will help you with many answers to frequently asked questions (FAQs). Furthermore, the knowledgebase offers you a large reserve of information. The latest drivers, firmware, utilities and documentation are constantly available for download.
In addition, LANCOM Support is available. For telephone numbers and contact addresses for LANCOM Support, please refer to the enclosed leaflet or the LANCOM Systems Web site.
Information symbols
Very important instructions. Failure to observe these may result in damage.
Important instruction that should be observed.
Additional information that may be helpful but is not essential.

Contents
1 Introduction
1.1 What does VPN offer?
1.2 Just what can your LANCOM Router do?
2 Installation
2.1 Package content
2.2 System requirements
2.3 Status displays and interfaces
2.3.1 Front
2.3.2 Rear panel
2.4 Hardware installation
2.5 Software installation
2.5.1 Starting the software setup
2.5.2 Which software should I install?
3 Basic configuration
3.1 Details you will need
3.1.1 TCP/IP settings
3.1.2 Configuration protection
3.1.3 Charge protection
3.2 Instructions for LANconfig
3.3 Instructions for WEBconfig
3.4 TCP/IP settings for PC workstations
4 Setting up Internet access
4.1 The Internet Connection Wizard
4.1.1 Instructions for LANconfig
4.1.2 Instructions for WEBconfig
5 Connecting two networks
5.1 Which details are necessary?
5.1.1 General information
5.1.2 Settings for the TCP/IP router
5.1.3 Settings for NetBIOS routing
5.2 Instructions for LANconfig
5.3 1-Click-VPN for networks (site-to-site)
5.4 Instructions for WEBconfig
6 Providing dial-in access
6.1 Which details are necessary?
6.1.1 General information
6.1.2 Settings for TCP/IP
6.1.3 Settings for NetBIOS routing
6.2 Settings on the dial-in computer
6.2.1 Dialing-in via VPN
6.2.2 Dialing-in via ISDN
6.3 Instructions for LANconfig
6.4 1-Click-VPN for LANCOM Advanced VPN Client
6.5 Instructions for WEBconfig
7 Fax transmission with LANCAPI
7.1 Installing the LANCOM CAPI Faxmodem
7.2 Installing the MS Windows Fax Service
7.3 Sending a fax
7.3.1 Sending faxes from an office application
7.3.2 Sending faxes with the Windows Fax Service
8 Security settings
8.1 Tips for the proper treatment of keys and passphrases
8.2 Security settings Wizard
8.2.1 LANconfig Wizard
8.2.2 WEBconfig Wizard
8.3 The security checklist
9 Advice & assistance
9.1 No WAN connection can be established
9.2 Slow DSL transmission
9.3 Unwanted connections under Windows XP
10 Appendix
10.1 Performance and characteristics
10.2 Connector wiring
10.2.1 Ethernet interface 10/100/1000Base-TX, DSL interface
10.2.2 ISDN-S0 interface
10.2.3 Configuration interface (outband)
10.3 CE-declarations of conformity

1 Introduction
The models LANCOM 7100 VPN and LANCOM 9100 VPN are high-performance central-site VPN gateways which support 100 and 200 VPN connections respectively. With the LANCOM VPN Option, the routers provide VPN connections for up to 200 and 1000 sites respectively. Quality-of-Service, dynamic bandwidth management and the four Gigabit-Ethernet slots ensure that data is correctly prioritized in the network and that speeds are maximized. Various connection possibilities including ISDN, WAN and the USB 2.0 host port facilitate its integration into the network. Practical: Various information on the device is permanently displayed, including temperature, CPU load, and active VPNs. The fan's function is permanently monitored by LED and, additionally, an acoustic signal is emitted should the CPU overheat.
The integrated firewall with security functions such as stateful inspection, intrusion detection and denial-of-service protection is supplemented by dynamic bandwidth management and comprehensive backup, high-availability and redundancy functions over ISDN and VRRP.
IPSec-based VPN provides optimal security for connecting branch offices and home offices thanks to the high-security 3-DES or AES encryption, integrated hardware acceleration, and support of digital certificates.
The versatile functions for address translation and routing allow different networks to be connected over common infrastructure. The LANCOM Advanced Routing and Forwarding concept ensures that professional network virtualization is no longer a problem: Existing networks at partner companies, branch offices, or home-office workstations can be integrated into the VPN without problem.
[Figure: headquarters (VPN gateway, server) and branch (VPN router, LAN) connected via the Internet (ADSL), with a backup connection over the ISDN network in case of a breakdown of the provider network or of the Internet connection]
The management systems LANconfig and LANmonitor are included and offer not only cost-effective remote maintenance of entire installations along with highly convenient setup wizards, but also full real-time monitoring and logging. Service providers benefit from the broad range of scripting methods and professional access with individual access rights for administrators via SSH, HTTPS, TFTP and ISDN dial-in.
1.1 What does VPN offer?
A VPN (Virtual Private Network) can be used to set up secure data communications over the Internet.
The following structure results when using the Internet instead of direct connections:
All participants have fixed or dial-up connections to the Internet. Expensive dedicated lines are no longer needed.
(1) All that is required is the Internet connection of the LAN in the headquarters. Special switching devices or routers for dedicated lines to individual participants are superfluous.
(2) The subsidiary also has its own connection to the Internet.
(3) The RAS PCs connect to the headquarters LAN via the Internet.
[Figure: headquarters LAN (VPN gateway, server) and branch LAN (VPN gateway, PCs) connected via the Internet, together with computers using remote access, e.g. home working; callouts (1) to (3)]
The Internet is available virtually everywhere and typically has low access costs. Significant savings can thus be achieved in relation to switched or dedicated connections, especially over long distances.
The physical connection no longer exists directly between two participants; instead, the participants rely on their connection to the Internet. The access technology used is not relevant in this case: Broadband technology such as DSL (Digital Subscriber Line) is ideal. A conventional ISDN line can be used, too.
The technologies of the individual participants do not have to be compatible with one another, as would be the case for conventional direct connections. A single Internet access can be used to establish multiple simultaneous logical connections to a variety of remote sites.
The resulting savings and high flexibility make the Internet (or any other IP network) an outstanding backbone for a corporate network.
1.2 Just what can your LANCOM Router do?
The following table provides a comparison of the properties and functions of
your device.

| Feature | LANCOM 7100 VPN | LANCOM 9100 VPN |
|---|---|---|
| Applications | | |
| Internet access | ✔ | ✔ |
| LAN-LAN connectivity over VPN | ✔ | ✔ |
| LAN-LAN connectivity over ISDN | ✔ | ✔ |
| RAS server (over VPN) | ✔ | ✔ |
| RAS server (over ISDN) | ✔ | ✔ |
| IP router with stateful inspection firewall | ✔ | ✔ |
| NetBIOS proxy for connecting Microsoft peer-to-peer networks | ✔ | ✔ |
| DHCP and DNS server (for LAN and WLAN) | ✔ | ✔ |
| N:N mapping for routing networks with the same IP-address ranges over VPN | ✔ | ✔ |
| Configuring LAN ports as additional WAN ports | ✔ | ✔ |
| Policy-based routing | ✔ | ✔ |
| Load balancing for bundling multiple DSL channels | 4 channels | 4 channels |
| Backup solutions and load balancing with VRRP | ✔ | ✔ |
| NAT Traversal (NAT-T) | ✔ | ✔ |
| DMZ with configurable IDS checks | ✔ | ✔ |
| PPPoE servers | ✔ | ✔ |
| WAN RIP | ✔ | ✔ |
| Spanning Tree Protocol | ✔ | ✔ |
| Layer 2 QoS tagging | ✔ | ✔ |
| ISDN leased lines | ✔ | ✔ |
| LANCAPI server to provide office applications such as fax or answering machine via the ISDN interface | ✔ | ✔ |
| WAN connections | | |
| Connector for DSL or cable modem (via LAN ports) | ✔ | ✔ |
| ISDN-S0 connector for establishing Dynamic VPN connections to remote sites with dynamic IP addresses | ✔ | ✔ |
| LAN connection | | |
| Individual Gigabit Ethernet LAN ports. Alternatively switchable as a WAN interface for connecting SDSL modems. | 4 | 4 |
| USB connector | | |
| USB 2.0 host port (high speed: 480 Mbps) for connecting a USB printer and for future extensions | ✔ | ✔ |
| Security functions | | |
| IPSec encryption via external software (VPN client) | ✔ | ✔ |
| 100 integrated VPN tunnels for secure network connections | ✔ | |
| 200 integrated VPN tunnels for secure network connections | | ✔ |
| IPsec encryption in hardware | ✔ | ✔ |
| IP masquerading (NAT, PAT) to conceal individual LAN workstations behind a single public IP address | ✔ | ✔ |
| Stateful-inspection firewall | ✔ | ✔ |
| Firewall filter for blocking individual IP addresses, protocols and ports | ✔ | ✔ |
| MAC address filter regulates, for example, LAN-workstation access to the IP routing function | ✔ | ✔ |
| Protection of the configuration from brute-force attacks | ✔ | ✔ |
| Configuration | | |
| Configuration with LANconfig or via web browser; additional terminal mode for Telnet or equivalent terminal programs; SNMP interface and TFTP server function | ✔ | ✔ |
| Remote configuration via ISDN (with ISDN PPP connections, e.g. via Windows Dial-Up Networking) | ✔ | ✔ |
| Serial configuration interface | ✔ | ✔ |
| Call-back function with PPP authentication mechanisms allowing only predefined ISDN call numbers | ✔ | ✔ |
| FirmSafe for no-risk firmware updates | ✔ | ✔ |
| Optional software extensions | | |
| LANCOM VPN Option with 200 active tunnels for secure network connectivity | ✔ | |
| LANCOM VPN Option with 500 active tunnels for secure network connectivity | | ✔ |
| LANCOM VPN Option with 1000 active tunnels for secure network connectivity | | ✔ |
| LANCOM Next Business Day Service Extension Central Site, item no. 61413 | ✔ | ✔ |
| LANCOM 2-Year Warranty Extension Central Site, item no. 61416 | ✔ | ✔ |

2 Installation
This chapter will assist you to quickly install hardware and software. First,
check the package contents and system requirements. The device can be
installed and configured quickly and easily if all prerequisites are fulfilled.
2.1 Package content
Before beginning with the installation, please check that nothing is missing from your package. Along with the device itself, the box should contain the following accessories:

| Accessory | LANCOM 7100 VPN | LANCOM 9100 VPN |
|---|---|---|
| IEC cable | ✔ | ✔ |
| LAN connector cable (green connectors) | ✔ | ✔ |
| WAN connector cable (dark-blue connectors) | ✔ | ✔ |
| ISDN connector cable (light-blue connectors) | ✔ | ✔ |
| Connector cable for the configuration interface | ✔ | ✔ |
| Mounting brackets for 19" cabinets | ✔ | ✔ |
| Rubber feet | ✔ | ✔ |
| LANCOM CD | ✔ | ✔ |

Should anything be missing, please immediately contact your dealer or the address on the delivery note supplied with your device.
2.2 System requirements
Computers that connect to a LANCOM must meet the following minimum requirements:
- Operating system with TCP/IP support, such as Windows, Linux, BSD Unix, Apple Mac OS, OS/2.
- Access to the LAN via the TCP/IP protocol.
The LANtools also require a Windows operating system. A web browser under any operating system provides access to WEBconfig.

2.3 Status displays and interfaces
Meanings of the LEDs
In the following sections we will use different terms to describe the behaviour of the LEDs:
- Blinking means that the LED is switched on and off at regular intervals in the respective indicated colour.
- Flashing means that the LED lights up very briefly in the respective colour and then stays switched off for clearly longer (approximately 10x longer).
- Inverse flashing means the opposite. The LED lights permanently in the respective colour and is only briefly interrupted.
- Flickering means that the LED is switched on and off at irregular intervals.
2.3.1 Front
The LANCOM Routers are equipped with the following status displays on the front panel:
[Figure: front-panel status displays of the LANCOM 7100 VPN and LANCOM 9100 VPN, callouts (1) to (8)]
(1) Power: This LED provides information on the device's operating state.

| Colour | State | Meaning |
|---|---|---|
| Off | | Device switched off |
| Green | Blinking | Self-test after power-up |
| Green | On (permanently) | Device operational |
| Red/green | Blinking alternately | Device insecure: Configuration password not set |
| Red | Blinking | Time or charge limit on online connections has been reached |

The power LED blinks alternately in red/green until a configuration password has been set. Without a configuration password, the configuration data in the LANCOM is unprotected. Normally you would set a configuration password during the basic configuration (instructions in the following chapter). Information about setting a configuration password at a later time is available in the section 'The Security Wizard'.
The power LED is blinking and no connection can be made?
If the power LED blinks red and no WAN connections can be established, there is no cause for concern. This merely means that a pre-set charge or time limit has been reached.
[Figure: Power LED signalling that a charge or time limit has been reached]
There are three ways to remove the lock:
- Reset the toll protection.
- Increase the limit.
- Deactivate the lock completely (set limit to '0').
LANmonitor shows you when a charge or time limit has been reached. To reset the toll protection, select Reset charge and time limits from the context menu (right-mouse click). The charge settings are defined in LANconfig under Management > Costs (these settings are only available if the 'Complete configuration display' is activated under Tools > Options).
With WEBconfig, charge protection and all parameters are to be found under LCOS menu tree > Setup > Charges > Reset budgets.
(2) Fan: The Fan LED displays the fan's status:

| Colour | State | Meaning |
|---|---|---|
| Green | On (permanently) | CPU temperature OK |
| Orange | On (permanently) | CPU temperature > 55° |
| Red | Blinking | Hardware failure of the fan or CPU temperature > 60°; additional acoustic signal |

To prevent damage to the hardware, this LED is complemented by an acoustic signal. If the fan is blocked or the CPU temperature exceeds 60°, a pulsed acoustic signal is emitted.
(3) COM: Connection status of the serial configuration interface

| Colour | State | Meaning |
|---|---|---|
| Off | | No session logged on |
| Green | On (permanently) | Serial configuration session logged on |
| Orange | Flickering | Data transmission during the configuration session |

(4) Online: The online LED displays the general status of all WAN interfaces:

| Colour | State | Meaning |
|---|---|---|
| Off | | No active connection |
| Green | Flashing | Opening the first connection |
| Green | Inverse flashing | Opening an additional connection |
| Green | On (permanently) | At least one connection is established |
| Red | On (permanently) | Error establishing the last connection |

(5) Backup: Displays the backup status:

| Colour | State | Meaning |
|---|---|---|
| Off | | None of the WAN connections or virtual routers is in the backup state |
| Red | On (permanently) | At least one of the WAN connections or virtual routers is in the backup state |

(6) Standby: Displays the standby status:

| Colour | State | Meaning |
|---|---|---|
| Off | | No VRRP active, or VRRP active and one virtual router defined in the device is in the Master state. |
| Red | On (permanently) | All virtual routers defined in the device are deactivated. A virtual router is deactivated in the following situations: the link is broken; the virtual router is already in backup state and the backup connection is broken; the main connection fails and no backup priority is defined for the virtual router. |
| Green | On (permanently) | All virtual routers defined in the device are in Standby state. |

(7) VPN: Status of a VPN connection.

| Colour | State | Meaning |
|---|---|---|
| Off | | No VPN tunnel established |
| Green | Blinking | Connection establishment |
| Green | Flashing | First connection |
| Green | Inverse flashing | Other connections |
| Green | On (permanently) | VPN tunnels are established |

(8) LCD display: The LC display has two lines of 16 characters each to display the following information in rotation:
- Device name
- Firmware version
- Device temperature
- Date and time
- CPU load
- Memory load
- Number of VPN tunnels
- Data transfer in reception direction
- Data transfer in transmission direction
The LANCOM Routers are equipped with the following interfaces on the front panel:
[Figure: front-panel interfaces of the LANCOM 7100 VPN and LANCOM 9100 VPN: COM, ETH1 to ETH4, ISDN, USB and reset button, callouts (9) to (13)]
(9) COM: Connector for the serial configuration cable.
(10) ETH 1 to 4: Ethernet sockets (10/100/1000Base-Tx) for connection to the LAN. 10 Mbit, 100 Mbit or 1000 Mbit connections are supported. The available transfer rate is detected automatically (autosensing).
Each Ethernet socket has two LEDs (green and yellow).

| LED | State | Meaning |
|---|---|---|
| Green | Off | No networking device attached |
| Green | On (permanently) | Connection to network device operational, no data traffic |
| Green | Flickering | Data traffic |
| Yellow | Off | 1000 Mbps |
| Yellow | On (permanently) | 10/100 Mbps |

(11) ISDN: ISDN-S0 connector. Each ISDN/S0 socket has two LEDs (green and orange):

| Green | Orange | Meaning |
|---|---|---|
| Blinking | Blinking | Hardware error |
| On (permanently) | Blinking | D channel connected, B channel not connected |
| On (permanently) | Flashing | ISDN protocol negotiation (B channel) |
| On (permanently) | On (permanently) | B channel connected |
| Blinking | Off | Layer-1 being established |
| Off | Off | Layer-1 deactivated |
| On (permanently) | Off | TEI or Layer-2 activation available |

(12) USB: USB connector (USB host)
(13) Reset: Reset button (see 'Reset button functions')
Reset button functions
The reset button offers two basic functions, boot (restart) and reset (to the factory settings), which are called by pressing the button for different lengths of time.
It is not always possible to install a device under lock and key. There is consequently a risk that the configuration will be deleted by mistake if a co-worker presses the reset button too long. You can define the behavior of the reset button with a setting in WEBconfig (LCOS menu tree > Setup > Config):