Lancom 9100 VPN User manual

110644/0409
LANCOM Systems GmbH
Adenauerstr. 20/B2
52146 Würselen
Germany
Internet www.lancom.eu
LANCOM 9100 VPN
LANCOM 9100 VPN Wireless


© 2009 LANCOM Systems GmbH, Wuerselen (Germany). All rights reserved.
While the information in this manual has been compiled with great care, it may not be deemed an assurance of product
characteristics. LANCOM Systems shall be liable only to the degree specified in the terms of sale and delivery.
The reproduction and distribution of the documentation and software supplied with this product and the use of its contents
is subject to written authorization from LANCOM Systems. We reserve the right to make any alterations that arise as the
result of technical development.
Windows®, Windows Vista™, Windows NT® and Microsoft® are registered trademarks of Microsoft, Corp.
The LANCOM Systems logo, LCOS and the name LANCOM are registered trademarks of LANCOM Systems GmbH. All other
names or descriptions used may be trademarks or registered trademarks of their owners.
Subject to change without notice. No liability for technical errors or omissions.
Products from LANCOM Systems include software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
Products from LANCOM Systems include cryptographic software written by Eric Young (eay@cryptsoft.com).
Products from LANCOM Systems include software developed by the NetBSD Foundation, Inc. and its contributors.
Products from LANCOM Systems contain the LZMA SDK developed by Igor Pavlov.
LANCOM Systems GmbH
Adenauerstr. 20/B2
52146 Wuerselen
Germany
www.lancom.eu
Wuerselen, April 2009

Preface
Thank you for your confidence in us!
You have decided on a high quality product from LANCOM. The LANCOM 9100 VPN
is a high performance central site VPN gateway that provides connectivity for
up to 1000 sites. The following functions are characteristics of the
LANCOM 9100 VPN:
- Provides 200 VPN channels, upgradable to 1000 remote sites
- VRRP and load balancing
- Advanced Routing and Forwarding with 256 VLAN / IP contexts
- Status and error display
- 4 x Gigabit Ethernet + ISDN BRI

Security settings
To maximize the security available from your product, we recommend that you
undertake all of the security settings (e.g. firewall, encryption, access
protection) that were not already activated when you purchased the product.
The LANconfig Wizard 'Security Settings' will help you with this task. Further
information is also available in the chapter 'Security settings'.
We would additionally like to ask you to refer to our Internet site
www.lancom.eu for the latest information about your product and technical
developments, and also to download our latest software versions.

Components of the documentation
The documentation of your device consists of the following parts:
- Installation Guide
- User manual
- Reference manual
- Menu Reference Guide
You are now reading the user manual. It contains all information you need to
put your device into operation. It also contains all of the important technical
specifications.
The Reference Manual is to be found as an Acrobat document (PDF file) at
www.lancom.eu/download or on the CD supplied. It is designed as a supplement
to the user manual and goes into detail on topics that apply to a variety
of models. These include, for example:

- The system design of the operating system LCOS
- Configuration
- Management
- Diagnosis
- Security
- Routing and WAN functions
- Firewall
- Quality of Service (QoS)
- Virtual Private Networks (VPN)
- Virtual Local Networks (VLAN)
- Backup solutions
- LANCAPI
- Further server services (DHCP, DNS, charge management)
The Menu Reference Guide (also available at www.lancom.eu/download or on
the CD supplied) describes all of the parameters in LCOS, the operating system
used by LANCOM products. This guide is an aid to users during the
configuration of devices by means of WEBconfig or the telnet console.
This documentation was created …
… by several members of our staff from a variety of departments in order to
offer you the best possible support when using your LANCOM product.
Should you find an error, or if you would simply like to offer criticism or
suggestions about this documentation, please send an e-mail directly to:

Content
1 Introduction
1.1 What does VPN offer?
1.2 Just what can your LANCOM Router do?
2 Installation
2.1 Package content
2.2 System requirements
2.3 Status displays and interfaces
2.3.1 Front
2.3.2 Rear panel
2.4 Hardware installation
2.5 Software installation
2.5.1 Starting the software setup
2.5.2 Which software should I install?
3 Basic configuration
3.1 What details are necessary?
3.1.1 TCP/IP settings
3.1.2 Configuration protection
3.1.3 Charge protection
3.2 Instructions for LANconfig
3.3 Instructions for WEBconfig
3.4 TCP/IP settings for PC workstations
4 Setting up Internet access
4.1 The Internet Connection Wizard
4.1.1 Instructions for LANconfig
4.1.2 Instructions for WEBconfig

5 Connecting two networks
5.1 Which details are necessary?
5.1.1 General information
5.1.2 Settings for the TCP/IP router
5.1.3 Settings for NetBIOS routing
5.2 Instructions for LANconfig
5.3 1-Click-VPN for networks (site-to-site)
5.4 Instructions for WEBconfig
6 Providing dial-in access
6.1 Which details are necessary?
6.1.1 General information
6.1.2 Settings for TCP/IP
6.1.3 Settings for NetBIOS routing
6.2 Settings on the dial-in computer
6.2.1 Dialing-in via VPN
6.2.2 Dialing-in via ISDN
6.3 Instructions for LANconfig
6.4 1-Click-VPN for LANCOM Advanced VPN Client
6.5 Instructions for WEBconfig
7 Fax transmission with LANCAPI
7.1 Installing the LANCOM CAPI Faxmodem
7.2 Installing the MS Windows Fax Service
7.3 Sending a fax
7.3.1 Sending faxes from an office application
7.3.2 Sending faxes with the Windows Fax Service
8 Security settings
8.1 Tips for the proper treatment of keys and passphrases
8.2 Security settings Wizard
8.2.1 LANconfig Wizard
8.2.2 WEBconfig Wizard
8.3 The security checklist

9 Advice & assistance
9.1 No WAN connection can be established
9.2 Slow DSL transmission
9.3 Unwanted connections under Windows XP
10 Appendix
10.1 Performance and characteristics
10.2 Connector wiring
10.2.1 LAN/WAN interface 10/100/1000Base-TX, DSL interface
10.2.2 ISDN-S0 interface
10.2.3 Configuration interface (outband)
10.3 Declaration of conformity
11 Index

1 Introduction
The LANCOM 9100 VPN is a high-performance central-site VPN gateway that
supports 200 VPN connections. With the LANCOM VPN Option, it provides
VPN connections for up to 1000 sites. Quality-of-Service, dynamic bandwidth
management and the four Gigabit-Ethernet slots ensure that data is correctly
prioritized in the network and that speeds are maximized. Various connection
possibilities including ISDN, WAN and the USB 2.0 host port facilitate its
integration into the network. Practical: Various information on the device is
permanently displayed, including temperature, CPU load, and active VPNs. The
fan's function is permanently monitored by LED and, additionally, an acoustic
signal is emitted should the CPU overheat.
The integrated firewall with security functions such as stateful inspection,
intrusion detection and denial-of-service protection is supplemented by
dynamic bandwidth management and comprehensive backup, high-availability and
redundancy functions over ISDN and VRRP.
IPSec-based VPN provides optimal security for connecting branch offices and
home offices thanks to the high-security 3-DES or AES encryption, integrated
hardware acceleration, and support of digital certificates.
The versatile functions for address translation and routing allow different
networks to be connected over common infrastructure. The LANCOM Advanced
Routing and Forwarding concept ensures that professional network
virtualization is no longer a problem: Existing networks at partner companies,
branch offices, or home-office workstations can be integrated into the VPN
without problem.
[Figure: headquarters (VPN gateway, server) and branch (VPN router, ADSL, LAN)
connected over the Internet, with NTBAs and the ISDN network as backup
connection for a breakdown of the provider network or of the Internet
connection]

The management systems LANconfig and LANmonitor are included and offer
not only cost-effective remote maintenance of entire installations along with
highly convenient setup wizards, but also full real-time monitoring and
logging. Service providers benefit from the broad range of scripting methods
and professional access with individual access rights for administrators via
SSH, HTTPS, TFTP and ISDN dial-in.
1.1 What does VPN offer?
A VPN (Virtual Private Network) can be used to set up secure data
communications over the Internet.
The following structure results when using the Internet instead of direct
connections:
All participants have fixed or dial-up connections to the Internet. Expensive
dedicated lines are no longer needed.
(1) All that is required is the Internet connection of the LAN in the
    headquarters. Special switching devices or routers for dedicated lines to
    individual participants are superfluous.
(2) The subsidiary also has its own connection to the Internet.
(3) The RAS PCs connect to the headquarters LAN via the Internet.
[Figure: VPN structure over the Internet; labels: headquarters (VPN gateway,
LAN, server), laptop, Internet, VPN router, router, branch (LAN)]

The Internet is available virtually everywhere and typically has low access
costs. Significant savings can thus be achieved in relation to switched or
dedicated connections, especially over long distances.
The physical connection no longer exists directly between two participants;
instead, the participants rely on their connection to the Internet. The access
technology used is not relevant in this case: Broadband technology such as
DSL (Digital Subscriber Line) is ideal. A conventional ISDN line can be used,
too.
The technologies of the individual participants do not have to be compatible
with one another, as would be the case for conventional direct connections. A
single Internet access can be used to establish multiple simultaneous logical
connections to a variety of remote sites.
The resulting savings and high flexibility make the Internet (or any other IP
network) an outstanding backbone for a corporate network.
1.2 Just what can your LANCOM Router do?
The following table provides a comparison of the properties and functions of
your device.
LANCOM 9100 VPN

Applications
Internet access ✔
LAN-LAN connectivity over VPN ✔
LAN-LAN connectivity over ISDN ✔
RAS server (over VPN) ✔
RAS server (over ISDN) ✔
IP router with stateful inspection firewall ✔
NetBIOS proxy for connecting Microsoft peer-to-peer networks ✔
DHCP and DNS server (for LAN and WLAN) ✔
N:N mapping for routing networks with the same IP-address ranges over VPN ✔
Configuring LAN ports as additional WAN ports ✔
Policy-based routing ✔
Load balancing for bundling multiple DSL channels: 4 channels
Backup solutions and load balancing with VRRP ✔
NAT Traversal (NAT-T) ✔
DMZ with configurable IDS checks ✔
PPPoE servers ✔
WAN RIP ✔
Spanning Tree Protocol ✔
Layer 2 QoS tagging ✔
ISDN leased lines ✔
LANCAPI server to provide office applications such as fax or answering machine via the ISDN interface ✔

WAN connections
Connector for DSL or cable modem (via LAN ports) ✔
ISDN-S0 connector for establishing Dynamic VPN connections to remote sites with dynamic IP addresses ✔

LAN connection
Individual Gigabit Ethernet LAN ports. Alternatively switchable as a WAN interface for connecting SDSL modems: 4

USB connector
USB 2.0 host port (high speed: 12 Mbps) for connecting a USB printer and for future extensions ✔

Security functions
IPSec encryption via external software (VPN client) ✔
200 integrated VPN tunnels for secure network connections ✔
IPsec encryption in hardware ✔
IP masquerading (NAT, PAT) to conceal individual LAN workstations behind a single public IP address ✔
Stateful-inspection firewall ✔
Firewall filter for blocking individual IP addresses, protocols and ports ✔
MAC address filter regulates, for example, LAN-workstation access to the IP routing function ✔
Protection of the configuration from brute-force attacks ✔

Configuration
Configuration with LANconfig or via web browser; additional terminal mode for Telnet or equivalent terminal programs; SNMP interface and TFTP server function ✔
Remote configuration via ISDN (with ISDN PPP connections, e.g. via Windows Dial-Up Networking) ✔
Serial configuration interface ✔
Call-back function with PPP authentication mechanisms allowing only predefined ISDN call numbers ✔
FirmSafe for no-risk firmware updates ✔

Optional software extensions
LANCOM VPN Option with 500 active tunnels for secure network connectivity ✔
LANCOM VPN Option with 1000 active tunnels for secure network connectivity ✔
LANCOM Service option ✔

2 Installation
This chapter will help you to quickly install hardware and software. First,
check the package contents and system requirements. The device can be
installed and configured quickly and easily if all prerequisites are fulfilled.
2.1 Package content
Before beginning with the installation, please check that nothing is missing
from your package. Along with the device itself, the box should contain the
following accessories:

LANCOM 9100 VPN
IEC cable ✔
LAN connector cable (green connectors) ✔
WAN connector cable (dark-blue connectors) ✔
ISDN connector cable (light-blue connectors) ✔
Connector cable for the configuration interface ✔
Mounting brackets for 19" cabinets ✔
Rubber feet ✔
LANCOM CD ✔
Printed documentation ✔

Should anything be missing, please contact your dealer immediately, or the
address on the delivery note supplied with your device.
2.2 System requirements
Computers that connect to a LANCOM must meet the following minimum
requirements:
- Operating system that supports TCP/IP, e.g. Windows Vista™, Windows XP,
  Windows Millennium Edition (Me), Windows 2000, Windows 98, Linux, BSD Unix,
  Apple Mac OS, OS/2.
- Access to the LAN via the TCP/IP protocol.
The LANtools also require a Windows operating system. A web browser under any
operating system provides access to WEBconfig.
2.3 Status displays and interfaces
Meanings of the LEDs
In the following sections we will use different terms to describe the behaviour
of the LEDs:
- Blinking means that the LED is switched on and off at regular intervals in
  the respective indicated colour.
- Flashing means that the LED lights up very briefly in the respective colour
  and then stays switched off for clearly longer (approximately 10x longer).
- Inverse flashing means the opposite. The LED lights permanently in the
  respective colour and is only briefly interrupted.
- Flickering means that the LED is switched on and off at irregular intervals.
2.3.1 Front
The LANCOM 9100 VPN is equipped with the following status displays on the
front panel:
[Figure: front panel of the LANCOM 9100 VPN with the status displays numbered
(1) to (8)]

(1) Power: This LED provides information on the device's operating state.
    Off: Device switched off
    Green, blinking: Self-test after power-up
    Green, on (permanently): Device operational
    Red/green, blinking alternately: Device insecure: Configuration password
    not set
    Red, blinking: Time or charge limit on online connections has been reached

The power LED blinks alternately in red/green until a configuration
password has been set. Without a configuration password, the configuration
data in the LANCOM is unprotected. Normally you would set a configuration
password during the basic configuration (instructions in the following
chapter). Information about setting a configuration password at a later time
is available in the section 'The Security Wizard'.

The power LED is blinking and no connection can be made?
If the power LED blinks red and no WAN connections can be established, there
is no cause for concern. This merely means that a pre-set charge or time limit
has been reached.
There are three ways to remove the lock:
- Reset the toll protection.
- Increase the limit.
- Deactivate the lock completely (set limit to '0').
LANmonitor shows you when a charge or time limit has been reached. To reset
the toll protection, open the context menu (right-mouse click) and select
Reset charge and time limits. The charge settings are defined in LANconfig
under Management > Costs (these settings are only available if the 'Complete
configuration display' is activated under Tools > Options).
With WEBconfig, charge protection and all parameters are to be found under
LCOS menu tree > Setup > Charges > Reset budgets.
[Figure: Power LED signalling that a charge or time limit has been reached]

(2) Fan: The Fan LED displays the fan's status:
    Green, on (permanently): CPU temperature OK
    Orange, on (permanently): CPU temperature > 55°
    Red, blinking: Hardware failure of the fan or CPU temperature > 60°;
    additional acoustic signal
To prevent damage to the hardware, this LED is complemented by an acoustic
signal. If the fan is blocked or the CPU temperature exceeds 60°, a pulsed
acoustic signal is emitted.

(3) COM: Connection status of the serial configuration interface
    Off: No session logged on
    Green, on (permanently): Serial configuration session logged on
    Orange, flickering: Data transmission during the configuration session

(4) Online: The online LED displays the general status of all WAN interfaces:
    Off: No active connection
    Green, flashing: Opening the first connection
    Green, inverse flashing: Opening an additional connection
    Green, on (permanently): At least one connection is established
    Red, on (permanently): Error establishing the last connection

(5) Backup: Displays the backup status:
    Off: None of the WAN connections or virtual routers is in the backup state
    Red, on (permanently): At least one of the WAN connections or virtual
    routers is in the backup state

(6) Standby: Displays the standby status:
    Off: No VRRP active, or VRRP active and one virtual router defined in the
    device is in the Master state.
    Red, on (permanently): All virtual routers defined in the device are
    deactivated. A virtual router is deactivated in the following situations:
    - the link is broken,
    - the virtual router is already in backup state and the backup connection
      is broken,
    - the main connection fails and no backup priority is defined for the
      virtual router.
    Green, on (permanently): All virtual routers defined in the device are in
    Standby state.

(7) VPN: Status of a VPN connection.
    Off: No VPN tunnel established
    Green, blinking: Connection establishment
    Green, flashing: First connection
    Green, inverse flashing: Other connections
    Green, on (permanently): VPN tunnels are established

(8) LCD display: The LC display has two lines of 16 characters each to display
the following information in rotation:
- Device name
- Firmware version
- Device temperature
- Date and time
- CPU load
- Memory load
- Number of VPN tunnels
- Data transfer in reception direction
- Data transfer in transmission direction

The LANCOM 9100 VPN is equipped with the following interfaces on the front
panel:

[Figure: front panel of the LANCOM 9100 VPN with the interfaces COM, ISDN,
ETH1, ETH2, ETH3, ETH4 and USB, numbered (9) to (13)]

(9) COM: Connector for the serial configuration cable.

(10) ETH 1 to 4: Ethernet sockets (10/100/1000Base-Tx) for connection to the
LAN. 10 Mbit, 100 Mbit or 1000 Mbit connections are supported. The available
transfer rate is detected automatically (autosensing).
Each Ethernet socket has two LEDs (green and yellow).
    Green, off: No networking device attached
    Green, on (permanently): Connection to network device operational, no data
    traffic
    Green, flickering: Data traffic
    Yellow, off: 1000 Mbps
    Yellow, on (permanently): 10/100 Mbps

(11) ISDN: ISDN-S0 connector. Each ISDN/S0 socket has two LEDs (green and
orange):
    Green             Orange            Meaning
    blinking          blinking          Hardware error
    On (permanently)  blinking          D channel connected, B channel not connected
    On (permanently)  Flashing          ISDN protocol negotiation (B channel)
    On (permanently)  On (permanently)  B channel connected
    blinking          Off               Layer-1 being established
    Off               Off               Layer-1 deactivated
    On (permanently)  Off               TEI or Layer-2 activation available

(12) USB: USB connector (USB host)

(13) Reset: Reset button (see 'Reset button functions')

Reset button functions
The reset button offers two basic functions, boot (restart) and reset (to the
factory settings), which are called by pressing the button for different
lengths of time.
It is not always possible to install a device under lock and key. There is
consequently a risk that the configuration will be deleted by mistake if a
co-worker presses the reset button too long. With a suitable setting, the
behavior of the reset button can be controlled.
Reset button
This option controls the behavior of the reset button when it is pressed:
- Ignore: The button is ignored.
- Boot only: A press of the button prompts a restart only, however long it is
  held down.
- Reset-or-boot (standard setting): Press the button briefly to restart
  the device. Pressing the button for 5 seconds or longer restarts the
  device and resets the configuration to its factory settings.
  All green LEDs on the device light up continuously.
  Once the switch is released the device will restart with the restored
  factory settings.

Configuration tool: WEBconfig, Telnet
Call: Expert configuration > Setup > Config

Please observe the following notice: The settings 'Ignore' or 'Boot only' make
it impossible to reset the configuration to the factory settings. If the
password is lost for a device with this setting, there is no way to access the
configuration! In this case the serial communications interface can be used to
upload a new firmware version to the device; this resets the device to its
factory settings, which results in the deletion of the former configuration.
Instructions on firmware uploads via the serial configuration interface are
available in the LCOS reference manual.