Secure Computing SnapGear Installation and operating instructions

APPLICATION NOTE
www.securecomputing.com
Setting up SnapGear for VoIP
This note describes how to set up SnapGear as an IPSec VPN gateway
for Voice over Internet Protocol.

86-0948364-A
Table of Contents
Setting up SnapGear for VoIP
About this note
Powering on
Connecting
Logging in and configuring
Using QoS traffic shaping
Enabling and configuring ToS prioritization
Setting the Ethernet MTU for QoS
Using the SnapGear VPN solution
Updating firmware
Downloading a TSR

About this note
This application note describes how to set up SnapGear as an IPSec VPN
gateway for Voice over Internet Protocol traffic. It also describes how to take
advantage of SnapGear’s Quality of Service (QoS) bandwidth management
features to maintain voice quality. The following is included:
• Powering on
• Connecting
• Logging in and configuring
• Using QoS traffic shaping
• Enabling and configuring ToS prioritization
• Setting the Ethernet MTU for QoS
• Using the SnapGear VPN solution
• Updating firmware
• Downloading a TSR
Note: This document provides one method for configuring SnapGear for VoIP.
Additional configurations are detailed in the SnapGear Administration Guide, which
is available at www.securecomputing.com > Support > Product
documentation > Product Manuals.

Powering on
1. Do not connect any Ethernet cables. Plug the 5V DC mini-plug into the
back of the SnapGear appliance.
2. Plug the AC plug (the three-prong plug) of the power adapter into an
electrical outlet.
3. After 25 to 30 seconds, confirm the unit is in factory default mode by
resetting it. To reset, gently press the Erase button on the rear panel twice
within three seconds, one second apart. The unit will reboot into the factory
default mode.
Figure 1 shows the SG565 after a reset, but before being connected to the
network. All models except the SG300 power on with the front LEDs blinking
green when in the factory default mode.
Figure 1: SG565 after a reset
Note: When powering down the appliance, it is a good practice to unplug the AC
plug first in order to drain the power adapter, before unplugging the DC mini-plug.
Connecting
To connect the appliance to the network:
1. Connect the supplied cable into Ethernet port A1 on the appliance.
2. Connect the other end of the cable to a PC or workstation Ethernet jack.
The PC or workstation should have a Java-enabled Internet browser such
as Microsoft Internet Explorer or Mozilla Firefox installed.

Logging in and configuring
To log in and configure the appliance, follow the process described in Table 1,
“Configuration sequence” below.
Table 1: Configuration sequence
Configuration window Actions
Configure the PC for IP address 192.168.0.2 by doing the
following:
1. Select Start > Settings > Control Panel.
2. Double-click Network Connections.
3. Right-click Local Area Network, and then click
Properties.
4. Select the Use the following IP address option, and
then enter 192.168.0.2 in the IP address field.
The default gateway IP address is the factory default address
of the SnapGear unit (192.168.0.1). DNS settings are not
required at this time.
Note: Because the PC and the SnapGear are isolated
during the initial configuration process, you can use any PC
IP address in the range of 192.168.0.2 through
192.168.0.254.
Log into the unit by doing the following:
1. Enter http://192.168.0.1 into a Web browser.
2. Enter the default user name root in the User name field.
3. Enter the default password default in the Password field.
4. Click OK.
It is good practice to change the default root password.
The SnapGear firmware automates this step after a reset:
1. Enter a new password in the New Password field.
2. The characters you type are masked, so you are required
to enter the new password the same way twice to ensure
it is changed as intended. Re-enter the password in the
Confirm Password field.
Note: This password will be required for all administrative
access until additional administrative accounts are created. If
forgotten before these accounts are added, the appliance
must be reset to the factory default mode to regain access.
3. Click Submit.
To subsequently change the root password:
1. Click Users under the System menu.
2. Edit the root user. You can also create new administrative
accounts in this area.
It is good practice to cable the Ethernet port B for Internet
access prior to running the Quick Setup Wizard. The Wizard
can automatically configure some circuit types if the port is
cabled prior to completing the Internet steps.
1. Connect the other end of the Ethernet cable to the cable
modem, DSL router, or other device supplied by the ISP.
2. Cable and power that device as instructed by the ISP.
After setting the new root password, the Quick Setup
Wizard starts on the LAN page. All of the settings
established by the Wizard can be changed later using
the regular menu system.
1. Type a unique hostname in the Hostname field. This
name will identify the unit.
2. Leave the LAN Direct Connection Settings set to the
default selection of Manual configuration.
3. Click Next.
1. Enter the SnapGear LAN address into the IP Address
field. This is the address that all other hosts on the LAN
will use as their default gateway, e.g. 192.168.0.254.
2. Enter the network mask into the Subnet Mask field. The
example to the left showing the 24-bit mask length can
also be entered as 255.255.255.0. SnapGear supports
both classful and custom subnet masks.
3. If the other hosts on the LAN will receive their address
assignments from this unit using the Dynamic Host
Configuration Protocol, enter the DHCP Server Address
Range starting with the lowest address followed by a
dash and the highest address.
4. Click Next.
1. Select an Internet Port Configuration for Ethernet
Port B. Typically this port will be wired to a cable modem,
a DSL or ADSL router, or some other router type that
uses a direct connection. The window at left illustrates
a cable modem connection.
2. Click Next.
Note: Click the round ? icon in any configuration window
and select Open in a new window to read more detail about
the task being performed. Selecting a new window or tab will
avoid losing any work in the configuration window.
1. Select the Generic Cable Modem Provider option for
most cable services.
2. Click Next.
Note: It is not advisable for a SnapGear to automatically
acquire both its LAN and Internet IP addresses. At least one
IP address should be static for proper administrative access.
Attempting to use dynamic addresses on both the LAN and
Internet interfaces will fail when using a cable modem.
1. Switch A should be left at the default setting of 4 LAN
Ports if there is no requirement for multiple Internet links.
It can always be changed later. For the greatest flexibility
in setting up the SnapGear’s Quality of Service (QoS)
features, do not configure more than one LAN/DMZ
segment. Using 4 LAN Ports lets you plug up to four
devices directly into the SnapGear. A SnapGear LAN port
can also be expanded by cascading to an additional
switch or hub.
2. Click Next.
Note: QoS is important for the quality of VoIP calls. The
SnapGear’s QoS Autoshaper and ToS Packet Priority rules
can prioritize real-time streaming protocols like VoIP.
The last step in the Quick Setup Wizard is the review page. It
is especially important to confirm the new LAN settings. If the
LAN IP address has been moved from the 192.168.0.0/24
network, communication with the PC will cease after the
Finish button is clicked. In this example, all you have to do is
adjust the web address in a Web browser to
http://192.168.0.254.
Remember to plan for any required changes to your PC’s
Ethernet configuration prior to clicking the Finish button.
When all changes are complete, click Finish.
The Quick Setup Wizard completes with a page containing
links to the Save/Restore page and the Secure Computing
SnapGear registration site. Assuming the cable modem is
properly configured and attached, you can right-click the
registration link and choose Open in New Window to
register the SnapGear unit (not illustrated here).
Note: It is good practice to use the register online link
http://my.securecomputing.com to register the unit serial
number, activate Technical Support, and access the SnapGear
Knowledge Base.
Clicking the Backup/Restore menu option opens the Remote
Configuration Backup/Restore page. Enter and confirm a
backup Password, then click Save.
Click the Save button in the File Download window and
browse to the workstation file system to save the backup.
Internet access and DNS services are confirmed if you were
able to browse to the registration site described earlier. If you
were not able to browse to the site, under the System menu,
select Diagnostics. Under the System tab, check the
Connections table for Port B. If the State entry is Checking,
the connection has not been completely negotiated.
Confirm all Internet cabling, power, and Internet Service
Provider (ISP) instructions. Check the cabling for the ISP
circuit; it can be a coaxial cable, a DSL phone line and filter
adapter, or another cable type. Power cycle the ISP device
and monitor the indicator lights on the device. Some cable
modem providers recommend leaving their devices off for
five minutes or more to ensure new circuit negotiation.
You may also check the connection by selecting Network
Setup from the Network Setup Menu. On the Network Setup
page, click the Retry button labeled Retry unsuccessful
connections, then recheck the data on the Diagnostics,
Connections table.
In the example to the left, the Connections table now shows
that the Internet is up, and that an IP address has been
assigned by the cable modem. The Internet listing above the
Connections table also shows the data for the Internet
Gateway and DNS servers on the ISP networks. If Internet
browsing still fails, connectivity and DNS services can be
further checked using this data. Additionally, you may
• Ping the ISP Gateway and DNS server IP addresses to confirm
server availability on the Networks Tests tab.
• Trace Web browsing attempts on the Packet Capture tab.
• Click the Help icon for additional instructions for using
these tabs.

Using QoS traffic shaping
QoS (Quality of Service) traffic shaping is an advanced feature provided to
allow the fine-tuning of network connections. Traffic shaping allows you to give
preference to certain types of network traffic to maintain quality of service when
a network connection is under heavy load.
Enabling QoS Autoshaper
The Autoshaper uses a set of built-in traffic shaping rules that create
rate-controlled queues based on the upstream and downstream bandwidth to your
ISP. It works in conjunction with the ToS Packet Priority configuration. (See
“Using the SnapGear VPN solution” on page 16.) To activate traffic shaping
and control rules, do the following:
1. Under the Network Setup menu, select QoS Traffic Shaping. If the QoS
Autoshaper tab reads like Figure 2, you have failed to configure a LAN or
Internet connection, or you have configured more than one LAN, for
example, a wireless LAN.
If you must use the wireless LAN, additional LANs, or a DMZ, the QoS
Autoshaper cannot be used. Some QoS priorities can still be set using the
ToS Packet Priority tab. You may still use more than one Internet
connection by setting the bandwidth for each connection as discussed below.
Figure 2: QoS Autoshaper in non-configurable state
2. If the QoS Autoshaper tab reads like Figure 3, click the Pencil & Paper icon
on the far right side of the row to configure each connection.
Figure 3: QoS Autoshaper in configurable state

3. Set the Outbound Speed according to your ISP type.
a. If you are running a DSL/ADSL connection to the Internet, enter
bandwidth numbers approximately 80-90% of the most conservative
measured speed.
b. If you have a cable modem or other type of direct IP connection to the
Internet, enter values much closer to 90-100%.
Use inbound or outbound speeds provided by your ISP, or tune these
values by measuring actual conditions using your PC and any one of the free
sites listed below. These sites allow you to select local or distant test
servers to get a practical snapshot of how your VoIP bandwidth may be affected
by call destination. It is good practice to use the most conservative figures
for the most distant call destination that is used during routine business.
This prevents other outbound applications from using too much of the
available bandwidth and degrading call quality.
http://www.speedtest.net/ (international)
http://myvoipspeed.visualware.com/ (limited international)
http://www.speakeasy.net/speedtest/ (U.S. national)
On a cable modem, several sites provided a measured download (Inbound)
speed of 6300 kilobits per second and an upload (Outbound) speed of 360
kilobits per second. In the example shown in Figure 3 on page 11, you would
set an Outbound Speed of 324 Kbps (360 Kbps x 0.9).
4. Setting the inbound speed has a less pronounced effect on call quality
because the SnapGear must begin processing everything it receives in the
order it is received, even if it is at different prioritized rates. You may wish to
determine if your ISP offers inbound QoS options that will let you prioritize
VoIP traffic over other inbound applications before the packets are sent to
the SnapGear.
5. Set the full Inbound speed, for example 6300 Kbps, and click Finish.
Figure 4: Summary table
6. Review the Summary table.
7. Repeat the steps listed above for each Internet connection.

Enabling and configuring ToS prioritization
The ToS Packet Priority configuration works in conjunction with the QoS
Autoshaper. (See “Enabling QoS Autoshaper” on page 11.) The ToS Packet
Priority configuration can also be used when the Autoshaper is not available.
1. Under the Network Setup menu, select QoS Traffic Shaping.
2. Select the ToS Packet Priority tab.
Figure 5: ToS Packet Priority tab
3. Click the Enable ToS Prioritization check box.
4. Set the Default priority to Medium or Low.
5. Click Submit.
6. The SnapGear unit can transmit ToS flagged packets according to ToS
rules governed by VoIP service ports, source or destination address, or a
combination of these factors. To set up rules, on the ToS Packet Priority
tab, click the New button.
Figure 6: Edit ToS Packet Priority rule window
7. Select TCP or UDP from the Protocol list.
8. Click the New button next to the Ports window and enter the VoIP
application port range. If the VoIP service port range is not known, you can
still set a VoIP gateway IP as a source or destination address with a service
of Any.

9. Select a predefined Source Address and Destination Address or click the
New button to define new addresses.
10. Set the Priority to High, Medium, or Low. Only one or two critical
applications should have a ToS Priority of High.
11. Click Finish. You are returned to the ToS Packet Priority tab.
Figure 7: ToS Packet Priority tab
12. Continue to define medium and low priority ToS rules as needed. ToS rules
are not required for QoS, but they can solve problems if your VoIP
application does not respond well to the QoS Autoshaper.
13. Services, sources, destinations, and groups of services, endpoints, or
interfaces can also be defined from the Definitions menu. Once created,
these objects appear in option lists throughout the SnapGear interface.
To create these definitions, from the Firewall menu, select Definitions.
Note: Objects created with the New button will also be available.
Figure 8: Service Group tab

Setting the Ethernet MTU for QoS
To optimize traffic shaping performance for VoIP on slower connections, set
the outgoing interface MTU to 600, overriding the default, by doing the
following:
1. From the Network Setup menu, on the Connections tab, click the Paper &
Pencil icon and open the Ethernet configuration window for each Internet
connection, starting with Port B.
Figure 9: Connections tab
2. Click the Ethernet Configuration tab.
Figure 10: Ethernet Configuration tab
3. Set the MTU field to 600.
4. Click the Update button.

Using the SnapGear VPN solution
The SnapGear unit can provide an economical, rapidly deployable VPN
solution to carry VoIP traffic, especially when all of the VPN gateways are
SnapGear units.
1. From the VPN menu, select IPSec.
Figure 11: IPSec menu option
2. Select the Enable IPSec check box.
3. Leave the MTU setting blank.
4. Click Submit.
The remainder of these steps assume a SnapGear-to-SnapGear VPN with
fixed IP addresses on their Internet interfaces. Other configurations are
provided in the SnapGear Administration Guide found at:
http://www.securecomputing.com/techpubs_download.cfm?id=2136
5. Click Quick Setup.
Figure 12: IPSec VPN Setup window
6. Enter a unique Tunnel name to identify this VPN circuit.

7. Click the Enable this tunnel check box.
8. Enter The remote party’s IP address using the Internet IP address of the far
end SnapGear. Use IP addresses specific to your networks. Examples
shown are for demo purposes only, and not part of a public test network.
9. Click the Predefined button next to the Local Network field.
10. Select Access all networks (default gateway) from the Local Network list.
11. Click the Predefined button across from the Remote Network field.
12. Select Access all networks (default gateway) from the Remote Network
list.
13. Enter a Local Endpoint ID for this SnapGear using the format
uniquename@yourcompany.com.
14. Enter a Remote Endpoint ID using the same format.
15. Enter a Preshared Secret of at least 21 characters that will be used in both
endpoint configurations. Keep this preshared secret confidential.
16. Click Finish.
Figure 13: Tunnel status: Down example
Unless both VPN endpoints are configured, and have Internet access, the
VPN connection status in the Tunnel List will display a status of Down (see
Figure 13). If both endpoints are configured with reciprocal settings, the
status quickly transitions from Negotiating Phase 1 to Negotiating Phase 2
and then to Running.
The VPN Quick Setup works best when the principle of reciprocal settings
is understood. In Figure 14, the Local Endpoint ID is
Branch27@yourcompany.com.

Figure 14: Reciprocal settings local endpoint ID
This same data shows up as the Remote Endpoint ID in the HQ SnapGear
VPN Quick Setup, shown in Figure 15. These are reciprocal settings and the
principle is repeated in the remote party’s IP address. It is important to
understand that the settings for a VPN tunnel are the same at both ends, but
that the data for local and remote will change places for the far-end SnapGear.
Figure 15: Reciprocal settings remote endpoint ID
Note: The sample configuration is unusual in that it forms a dedicated VoIP VPN
circuit between HQ and Branch27 SnapGear units due to the Access all networks
(default gateway) settings used in the Local Network and Remote Network fields.
This is the simplest possible setup and requires no knowledge of the local networks
protected by each SnapGear, but it routes all outbound traffic between HQ and
Branch27. There is no conventional Internet access without additional policy route
configuration. Local Internet access and more granular LAN security can be
achieved by selecting the Custom buttons and entering specific local and remote
networks. Remember, a specific local network on the HQ SnapGear becomes the
reciprocal remote network on the Branch27 SnapGear. Using specific networks
only allows traffic destined for the remote network into the VPN tunnel.
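The reciprocal-settings principle described above can be checked on paper before either unit is configured. The following Python check is an added example, not part of the original note or of any SnapGear tooling; the TunnelSide field names, the 0.0.0.0/0 stand-in for Access all networks, and every address, endpoint ID other than Branch27@yourcompany.com, and secret are assumptions constructed for illustration.

```python
"""Reciprocity check for the two ends of a SnapGear-to-SnapGear tunnel.

Added example: TunnelSide is a hypothetical model of the Quick Setup form,
not a SnapGear export format. All sample values are constructed.
"""
import hmac
import ipaddress
from dataclasses import dataclass, replace

MIN_SECRET_LEN = 21          # "at least 21 characters" per the note
ALL_NETWORKS = "0.0.0.0/0"   # assumption: stands in for "Access all networks"


@dataclass(frozen=True)
class TunnelSide:
    name: str
    internet_ip: str          # this unit's own Internet address
    remote_party_ip: str      # "The remote party's IP address"
    local_network: str
    remote_network: str
    local_endpoint_id: str
    remote_endpoint_id: str
    preshared_secret: str


def _net(cidr):
    # Normalise so 10.1.0.5/16 and 10.1.0.0/16 compare equal.
    return ipaddress.ip_network(cidr, strict=False)


def _one_way(near, far):
    """Every 'remote' value on `near` must equal the 'local' value on `far`."""
    problems = []
    if ipaddress.ip_address(near.remote_party_ip) != ipaddress.ip_address(far.internet_ip):
        problems.append(f"{near.name}: remote party IP is not {far.name}'s Internet IP")
    if _net(near.remote_network) != _net(far.local_network):
        problems.append(f"{near.name}: Remote Network is not {far.name}'s Local Network")
    if near.remote_endpoint_id != far.local_endpoint_id:
        problems.append(f"{near.name}: Remote Endpoint ID is not {far.name}'s Local Endpoint ID")
    return problems


def reciprocity_problems(a, b):
    """Return a list of mismatches; an empty list means the ends mirror each other."""
    problems = _one_way(a, b) + _one_way(b, a)
    for side in (a, b):
        if len(side.preshared_secret) < MIN_SECRET_LEN:
            problems.append(f"{side.name}: Preshared Secret shorter than {MIN_SECRET_LEN} characters")
    # Compare the secrets without echoing either one into the report.
    if not hmac.compare_digest(a.preshared_secret.encode(), b.preshared_secret.encode()):
        problems.append("Preshared Secret differs between the two ends")
    return problems


# Constructed sample using Custom networks: documentation-range addresses,
# placeholder secret.
SECRET = "constructed-example-secret-0001"
HQ = TunnelSide("HQ", "203.0.113.10", "198.51.100.27", "10.1.0.0/16", "10.27.0.0/24",
                "HQ@yourcompany.com", "Branch27@yourcompany.com", SECRET)
BRANCH27 = TunnelSide("Branch27", "198.51.100.27", "203.0.113.10", "10.27.0.0/24", "10.1.0.0/16",
                      "Branch27@yourcompany.com", "HQ@yourcompany.com", SECRET)
# Constructed mistake: networks copied from HQ without swapping local and remote.
BRANCH27_COPIED = replace(BRANCH27, local_network="10.1.0.0/16", remote_network="10.27.0.0/24")

if __name__ == "__main__":
    for far in (BRANCH27, BRANCH27_COPIED):
        print(reciprocity_problems(HQ, far) or "settings are reciprocal")
```

With Access all networks selected on both ends, as in the note's sample tunnel, both network fields hold the same value and the network comparison passes trivially; the endpoint ID and remote party IP checks still apply.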

Figure 16: Typical VPN failure
A typical VPN failure is illustrated in Figure 16, where one end of the VPN is
stuck in Negotiating Phase 1.
Right-click the Status link and choose Open in New Window to scroll down
the IPSec Log.
Figure 17: IPSec log
The Connection Details and Negotiation State listings usually provide the
best clues as to what is wrong. In Figure 17, the EVENT_RETRANSMIT in
2 s (seconds) indicates that the HQ SnapGear cannot reach the Branch27
SnapGear.
Figure 18: Tunnel status Running example
A quick phone call to the Branch27 manager reminding them not to unplug
the SnapGear when plugging in the coffee pot solved the problem as
shown in Figure 18. More complex problems may require a call to Secure
Computing Technical Support at 1-800-700-8328. Please have a registered
SnapGear serial number handy when you call.

Updating firmware
If your SnapGear unit has different screens than those described in this or
another SnapGear guide, or if it is missing some features, you may check your
firmware version by selecting the Diagnostics option under the System menu.
Figure 19: Diagnostics page
The SnapGear version that is currently running on the unit is displayed on the
System tab. To download a newer firmware version, open a Web browser to
http://my.securecomputing.com/.
Note: Firmware upgrades for SnapGear products are available for download by
customers who have registered their products and are entitled to software support.
First ensure that you have a username and password for
http://my.securecomputing.com/ and that you have registered your SnapGear products.
Once you have registered an account and have logged into the site, the link for
firmware downloads should be visible within the left navigation pane.
Before downloading firmware to your SnapGear appliance, we recommend
that you read article 2725 in the SnapGear Knowledge Base. Use an Exact
Phrase search for SnapGear: Upgrading your unit. The Knowledge Base is
found at http://sgkb.securecomputing.com.