SnapGear VPN Router User manual

SnapGear VPN Router Family
User Manual
Rev: May 30, 2002
7984 South Welby Park Drive #101
Salt Lake City, Utah 84084
Tel: 801-282-8492
Fax: 801-282-8496

1. Introduction
Terminology
Document Style
Installing and configuring the SnapGear VPN Router
The SnapGear VPN Router
SnapGear VPN Router features
2. Getting Started
New Networks
Setup Wizard
System requirements
Configuring the SnapGear VPN Router on your network
Initial setup using Linux
SnapGear Quick Setup Wizard
Configuring the PCs on your network
3. Connect to the Internet
Physically connect modem device
Select Internet connection
Configure PCs to use SnapGear VPN Router Internet gateway
Establishing the connection
4. Dial-in server configuration
Dial-in setup
Dial-in user accounts
Remote user configuration
5. Network Configuration
IP Configuration
Advanced IP Configuration
DHCP Server
Advanced Networking
6. Firewall
Incoming Access
Outgoing Access
Firewall Rules
Intruder Detection and Blocking
7. Virtual Private Networking
PPTP client setup
PPTP server setup
IPSec Setup
IPSec Interoperability
8. System
Time Server
Password
Diagnostics
Advanced
RESET button
9. Technical Support
Appendix A – LED Status Patterns

1. Introduction
This chapter provides an overview of the SnapGear VPN Router’s features and capabilities, and previews
how to install and configure your SnapGear VPN Router.
The SnapGear VPN Router enables small to medium-sized businesses to securely interconnect computers
on the office network to the Internet. The SnapGear VPN Router has all the features a business needs to
take full advantage of the Internet. Whether you are connecting to the Internet for the first time or looking
for a cost-effective and safe VPN solution, the SnapGear VPN Router will meet your needs.
The SnapGear VPN Router simply and securely interconnects your network to the Internet through a
robust embedded firewall. Shielded behind a NAT gateway, your office computers are protected from
outside threats. The SnapGear VPN Router filters and inspects packets of data to prevent unauthorized
Internet applications from accessing your network.
The SnapGear VPN Router provides your network with a virtual private network (VPN) server. A VPN
enables remote workers or branch offices to securely access your company network to send and receive
data at a very low cost. With the SnapGear VPN Router, you can now remotely access your office network
securely through the Internet. Additionally, the SnapGear VPN Router is able to connect as a client to
external VPNs.
With the SnapGear VPN Router, everyone on your office LAN can access the Internet through the one
connection. Your entire network can log on to the Internet using only one ISP account through the one
analog modem, DSL, or ISDN line, eliminating the need for a separate connection and ISP charge for each
individual user. With a dial-in modem connected to your SnapGear VPN Router, your remote staff can
also securely direct-dial into your office network.
This manual details how to take advantage of the features of your SnapGear VPN Router – including
setting up a VPN, a secure firewall and an Internet connection. It also details how to set up the SnapGear
VPN Router on your existing or new network. This is done through the web configuration interface.
Installing your SnapGear VPN Router into a well-planned network is quick and easy. However, network
planning and design is outside the scope of this manual. Please take some time to plan your network prior
to installing your SnapGear VPN Router.

Terminology
Some commonly used terms that you will find in this document are as follows:
ADSL: Asymmetric Digital Subscriber Line. A technology that allows for high-speed data transfer over existing telephone lines. ADSL supports data rates between 1.5 and 9 Mb/s when receiving data and between 16 and 640 Kb/s when sending data.
BOOTP: Bootstrap Protocol is a protocol that lets a network user automatically receive an IP address and have an operating system boot without user involvement. BOOTP is the basis for the more advanced DHCP.
DHCP: Dynamic Host Configuration Protocol. A communications protocol that assigns IP addresses to computers when they are connected to the network.
DNS: Domain Name System. This system allocates Internet domain names and translates them into IP addresses. A domain name is a meaningful and easy to remember name for an IP address.
DUN: Dial Up Networking.
Ethernet: A physical layer protocol based upon IEEE standards.
Extranet: A private network that uses the public Internet to securely share part of a business's information or operations with suppliers, vendors, partners, customers, or other businesses. Extranets add external parties to a company’s intranet.
Firewall: A network gateway device that protects a private network from users on other networks. Typically, a firewall is installed to allow users on an intranet access to the public Internet without allowing all public Internet users access to the intranet.
Gateway: A machine that provides a route (or pathway) to the outside world.
Hub: A network device that allows more than one computer to be connected as a LAN, usually using UTP cabling.

IDB: Intruder Detection and Blocking. A feature of your SnapGear VPN Router that detects connection attempts from intruders and optionally blocks all further connection attempts from the intruders’ machine.
Internet: A worldwide system of computer networks - a public, cooperative, and self-sustaining network of networks accessible to hundreds of millions of people worldwide. Technically, what distinguishes the Internet is its use of a set of protocols called TCP/IP.
Intranet: A private TCP/IP network contained within an enterprise.
IPSec: Internet Protocol Security. IPSec provides interoperable, high quality, cryptographically based security at the IP layer, thus offering protection for all network communications.
LAN: Local Area Network.
LED: Light-Emitting Diode.
MAC Address: An Ethernet address set by the manufacturer.
Masquerade: The process by which a gateway on the local network modifies outgoing packets to replace the source address of these packets with its own IP address. In this way, all IP traffic originating from the local network appears to come from the gateway itself and not the machines on the local network.
NAT: Network Address Translation. The translation of an IP address used on one network to another IP address known on another network.
Net Mask: The way that computers know which part of a TCP/IP address refers to the network, and which part refers to the host range.
NTP: Network Time Protocol (NTP) is used to synchronize clock times in a network of computers.
PAT: Port Address Translation. The translation of a port number used on one network to another port number known on another network.

PPP: Point-to-Point Protocol. A networking protocol designed for simple links between two peers.
PPPoE: Point to Point Protocol over Ethernet. A protocol for connecting the users on an Ethernet to the Internet through a common broadband medium, such as a single DSL line, wireless device or cable modem.
PPTP: Point-To-Point-Tunneling-Protocol. This is a protocol developed by Microsoft™ that is now popular for VPN applications. While generally not considered as secure as IPSec it is considered “good enough” technology, especially since Microsoft responded to a number of flaws in the original implementations.
Road Warrior: A remote machine that does not have a fixed IP address.
Router: A network device that moves packets of data. Differs from a hub or switch in that a router usually is “intelligent” enough to know where final destinations should be and how to get the packets there.
Subnet Mask: See “Net Mask”.
Switch: A network device that is like a hub, but much smarter. Although not a full router, a switch understands, to some degree, the routing of Ethernet packets and adds efficiency to a LAN by utilizing bandwidth more effectively.
TCP/IP: Transmission Control Protocol / Internet Protocol – the basis of Internet communications!
TCP/IP Address: An address of the form nnn.nnn.nnn.nnn is the fundamental addressing form of the Internet.
UTC: Coordinated Universal Time.
UTP: Unshielded Twisted Pair cabling. Most commonly known as Category 5 or CAT 5, representing a type of Ethernet cable that can operate up to 100Mb/s.

VPN: Virtual Private Networking is the concept of having two locations able to communicate securely and effectively, usually across a public network such as the Internet. Three key traits of VPN technology are: privacy (nobody else can see what you are communicating), authentication (you know who you are communicating with), and integrity (nobody else can tamper with your messages/data).
WAN: Wide Area Network.
WINS: Windows Internet Naming Service (WINS) manages the association of workstation names and locations with Internet Protocol addresses.
Document Style
Warnings: Where there is something that you should take particular note of, warning text like
this will appear.
Bold text in procedures indicates text that you type or the name of a screen object (such as a menu
or button).

Installing and configuring the SnapGear VPN Router
Instructions for installing and configuring your new SnapGear VPN Router on your network are
contained in this manual. The basic steps and related chapters are as follows:
Step | See chapter
1. Interconnect the SnapGear VPN Router and PCs on a local area network. | Chapter 2, Getting Started
2. Connect the telecommunications hardware/modem (for dial in/dial out internet access). | Chapter 3, Connect to the Internet
3. Set up the network IP addresses and firewall. | Chapter 2, Configuring the SnapGear VPN Router on your network
4. Set up Internet hardware and Internet account and connect to the Internet. | Chapter 3, Connect to the Internet
5. Set up users’ security dial-in/dial out/VPN. | Chapter 4, Dial-in server configuration; Chapter 7, Virtual Private Networking; Chapter 6, Filtering and Security Groups

The SnapGear VPN Router
The following items will have been included with your SnapGear VPN Router:
• Power adapter
• Installation CD
• Printed Quick Install guide
• Cabling:
  • 1 x normal UTP cable – blue
  • 1 x “cross-over” UTP cable – (either gray or red)
  With the LITE+ you will instead receive two straight through cables (blue).
Figure 1.1 SnapGear SOHO+/PRO front panel LEDs
As shown above, the front panel contains ‘status’ LEDs. You will also find status LEDs on the rear
panel.
Label | Activity | Description
POWER / PWR | On | Power is supplied to the SnapGear VPN Router.
System / SYSTEM | Flashing | System will flash once every second while the SnapGear VPN Router is operating correctly.
System / SYSTEM | On | If System is on and not flashing, an operating error has occurred. In this case the other LEDs form a diagnostic pattern to indicate what has failed. More information on these patterns can be found in
Online / ONLINE | On | Indicates that a valid Internet connection is present.
COM 1, 2 | Flashing | For either of the SnapGear VPN Router COM ports, these LEDs indicate receive and transmit data.
VPN | On | Virtual Private Networking is enabled.
The rear panel contains connector ports for LAN (LAN) and modem (COM1, COM2), LAN
10BaseT status LEDs, WAN 10BaseT status LEDs, a reset button and power inlet. The upper LEDs
represent “Link” condition, where a cable is connected correctly to another device (such as a cable
modem). The lower light represents “Activity” as per the front panel.
Figure 1.2 SnapGear VPN Router back panels

The SnapGear VPN Router interconnects as shown below. In the case of the SnapGear LITE+ a
secondary hub/switch is not required as the unit provides a 4-port Ethernet switch.
Figure 1.3 Network interconnections
SnapGear VPN Router features
Software features
• Network Address Translation (NAT) firewall, which isolates the LAN from the Internet
and offers network access control and filtering
• DHCP server and client, which ensures simple, flexible IP network configuration
• PPTP VPN server that provides communications to remote users running standard
Windows VPN client software
• PAP, CHAP, MSCHAPv2, RADIUS and TACACS+ tunnel authentication (RFC1334,
RFC1994)
• Transparent tunnel support for PPTP. IPSec pass through.
• Dial-in remote access with PAP, CHAP, MSCHAPv2, RADIUS and TACACS+
authentication
• Dial-on-demand for outgoing Internet connection
• Wizard setup and browser based management and configuration
• Flash upgradeable firmware that allows latest protocols and security software to be
downloaded and installed over the web
• Connect Windows PCs, Macintoshes, Linux and Unix workstations – anything that
talks IP – to the Internet

Internet link
• Connect to the Internet with an external cable modem, DSL, dial-up or ISDN modem
• Serial ports (COM1, COM2) connect to the Internet through an external modem or
ISDN T/A (LITE/LITE+ models have a single serial port)
• 10baseT Ethernet port (Internet) connects to the Internet through a cable or ADSL
modem
• Front panel serial status LEDs (for TXD/RXD)
• Online status LEDs (for Internet/VPN)
• Rear panel Ethernet LEDs (Link Transmit/Receive)
LAN link
For the SnapGear SOHO+ and PRO models:
• 10BaseT LAN port to connect to local network Ethernet hub
• Rear panel Ethernet LEDs (Link Transmit/Receive)
For the SnapGear LITE and LITE+ models:
• 10/100BaseT LAN port to connect to local network
Dial-in Connection
• For SnapGear SOHO+ and PRO, external modems may be attached to the serial ports
for dial-in connection
Environmental
• External power adaptor (voltages/current depend on individual models)
• Front panel status LEDs: Power Test
• Operating temperature 0° C to 40° C
• Storage temperature -20° C to 70° C
• Humidity 0 to 95%, non-condensing

2. Getting Started
The SnapGear VPN Router provides a secure, simple gateway to connect PCs and other devices on your
local network to the outside world. This chapter walks you through connecting the SnapGear VPN Router
to your LAN. The procedures in this section are similar to those in the SnapGear Quick Install Guide,
which you may prefer to use if you are in a hurry.
Using an Ethernet cable, connect the SnapGear VPN Router’s LAN Ethernet port (marked LAN) to a
spare port on the existing network hub. At this stage do not apply power to your SnapGear VPN Router.
SnapGear VPN Router comes with an inbuilt DHCP server that can automatically assign IP addresses to
other devices on the network. If you have an existing network, there may already be an active DHCP
server. Additionally, the PCs and devices on the network will already have their IP addresses assigned. So,
to make installation in existing networks simpler, SnapGear VPN Router ships without an initial IP
address of its own and without the DHCP server activated.
Note
The following steps detail the initial setup procedure for networks with at least one
Windows workstation. If you wish to perform the setup procedure using a Linux box, skip to
Initial Setup using Linux later in this chapter.

New Networks
If you do not have an existing LAN, follow these steps to get started:
1. Install the hub according to its instructions (LITE+ has an advanced Ethernet switch making a
hub unnecessary for small networks).
2. Install an Ethernet adapter and software driver in at least one of the PCs to be networked.
3. You will have to assign your PC an IP address in order to be able to configure the SnapGear
VPN Router on the network. From the Start menu, select Settings, Control Panel, Network
and click on the Configuration tab (or Protocols if using NT).
4. Ensure that the TCP/IP networking protocol is installed. If not, click Add (then Protocol if
using Windows 95/98, Microsoft then TCP/IP). Your PC will then reboot.
5. Highlight TCP/IP (this is followed by your Ethernet adapter’s name if using 95/98) and click
Properties.
6. In the IP Address pane, select Specify an IP Address. Private network addresses should be
taken from the ranges:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
7. Enter this into the IP Address field followed by a number (1-255) to identify your PC, e.g.
10.0.0.45. You may have to reboot at this point.
8. Connect both the SnapGear VPN Router and the PC to the hub and continue with the steps
below. When you reach the final stages of setting up your SnapGear VPN Router, it is
recommended that you take advantage of using the SnapGear VPN Router as a DHCP server
and set up the PCs on your network to receive TCP/IP configuration information dynamically.

Setup Wizard
SnapGear VPN Router ships with a Windows installation program, SnapGear Setup Wizard. If
you are using statically pre-assigned IP addresses on your network (i.e. no active DHCP server, a
static network), Setup Wizard will help assign an IP address to the SnapGear VPN Router. On
DHCP enabled, or dynamic, networks, Setup Wizard will locate the IP address your SnapGear VPN
Router has been assigned. It also gives you the option of configuring the Internet connection setup
and changing the SnapGear VPN Router’s password.
System requirements
Setup Wizard can be run from any PC on the network that is running Windows 2000, Windows XP,
Windows ME, Windows NT 4 or Windows 95/98. If you are using Windows 95 you must have the
MS Dial Up Networking 1.3 update (msdun13.exe) installed. Additionally, users of early versions
of Windows 95 (pre-OSR2) must install the Winsock 2.0 update (w95w2setup.exe). If you are
using Windows NT, you must be logged in as administrator to run Setup Wizard.
Configuring the SnapGear VPN Router on your network
To configure the SnapGear VPN Router on your network:
1. Apply power to the SnapGear VPN Router. When the SnapGear VPN Router is powered on and
it has no IP address, it will flash all front panel LEDs (except POWER). These LEDs will remain
flashing until it has acquired an IP address.
2. Insert the SnapGear VPN Router Installation CD into the CD drive of any Windows PC on your
network that meets the system requirements. From the Start menu, select Run and type z:\setup
(where z is the letter of your CD drive).
3. Select the directory and Start menu group in which to install the software utilities for your
SnapGear VPN Router.
4. The wizard will then search the network for your device. Once the wizard has located your
device, you will be asked to enter an IP address (see Static Networks).
5. If you already have a DHCP server on the network (Dynamic Network), the SnapGear VPN
Router will have automatically been assigned an IP address and its LEDs will no longer be
flashing. Setup Wizard will locate the SnapGear VPN Router on the network.

Static Networks
Setup Wizard will ask you to enter an IP address for your SnapGear VPN Router. Select an unused
IP address that you want to assign to the SnapGear VPN Router (e.g. 10.0.0.199). The first three
fields are auto-completed, based on the IP address and net mask of the local machine. Ensure that
the SnapGear VPN Router is powered on and plugged into the network, then click OK. Setup
Wizard will check that the IP address is available; if so, it will be assigned to the SnapGear VPN
Router, otherwise you will be asked to try another.
Figure 2.1 Setup Wizard IP Setup
The LEDs on the front panel of the SnapGear VPN Router will remain flashing until the SnapGear
VPN Router has been assigned an address. Once an IP address has been successfully assigned, they
will all stop flashing.
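
The address rules from this chapter (private ranges, an unused address on the same network as the PC) can be checked before typing a value into Setup Wizard. The following Python sketch is an added example, not part of the original manual or of SnapGear's software; the function name check_router_address and the in_use list are assumptions for illustration, and the sample addresses are the ones used in this chapter.

```python
import ipaddress

# Private ranges listed in the New Networks procedure (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_router_address(pc_ip, net_mask, candidate, in_use=()):
    """Return a list of problems with `candidate`; an empty list means usable.

    pc_ip, net_mask: address and net mask of the PC running the setup.
    candidate:       address you plan to assign to the router.
    in_use:          addresses already assigned on the LAN (your own records;
                     hypothetical input, the manual does not define it).
    """
    try:
        pc = ipaddress.ip_interface(f"{pc_ip}/{net_mask}")
        addr = ipaddress.ip_address(candidate)
        used = {ipaddress.ip_address(a) for a in in_use}
    except ValueError as exc:
        return [f"invalid address or net mask: {exc}"]

    lan = pc.network  # network derived from the PC's address and net mask
    problems = []
    if not any(addr in net for net in PRIVATE_RANGES):
        problems.append("not in a private (RFC 1918) range")
    if addr not in lan:
        problems.append(f"not on the PC's network {lan}")
    elif addr in (lan.network_address, lan.broadcast_address):
        problems.append("is the network or broadcast address")
    if addr == pc.ip:
        problems.append("is the PC's own address")
    if addr in used:
        problems.append("already assigned to another device")
    return problems


if __name__ == "__main__":
    # Constructed sample: PC at 10.0.0.45 with a 255.255.255.0 net mask.
    for cand in ("10.0.0.199", "10.0.1.199", "10.0.0.255", "192.0.2.10"):
        result = check_router_address("10.0.0.45", "255.255.255.0", cand,
                                      in_use=["10.0.0.45", "10.0.0.12"])
        print(cand, "->", result or "OK")
```
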
If more than one SnapGear VPN Router device is found on the network, Setup Wizard will prompt
you to select which one you want to set up based on the device’s unique LAN port MAC address
(see Figure 4). A MAC address is a unique physical address that all Ethernet adapters have assigned
by manufacturers. A MAC address is fixed for the life of the hardware. This is a feature that makes
a MAC address an excellent way of uniquely identifying equipment on a network, as you can be
sure that no two will be the same. Your SnapGear VPN Router’s LAN port MAC address is
displayed on the underside of the device’s case.

Figure 2.2 Setup Wizard Internet setup
Once an IP address is allocated, the SnapGear Setup Wizard will then prompt you to change the
SnapGear VPN Router’s internal password. This password controls access to the SnapGear VPN
Router Configuration web pages and the SnapGear VPN Router unit itself. It is recommended that
the new password be chosen so that it is easy for you to remember but hard for others to guess. Your
password must be kept secret to maintain the security provided by the SnapGear VPN Router.
When setup is complete, the wizard will prompt you to launch a web browser and open the
SnapGear VPN Router Configuration web pages.
The SnapGear VPN Router Configuration web pages
Your SnapGear VPN Router is now configured – more configuration options are available through
the SnapGear VPN Router Configuration web pages. To access these, select SnapGear VPN
Router Config Pages from the SnapGear VPN Router Start Menu group, or, alternatively, point
your web browser at the SnapGear VPN Router’s IP address (e.g. http://10.0.0.199/). If you cannot
access the web pages, it could be because your browser’s proxy settings are not properly configured.
In MSIE, this can be modified in Tools, Internet Options, Connection tab, LAN settings.

Initial setup using Linux
SnapGear VPN Router as shipped is configured with no Internet (IP) address.
When the SnapGear VPN Router is powered on and it has no IP address, it will flash all of its front
panel LEDs (except the ‘Power’ LED). As soon as it acquires an address, it will stop flashing the
LEDs.
The first setup task is to get an IP address into the SnapGear VPN Router. The primary mechanism
for this is through DHCP or BOOTP. You may choose to use an existing local DHCP/BOOTP
server, set up a new local DHCP/BOOTP server, or use the lin_set_ip program included on the
SnapGear CD in the /tools/ directory.
Using lin_set_ip
This program is a command line tool for assigning the SnapGear VPN Router an IP address.
Depending on your system configuration, you may need to run this program with root privileges.
You may also need to add an extra static route with:
route add -host 255.255.255.255 eth0
Where eth0 is the name of your LAN interface (you may need to prefix this line with the route
command’s directory path, e.g. /sbin/route add.. etc.).
Simply run lin_set_ip from the command line and enter the IP address you wish to assign to your
SnapGear VPN Router. After a short time, the SnapGear VPN Router should be assigned the IP
address and its LEDs will stop flashing.