Samsung Confidential & Proprietary Information. Copyright 2006, All Rights Reserved.
-1/100-
OfficeServ 7400 Enterprise IP Solutions
Quick Install Guide - Data Server - VPN
Mar, 2006
OfficeServ Lab.
Samsung Electronics Co., Ltd.
Contents

> VPN Overview
> IPSec Settings
  1. IPSec Connection Between OS7400s
     ◆ RSA key  ◆ Pre-shared key  ◆ X.509 Cert
  2. IPSec Connection Between OS7400 and PC (Remote User)
     ◆ Pre-shared key  ◆ X.509 Cert
  3. IPSec Connection Between OS7400 and Cisco Router
     ◆ Pre-shared key
> PPTP/L2TP Settings
  4. PPTP/L2TP Configuration on OS7400 System
  5. PPTP/L2TP Configuration on PC (Windows 2000/XP)
> Application Cases
  6. IP Networking (QSIG) Application Cases
  7. H.323/SIP Application Cases
VPN Overview - GWIMS

[Figure: Headquarters office connected over the Internet to Branch #1, Branch #2 and a Remote User; a 2 Mbps serial private line runs alongside the IPSec VPN tunnels, and the remote user connects by PPTP/L2TP.]

IPSec: Internet Protocol Security Protocol
PPTP: Point to Point Tunneling Protocol
L2TP: Layer 2 Tunneling Protocol
VPN: Virtual Private Network

PPTP/L2TP
- System to System
- Needs the GWIMS D-board
IPSec
- System to Node or Server to Client (ex: PC)
- Does not need the GWIMS D-board
VPN Overview – IPSec, L2TP/PPTP

[Figure: Headquarters linked over the Internet to a Branch (Intranet VPN), a Business Partner (Extranet VPN) and a Mobile User running VPN S/W (Remote access VPN); inside the tunnel each payload receives a new header and is encrypted.]

- Tunnel Mode (Transport mode is not supported)
- Tunnel Protocol: IPSec, L2TP/PPTP
- Key Management: IKE, ISAKMP, X.509, pre-shared
- Authentication: MD5, SHA-1
- Encryption: AES, 3DES
- Transform Protocol: AH, ESP
VPN Overview – VPN Compared
VPN Overview – IPSec

• Transport Mode
  AH:  [IP header][AH][IP payload]
       Authenticated except for mutable fields in ‘IP header’
  ESP: [IP header][ESP header][IP payload][ESP trailer][ESP auth]
       Encrypted: IP payload, ESP trailer
       Authenticated: ESP header, IP payload, ESP trailer

• Tunnel Mode
  AH:  [New IP header][AH][IP header][IP payload]
       Authenticated except for mutable fields in ‘New IP header’
  ESP: [New IP header][ESP header][IP header][IP payload][ESP trailer][ESP auth]
       Encrypted: IP header, IP payload, ESP trailer
       Authenticated: ESP header, IP header, IP payload, ESP trailer
VPN Overview – IKE

• Internet Key Exchange
  – Phase 1
    • Generate the IKE key
    • Main mode, aggressive mode
    • Authentication
      – Pre-shared key
      – Digital signature
      – Public key encryption
      – Revised public key encryption
  – Phase 2
    • Generate the IPSec key
    • Quick mode
IKE connection flow

Main mode (Initiator <-> Responder):
  1. Initiator -> Responder: crypto & auth algorithm (SA) proposal
  2. Responder -> Initiator: SA choice
  3. Initiator -> Responder: public key exchange (Diffie-Hellman)
  4. Responder -> Initiator: Diffie-Hellman
  5. Initiator -> Responder: transmit identity
  6. Responder -> Initiator: confirm and transmit identity

Aggressive mode:
  1. Initiator -> Responder: SA proposal, public key exchange, transmit identity
  2. Responder -> Initiator: SA choice, public key exchange, transmit identity
  3. Initiator -> Responder: transmit hash value
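The main-mode exchange above, as an added example that is not from the Samsung guide: both sides of IKE phase 1 with pre-shared-key authentication, following RFC 2409 for the key material (SKEYID, SKEYID_d/a/e) and for the HASH_I / HASH_R payloads that authenticate messages 5 and 6. Diffie-Hellman group 2 (the 1024-bit MODP group that the Windows client section later calls ‘Medium (2)’) and HMAC-MD5 as the prf match the guide's algorithm choices. The peer identities (OS7400_1, OS7400_2), the proposal string, the nonces and the pre-shared keys are constructed values; ISAKMP payload encoding and the encryption of messages 5 and 6 under SKEYID_e are left out so that the derivation itself stays visible.

```python
# Added example (not from the Samsung guide): IKE phase 1, main mode, pre-shared key.
# Key derivation and authentication hashes follow RFC 2409; identities, nonces,
# proposal string and PSKs are constructed placeholders.
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, Oakley group 2: 1024-bit MODP prime, generator 2
G2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G2_GEN = 2
DH_LEN = 128   # bytes in a group-2 public value


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for the guide's MD5 hash choice: HMAC-MD5."""
    return hmac.new(key, data, hashlib.md5).digest()


def dh_keypair():
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(G2_PRIME - 2) + 1
    return x, pow(G2_GEN, x, G2_PRIME)


def dh_bytes(value: int) -> bytes:
    return value.to_bytes(DH_LEN, "big")


class Peer:
    """Either side of the exchange; it only ever holds its own secrets."""

    def __init__(self, psk: bytes, identity: bytes):
        self.psk, self.identity = psk, identity
        self.x, self.gx = dh_keypair()           # messages 3/4: KE payload
        self.nonce = secrets.token_bytes(16)     # messages 3/4: Ni / Nr
        self.cookie = secrets.token_bytes(8)     # ISAKMP header cookie (CKY-I / CKY-R)

    def skeyid(self, ni: bytes, nr: bytes) -> bytes:
        # Pre-shared key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
        return prf(self.psk, ni + nr)

    def session_keys(self, skeyid: bytes, peer_gx: int, cky_i: bytes, cky_r: bytes):
        gxy = dh_bytes(pow(peer_gx, self.x, G2_PRIME))       # shared DH secret
        d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")       # SKEYID_d: phase 2 material
        a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")   # SKEYID_a: ISAKMP integrity
        e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")   # SKEYID_e: ISAKMP encryption
        return d, a, e


def hash_payload(skeyid, g_own, g_peer, cky_own, cky_peer, sa_i, identity):
    """HASH_I / HASH_R = prf(SKEYID, g^x(own) | g^x(peer) | CKY(own) | CKY(peer) | SAi_b | ID)."""
    return prf(skeyid, dh_bytes(g_own) + dh_bytes(g_peer)
               + cky_own + cky_peer + sa_i + identity)


def main_mode(psk_initiator: bytes, psk_responder: bytes):
    """Six-message main mode. Returns (authenticated, keys_initiator, keys_responder)."""
    init = Peer(psk_initiator, b"OS7400_1")
    resp = Peer(psk_responder, b"OS7400_2")
    sa_i = b"3DES-MD5-PSK-GROUP2"                 # messages 1/2: proposal and choice
    # messages 3/4: KE values and nonces cross the wire; each side derives SKEYID
    # from ITS OWN copy of the pre-shared key
    skeyid_i = init.skeyid(init.nonce, resp.nonce)
    skeyid_r = resp.skeyid(init.nonce, resp.nonce)
    # message 5: initiator proves it knows the PSK, bound to its identity and the exchange
    hash_i = hash_payload(skeyid_i, init.gx, resp.gx, init.cookie, resp.cookie,
                          sa_i, init.identity)
    expected_i = hash_payload(skeyid_r, init.gx, resp.gx, init.cookie, resp.cookie,
                              sa_i, init.identity)
    if not hmac.compare_digest(hash_i, expected_i):
        return False, None, None                   # responder rejects: mismatched PSK
    # message 6: responder does the same with the roles swapped in the hash input
    hash_r = hash_payload(skeyid_r, resp.gx, init.gx, resp.cookie, init.cookie,
                          sa_i, resp.identity)
    expected_r = hash_payload(skeyid_i, resp.gx, init.gx, resp.cookie, init.cookie,
                              sa_i, resp.identity)
    if not hmac.compare_digest(hash_r, expected_r):
        return False, None, None
    return (True,
            init.session_keys(skeyid_i, resp.gx, init.cookie, resp.cookie),
            resp.session_keys(skeyid_r, init.gx, init.cookie, resp.cookie))


if __name__ == "__main__":
    ok, keys_i, keys_r = main_mode(b"constructed-psk", b"constructed-psk")
    print(ok, keys_i == keys_r)                            # True True
    print(main_mode(b"constructed-psk", b"typo-psk")[0])   # False
```

Running it with different keys on the two sides shows the property the guide relies on when it tells you to enter the same shared key on both systems: the responder cannot verify HASH_I, so no SKEYID_e is derived and the exchange stops before phase 2. Swapping hashlib.md5 for hashlib.sha1 gives the SHA-1 variant that the overview slide also lists.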
VPN Overview – OS7x00

1. Configuration
2. Choose Phase 1 / Phase 2 parameters.
3. Check status
VPN Overview – OS7200 vs. OS7400

Lists          | OS 7200 (v1.12)                 | OS 7400
---------------|---------------------------------|---------------------------------------------
Max. Tunnel    | 100 Tunnels                     | 1024 Tunnels
H/W Chip       | Hifn 7951                       | CN 1120
Protocol       | IPSec, PPTP                     | IPSec, PPTP, L2TP
ISAKMP         | Phase 1 (main), Phase 2 (quick) | Phase 1 (main, aggressive), Phase 2 (quick)
Encryption     | 3DES                            | 3DES, AES
Authentication |                                 | RSA, Pre-shared key, X.509
IPSec Configuration
1. IPSec Connection Between OS7400s

VPN of OS7400 allows you to connect different networks. The following figure illustrates basic network settings for using OS7400 VPN:

[Figure: OS7400_1 (WAN1 165.213.89.238, LAN 10.0.0.1, PC 10.0.0.100) and OS7400_2 (WAN1 165.213.89.227, LAN 192.168.0.1, PC 192.168.0.100) joined by an IPSec tunnel. ① Original packet: Src IP 10.0.0.100, Dest IP 192.168.0.100, payload. ② Tunnelled packet: New Src IP 165.213.89.238, New Dest IP 165.213.89.227, wrapping the original packet. ③ Decrypted packet: Src IP 10.0.0.100, Dest IP 192.168.0.100, payload. ④ Delivered to PC 192.168.0.100.]
The above figure shows packet forwarding when making communications from PC (10.0.0.100) to the target PC (192.168.0.100) using VPN.
① Create and forward a packet whose dest IP is 192.168.0.100 and whose src IP is 10.0.0.100 from PC (10.0.0.100).
② The original packet is encrypted through the VPN gateway. Add a new IP header (Dest IP: 165.213.87.227, Src IP: 165.213.89.238) to create and forward a new packet.
③ Decrypt the forwarded packet in the VPN gateway. Then, forward the packet to the destination host by referring to the destination IP of the original packet.
④ The PC (192.168.0.100) receives the original packet properly.
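The packet flow ① to ④ above, worked in code as an added example that is not part of the Samsung guide: a Python model of the ESP tunnel-mode framing (the tunnel-mode ESP layout from the IPSec overview slide) for the OS7400_1 -> OS7400_2 direction, together with the checks a receiving gateway makes before it forwards the inner packet: integrity check, SPI lookup, anti-replay, and the selector check that the inner packet really is 10.0.0.0/24 -> 192.168.0.0/24 (the same subnet pair that the outbound and inbound filters in the Windows client section express). It uses ESP NULL encryption (RFC 2410) so that the framing stays inspectable; a real gateway encrypts the inner packet and the ESP trailer with 3DES or AES at exactly that position. Integrity is HMAC-MD5-96 (RFC 2403). The SPI, the HMAC key and the payload bytes are constructed placeholders; the addresses are the slide's own.

```python
# Added example (not from the Samsung guide): ESP tunnel-mode framing for the
# OS7400_1 -> OS7400_2 direction, with the receiver-side checks. ESP NULL
# encryption (RFC 2410) keeps the bytes readable; integrity is HMAC-MD5-96.
# SPI, key and payload are constructed; the addresses come from the slide.
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50          # IP protocol number of ESP
IPV4_IN_IP = 4          # ESP "next header" value for a tunnelled IPv4 packet
ICV_LEN = 12            # HMAC-MD5-96 keeps the first 96 bits of the MAC


def ipv4_checksum(hdr: bytes) -> int:
    total = sum((hdr[i] << 8) + hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes):
    """Returns (src, dst, protocol, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])),
            pkt[9], pkt[ihl:])


class EspSa:
    """One direction of a tunnel-mode SA as both gateways hold it after IKE:
    SPI, integrity key, outer addresses and the inner-subnet selectors."""

    def __init__(self, spi, auth_key, outer_src, outer_dst, inner_src_net, inner_dst_net):
        self.spi, self.auth_key = spi, auth_key
        self.outer_src, self.outer_dst = outer_src, outer_dst
        self.src_net = ipaddress.ip_network(inner_src_net)
        self.dst_net = ipaddress.ip_network(inner_dst_net)
        self.seq_out = 0            # sender's counter
        self.seq_seen = 0           # receiver's highest accepted sequence number

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.md5).digest()[:ICV_LEN]

    def _selectors_match(self, inner: bytes) -> bool:
        src, dst, _, _ = parse_ipv4(inner)
        return (ipaddress.ip_address(src) in self.src_net
                and ipaddress.ip_address(dst) in self.dst_net)

    def encapsulate(self, inner: bytes) -> bytes:
        """Step ②: wrap the original packet. Only traffic matching the SA's
        selectors (the guide's 'outbound' filter) is allowed into the tunnel."""
        if not self._selectors_match(inner):
            raise ValueError("packet does not match the tunnel selectors")
        self.seq_out += 1
        pad_len = (-(len(inner) + 2)) % 4                 # align the trailer to 4 bytes
        trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPV4_IN_IP])
        esp = struct.pack("!II", self.spi, self.seq_out) + inner + trailer   # NULL cipher
        return build_ipv4(self.outer_src, self.outer_dst, ESP_PROTO, esp + self._icv(esp))

    def decapsulate(self, outer: bytes) -> bytes:
        """Step ③: verify before trusting anything: ICV, SPI, replay, then the inner
        packet against the selectors (the guide's 'inbound' filter) before forwarding."""
        osrc, odst, proto, esp = parse_ipv4(outer)
        if proto != ESP_PROTO or (osrc, odst) != (self.outer_src, self.outer_dst):
            raise ValueError("outer packet does not belong to this SA")
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        if not hmac.compare_digest(icv, self._icv(body)):
            raise ValueError("ICV mismatch: packet forged or corrupted")
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.seq_seen:
            raise ValueError("replayed sequence number")
        self.seq_seen = seq
        pad_len, next_hdr = body[-2], body[-1]
        if next_hdr != IPV4_IN_IP:
            raise ValueError("unexpected inner protocol")
        inner = body[8:len(body) - pad_len - 2]
        if not self._selectors_match(inner):
            raise ValueError("inner packet fails the selector check")
        return inner


def slide_sa() -> EspSa:
    """SA for the OS7400_1 -> OS7400_2 direction with the slide's addresses;
    the SPI and HMAC key are constructed placeholders."""
    return EspSa(0x1000ABCD, b"constructed-hmac-key", "165.213.89.238", "165.213.89.227",
                 "10.0.0.0/24", "192.168.0.0/24")


if __name__ == "__main__":
    sender, receiver = slide_sa(), slide_sa()
    original = build_ipv4("10.0.0.100", "192.168.0.100", 17, b"constructed UDP payload")
    tunnelled = sender.encapsulate(original)                     # ②
    print(receiver.decapsulate(tunnelled) == original)           # ③ -> True
```

The order of the checks in decapsulate is the point: the ICV is verified over the ESP header and payload before any field of the packet is interpreted, and the inner addresses are checked against the negotiated subnets so that a peer cannot inject packets for destinations the tunnel was never configured for.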
RSA key (1)

If you click [VPN] from the main menu, the following window will appear. Click the [Add] button to select a VPN gateway and to determine an authorization method.
RSA key (2)

Set OS7400_1 first. Enter the information on OS7400_1 in Local settings and the information on OS7400_2 in Remote settings. Click the “find” button to upload the OS7400_2 RSA key. (Click the Management => RSA [Download] button to download the authorization key and deliver it to OS7400_2.)
RSA key (3)

Set OS7400_2 in the same method as OS7400_1.

[Figure: OS7400_2 VPN settings window]
Pre-shared key (1)

Set the Pre-shared key fields in the same method as the RSA key fields. Enter the shared key, which is the password used for user authorization, in the Pre-shared key field.
Pre-shared key (2)

Set OS7400_2 in the same method as OS7400_1.
X.509 (1)

Click Certification from the left menu. Once the window below appears, click the [Add] button to create a CA certificate.
X.509 (2)

Once the window that prompts you to create a CA certificate appears, fill out all of the fields, and click the [OK] button.
X.509 (3)

Once the window that prompts you to create a host certificate appears, fill out the fields, and click the [OK] button. Note that you must remember the password.
X.509 (4)

Click the [Download] button in the window below to download the certificate.
X.509 (5)

Click Config from the left menu, then select Local Certificate and click OK. Select X.509 Cert and click the [OK] button.
X.509 (6)

Then ‘Local Certificate’ and ‘Local ID’ are displayed. Enter the password used when creating the host certificate in ‘Password’, and enter the ‘Remote ID’ value. In this case, the Remote ID value is OS7400_2’s Local ID, which is obtained in the same method as for OS7400_1.
X.509 (7)

In [Management] from the left menu, select the external device and click the [OK] button. If Activity is set to Stopped, click the [Run] button. (If Activity is set to Running, click the [Stop] button, and then click the [Run] button again.)
X.509 (8)

Click Status from the left menu to check the current status and log of VPN connections.

[Figure: Status window listing the connection log entries for “OS7400_1”.]
2. IPSec Connection Between OS7400 and PC (Remote User)

[Figure: Remote User (165.213.109.101) connects over the Internet to the OS7400 (WAN1 165.213.89.245, LAN 192.168.0.1) by tunneling (IPSec, PPTP, L2TP); PC 192.168.0.100 sits on the LAN.]
Pre-Shared key (1)

Enter the PC’s information in Remote settings. (Since a PC does not have a subnet, leave the subnet fields blank.)
Pre-Shared key - VPN Client (1)

If you select [Start] -> [Run] and run ‘mmc’, the window below will appear. Select [File] -> [Add/Remove Snap-in] from the Console window.
Pre-Shared key - VPN Client (2)

If you click the [Add] button in the <Add Standalone Snap-in> window, the window below will appear. Select ‘IP Security Policy Management’ from the snap-in list, and click the [Add] button.
Pre-Shared key - VPN Client (3)

Once the window below appears, select ‘Local computer’, and click the [Finish] button.
Pre-Shared key - VPN Client (4)

Back in the <Console> window, the ‘IP Security Policies on Local Computer’ submenu has been created under ‘Console Root’. Right-click the submenu and select [Create IP Security Policy].
Pre-Shared key - VPN Client (5)

Enter the name and description of the IP security policy in the <IP Security Policy Wizard> window, and click the [Next] button.
Pre-Shared key - VPN Client (6)

Clear the ‘Activate the default response rule’ checkbox, and click the [Next] button. Once the window below appears, select the ‘Edit Properties’ checkbox, and click the [Finish] button.
Pre-Shared key - VPN Client (7)

When the <XP IPSec Properties> window appears, the created item is displayed. Clear the checkbox, and click the [Add] button.
Pre-Shared key - VPN Client (8)

Once the <Security Rule Wizard> starts, click the [Next] button and select ‘The tunnel endpoint is specified by this IP address:’. Enter the WAN interface IP address (165.213.89.245), and click the [Next] button.
Pre-Shared key - VPN Client (9)

If you select ‘Local Area Network [LAN]’ in the <Network Type> window and click the [Next] button, the <Authentication Method> window will appear. Select the ‘Use this string to protect the key exchange (preshared key):’ option, and enter the user password registered with the firewall. Click the [Next] button.
Pre-Shared key - VPN Client (10)

If you click the [Add] button in the <IP Filter List> window, the window below will appear. Enter ‘outbound’ in the Name field, and click the [Add] button.
Pre-Shared key - VPN Client (11)

If you click the [Next] button in the <IP Filter Wizard> window, the window below will appear. Select ‘My IP address’ as the Source Address, and click the [Next] button.
Pre-Shared key - VPN Client (12)

Select ‘A specific IP Subnet’ as the Destination Address. Enter the address of the internal network (192.168.0.0) and subnet mask (255.255.255.0), and click the [Next] button.
Pre-Shared key - VPN Client (13)

Select ‘Any’ as the IP Protocol Type, and click the [Next] button. Select the ‘Edit properties’ checkbox, and click the [Finish] button.
Pre-Shared key - VPN Client (14)

If you click the [OK] button, the outbound filter will be created as shown in the figure below. Click the [Add] button to create the ‘inbound’ filter. Enter 192.168.0.0 and 255.255.255.0 in ‘A specific IP Subnet’ of the Source Address. Select ‘My IP Address’ as the Destination Address. The remaining settings are the same as before.
Pre-Shared key - VPN Client (15)

If you click the [OK] button, the window below will appear. Select the ‘outbound’ filter list, and click the [Next] button.
Pre-Shared key - VPN Client (16)

Select the ‘Request Security (Optional)’ option, and click the [Edit] button.
Pre-Shared key - VPN Client (17)

Select ‘Negotiate security’, and then select the entry with ‘AH Integrity (None)’, ‘ESP Confidentiality (3DES)’ and ‘ESP Integrity (MD5)’ in Security Method Priority. Click the [Move Up] button to move it to the top. Select the ‘Session key perfect forward secrecy (PFS)’ checkbox, and click the [OK] button.
Pre-Shared key - VPN Client (18)

If you select the ‘Edit Properties’ checkbox and click the [Finish] button, the outbound rule will be created as shown in the figure below. Click the [Add] button to create the inbound rule.
Pre-Shared key - VPN Client (19)

Once the <Security Rule Wizard> starts, click the [Next] button, select the ‘The tunnel endpoint is specified by this IP address’ option, and enter the Remote User IP address (165.213.109.101). Click the [Next] button.
Pre-Shared key - VPN Client (20)

If you select ‘Local area network [LAN]’ in the <Network Type> window and click the [Next] button, the <Authentication Method> window will appear. Select the ‘Use this string to protect the key exchange (preshared key):’ option, and enter the user password registered with the firewall. Click the [Next] button.
Pre-Shared key - VPN Client (21)

If you click the [OK] button, the <IP Filter List> window will appear. Select ‘inbound’ in the window, and click the [Next] button. The remaining settings are the same as before.
Pre-Shared key - VPN Client (22)

Select the [General] tab in the <XP IPSec Properties> window, and click the [Advanced] button. Once the <Key Exchange Settings> window appears, select the ‘Master key perfect forward secrecy (PFS)’ checkbox, and click the [Method] button.
Pre-Shared key - VPN Client (23)

In the <Key Exchange Security Methods> window, select the entry with ‘Encryption (3DES)’, ‘Integrity (MD5)’ and ‘Diffie-Hellman (Medium (2))’, and click the [Move Up] button to move it to the top. Click the [OK] button.
Pre-Shared key - VPN Client (24)

Select the ‘IP Security Policies on Local Computer’ submenu in the <Console> window. Right-click the newly created item in the right pane, and select the ‘Assign’ menu. The policy assignment changes to ‘Yes’.
Pre-Shared key - VPN Client (25)

Select [Start]->[Programs]->[Administrative Tools]->[Services] from the Windows taskbar. Right-click ‘IPSEC Services’, and click ‘Restart’.
Pre-Shared key - VPN Client (26)

Check the connection to the internal IP address (192.168.0.1) by running ping at the command prompt. If a reply is received as shown in the figure below, the connection has been made successfully.
X.509 (1)

Enter the information on OS7400 and PC in the same method as for the pre-shared key settings. Select X.509 Cert, and set the requested values.
X.509 (2)

Create an additional host certificate to authorize the PC.
X.509 (3)

Download the new PC certificate, and deliver it to the PC.
X.509 - VPN Client (1)

If you select [Start]->[Run] from the Windows taskbar and run ‘mmc’, the window below will appear. Select [File]->[Add/Remove Snap-in] from the Console window.
X.509 - VPN Client (2)

If you click the [Add] button in the <Add/Remove Snap-in> window, the window below will appear. Select ‘Certificates’ from the snap-in list, and click the [Add] button.
X.509 - VPN Client (3)

Select ‘Computer account’, and click the [Next] button.
X.509 - VPN Client (4)

Select ‘Local computer: (the computer this console is running on)’, and click the [Finish] button.
X.509 - VPN Client (5)

Select ‘IP Security Policy Management’ from the snap-in list, and click the [Add] button.
X.509 - VPN Client (6)

Select ‘Local computer’ in the Select Computer or Domain window, and click the [Finish] button to complete.
X.509 - VPN Client (7)

Right-click the Private submenu under the Certificates menu of the Console window, and select ‘All Tasks’ -> ‘Import’.
X.509 - VPN Client (8)

Once the Certificate Import Wizard starts, click the [Next] button, and locate the file to be imported by clicking the [Browse] button. When you have selected the file, click the [Next] button.
X.509 - VPN Client (9)

Enter the password used when creating the host certificate, and click the [Next] button.
X.509 - VPN Client (10)

Select ‘Automatically select the certificate store based on the type of certificate’, and click the [Next] button to exit the wizard.
X.509 - VPN Client (11)

If you click the Certificates submenu under the Private menu in the Console window, the saved certificate appears on the right of the window. Double-click the certificate.
X.509 - VPN Client (12)

Enter the information shown in ‘Subject’ on the ‘Details’ tab into the Remote ID field of the OS7400 settings.
X.509 - VPN Client (13)

Right-click ‘IP Security Policies on Local Computer’ under the Console Root of the Console window, and click [Create IP Security Policy]. The remaining settings are the same as for the pre-shared key.
X.509 - VPN Client (14)

Select ‘Use a certificate from the certification authority (CA)’ in the Authentication Method window. Then select a certificate by using the [Browse] button. (Set outbound and inbound in the same method.)
X.509 - VPN Client (15)
3. IPSec Connection Between OS7400 and Cisco Router

VPN of OS7400 allows you to connect different networks. The following figure illustrates basic network settings for using OS7400 VPN:

[Figure: OS7400 (WAN1 165.213.89.238, LAN 10.0.0.1, PC 10.0.0.100) and the Cisco router (WAN1 165.213.87.227, LAN 192.168.0.1) joined by an IPSec tunnel. ① Original packet: Src IP 10.0.0.100, Dest IP 192.168.0.100, payload. ② Tunnelled packet: New Src IP 165.213.89.238, New Dest IP 165.213.87.227, wrapping the original packet. ③ Decrypted packet: Src IP 10.0.0.100, Dest IP 192.168.0.100, payload. ④ Delivered to the target PC.]
The above figure shows packet forwarding when communicating from PC (10.0.0.100) to the target PC (192.168.0.100) using VPN.

1. Cisco Router configuration
   1) NAT configure, create Access Rule for NAT, and add routing table
   2) Create Keys for IKE and IPSec, and create site-to-site VPN
2. OS 7400 configuration
   1) Create connection Mod.
   2) Select Pre-Shared Authentication Method.
   3) Choose Phase 1 / Phase 2 parameters.
   4) Run VPN and check status.
• Cisco Router configuration

1) NAT configure, create Access Rule for NAT, and add routing table.
   . Outside: GigabitEthernet 0 - 165.213.87.227
   . Inside: Vlan1 - 192.168.0.1/24

(Example)
interface GigabitEthernet0
 ip address 165.213.87.227 255.255.255.0
 ip nat outside
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip nat pool natOutIpPool 165.213.87.225 165.213.87.225 netmask 255.255.255.252
ip nat inside source list 111 pool natOutIpPool overload
!
access-list 111 permit ip 192.168.0.0 0.0.0.255 any
!
ip classless
ip route 0.0.0.0 0.0.0.0 165.213.87.1
2) Create Keys for IKE and IPSec, and create site-to-site VPN

!--- Create the ISAKMP policy; the pre-shared key is cisco123
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 165.213.89.238
!
!--- Create an IPSec transform set named "myset". Use 3DES for ESP
!--- and ESP with the MD5 (HMAC variant) authentication algorithm.
!--- No mode is set, so the transform set defaults to tunnel mode
!--- (the OS7400 supports tunnel mode only).
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a crypto map "newmap" and assign sequence number 10.
crypto map newmap 10 ipsec-isakmp
 set peer 165.213.89.238
 set transform-set myset
 match address 100
!
!--- Add the crypto map to the interface
interface GigabitEthernet0
 crypto map newmap
2) Create Keys for IKE and IPSec, and create site-to-site VPN (cont’d)

!--- Add the NAT rule for the route-map
!--- (route-map and pool names corrected to match the definitions on this page:
!--- the original read "newmap" and "natoutIpPool")
ip nat inside source route-map SDM_RMAP_1 pool natOutIpPool
!
!--- Create the route-map
route-map SDM_RMAP_1 permit 1
 match ip address 111
!
!--- Create the access list for VPN
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
2. OS 7400 configuration

1) Create connection Mod.
2) Select Pre-Shared Authentication Method.
3) Choose Phase 1 / Phase 2 parameters.
4) Run VPN and check status.
PPTP Configuration
4. PPTP Configuration at OS7400 System

1. Click [PPTP]->[Config] from the left menu. If you click the [Add] button to add a PPTP user, the window below will appear. Enter the user ID and password, and select a method of assigning a user IP (Auto/Static).
2. Click Management from the left menu. If Activity is set to Stopped, click the [Run] button. (If Activity is set to Running, click the [Stop] button, and then click the [Run] button again.)
5. PPTP Configuration on PC (Windows 2000/XP)

1. Run [Start]->[Settings]->[Control Panel]->[Network Connections]->[Create a new connection] from the Windows taskbar. Once the New Connection Wizard starts, click the [Next] button.
2. Select ‘Connect to the network at my workplace’ from Network Connection Type and ‘Virtual Private Network connection’ in Network Connection. Click the [Next] button.
3. Enter a company name and the IP address of the VPN server. Click the [Next] button.
4. Complete the New Connection Wizard, and attempt to connect to the corporate VPN server.
- Example - (VoIP Service Using VPN)
Network Environment

[Figure: Site A (Node 0): OS7400 WAN1 165.213.89.238, LAN 10.0.0.1, MCP 10.0.0.10/24, MGI 10.0.0.20/24. Site B (Node 1): OS7400 WAN1 165.213.89.227, LAN 192.168.0.1, MCP 192.168.0.10/24, MGI 192.168.0.20/24. Numbers 2010 and 2050 are shown at the two sites. The sites are joined across the Internet by a VoIP connection using VPN (tunneling: IPSec, L2TP, PPTP) and a VoIP connection without VPN.]
Conditions

1. Set NAT from [Firewall/Network] of GWIM. Then, set the network information as shown in the figure below.
2. Set the external port of MGI to No. 20000.
3. Pre-set static NAPT on MCP and MGI.
4. Set IPSec between Site A and Site B.
E.g.) Refer to the [OfficeServ 7400] Quick Install Guide (VoIP Service) file.
6. H.323/SIP Application Case
▶ CASE I: H.323/SIP Call Connection Using NAPT
Site A MMC Configuration
-. MMC 830 IP: 10.0.0.10 / GW: 10.0.0.1 / Netmask: 255.255.255.0 / Public Port: 1719 / Public IP: 165.213.89.238 / System IP Type: Private with Public
-. MMC 831 IP: 10.0.0.20 / GW: 10.0.0.1 / Netmask: 255.255.255.0 / Public Port: 20000 / Public IP: 165.213.89.238 / System IP Type: Private with Public
-. MMC 724 Enter an MGI Dial No. (E.g. 3801 ~ 3816).
-. MMC 615 Enter a VoIP trunk and a public IP trunk (E.g. 3801 ~ 3816).
-. MMC 838 10.0.0.255 (80)
-. MMC 833 165.213.87.227 (Site B WAN IP address)
Site B MMC Configuration
-. MMC 830 IP: 192.168.0.10 / GW: 192.168.0.1 / Netmask: 255.255.255.0 / Public Port: 1719 / Public IP: 165.213.87.227 / System IP Type: Private with Public
-. MMC 831 IP: 192.168.0.20 / GW: 192.168.0.1 / Netmask: 255.255.255.0 / Public Port: 20000 / Public IP: 165.213.87.227 / System IP Type: Private with Public
-. MMC 724 Enter an MGI Dial No. (E.g. 3801 ~ 3816).
-. MMC 615 Enter a VoIP trunk and a public IP trunk (E.g. 3801 ~ 3816).
-. MMC 838 192.168.0.255 (80)
-. MMC 833 165.213.89.238 (Site A WAN IP address)
▶ CASE II: H.323/SIP Call Connection Using IPSec
Site A MMC Configuration
-. MMC 830 IP: 10.0.0.10 / GW: 10.0.0.1 / Netmask: 255.255.255.0 / System IP Type: Private
-. MMC 831 IP: 10.0.0.20 / GW: 10.0.0.1 / Netmask: 255.255.255.0 / System IP Type: Private
-. MMC 724 Enter an MGI Dial No. (E.g. 3801 ~ 3816).
-. MMC 615 Enter a VoIP trunk and an IP trunk (E.g. 3801 ~ 3816).
-. MMC 838 192.168.0.255 (79), 10.0.0.255 (80)
-. MMC 833 192.168.0.10 (Site B MCP private IP address)
Site B MMC Configuration
-. MMC 830 IP: 192.168.0.10 / GW: 192.168.0.1 / Netmask: 255.255.255.0 / System IP Type: Private
-. MMC 831 IP: 192.168.0.20 / GW: 192.168.0.1 / Netmask: 255.255.255.0 / System IP Type: Private
-. MMC 724 Enter an MGI Dial No. (E.g. 3801 ~ 3816).
-. MMC 615 Enter a VoIP trunk and an IP trunk (E.g. 3801 ~ 3816).
-. MMC 838 10.0.0.255 (79), 192.168.0.255 (80)
-. MMC 833 10.0.0.10 (Site A MCP private IP address)
7. IP Networking (Qsig) Application Case
▶ CASE III: IP Networking (Qsig) Call Connection Using NAPT
Site A MMC Configuration
-. MMC 830 IP: 10.0.0.10 / GW: 10.0.0.1 / Netmask: 255.255.255.0 / Public Port: 6100 / Public IP: 165.213.89.238 / System IP Type: Private or Public
-. MMC 831 IP: 10.0.0.20 / GW: 10.0.0.1 / Netmask: 255.255.255.0 / Public Port: 20000 / Public IP: 165.213.89.238 / System IP Type: Private or Public
-. MMC 724 Enter an MGI Dial No. (E.g. 3801 ~ 3816).
-. MMC 615 Enter a VoIP trunk and a public IP trunk (E.g. 3801 ~ 3816).
-. MMC 838 10.0.0.255 (80)
-. MMC 820 SELF LINK ID: 0 / Signal GW: 10.0.0.10; SYS01 LINK ID: 1 / Signal GW: 165.213.87.227 / IP Type: Public
Site B MMC Configuration
-. MMC 830 IP: 192.168.0.10 / GW: 192.168.0.1 / Netmask: 255.255.255.0 / Public Port: 6100 / Public IP: 165.213.87.227 / System IP Type: Private or Public
-. MMC 831 IP: 192.168.0.20 / GW: 192.168.0.1 / Netmask: 255.255.255.0 / Public Port: 20000 / Public IP: 165.213.87.227 / System IP Type: Private or Public
-. MMC 724 Enter an MGI Dial No. (E.g. 3801 ~ 3816).
-. MMC 615 Enter a VoIP trunk and a public IP trunk (E.g. 3801 ~ 3816).
-. MMC 838 192.168.0.255 (80)
-. MMC 820 SELF LINK ID: 1 / Signal GW: 192.168.0.10; SYS01 LINK ID: 0 / Signal GW: 165.213.89.238 / IP Type: Public
▶ CASE IV: IP Networking (Qsig) Call Connection Using IPSec
Site A MMC Configuration
-. MMC 830 IP: 10.0.0.10 / GW: 10.0.0.1 / Netmask: 255.255.255.0 / System IP Type: Private
-. MMC 831 IP: 10.0.0.20 / GW: 10.0.0.1 / Netmask: 255.255.255.0 / System IP Type: Private
-. MMC 724 Enter an MGI Dial No. (E.g. 3801 ~ 3816).
-. MMC 615 Enter a VoIP trunk and an IP trunk (E.g. 3801 ~ 3816).
-. MMC 838 192.168.0.255 (79), 10.0.0.255 (80)
-. MMC 820 SELF LINK ID: 0 / Signal GW: 10.0.0.10; SYS01 LINK ID: 1 / Signal GW: 192.168.0.10 / IP Type: Private
Site B MMC Configuration
-. MMC 830 IP: 192.168.0.10 / GW: 192.168.0.1 / Netmask: 255.255.255.0 / System IP Type: Private
-. MMC 831 IP: 192.168.0.20 / GW: 192.168.0.1 / Netmask: 255.255.255.0 / System IP Type: Private
-. MMC 724 Enter an MGI Dial No. (E.g. 3801 ~ 3816).
-. MMC 615 Enter a VoIP trunk and an IP trunk (E.g. 3801 ~ 3816).
-. MMC 838 10.0.0.255 (79), 192.168.0.255 (80)
-. MMC 820 SELF LINK ID: 1 / Signal GW: 192.168.0.10; SYS01 LINK ID: 0 / Signal GW: 10.0.0.10 / IP Type: Private
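The four cases above follow one pattern: over NAPT each site advertises its own WAN address and dials the peer's WAN address, while over IPSec each site dials the peer's private MCP and lists the peer LAN in MMC 838. The consistency check below, an added example rather than Samsung's own tool, encodes that pattern for the Site A/Site B addresses in this guide; the function names, the dict layout and the reading of an MMC 838 entry such as 10.0.0.255 as its /24 are this example's assumptions.

```python
"""Consistency check for the two-site MMC entries in CASE I-IV.
Added example: site addresses come from the guide; function names,
dict layout and the /24 reading of MMC 838 entries are assumptions."""
from ipaddress import ip_address, ip_network

SITES = {  # node -> addressing from the Network Environment page
    0: {"wan": "165.213.89.238", "lan": "10.0.0.0/24", "mcp": "10.0.0.10"},
    1: {"wan": "165.213.87.227", "lan": "192.168.0.0/24", "mcp": "192.168.0.10"},
}

def range_net(entry):
    """Map an MMC 838 entry such as '10.0.0.255' to its /24 (assumed meaning)."""
    return ip_network(entry.rsplit(".", 1)[0] + ".0/24")

def check_site(node, mode, mmc):
    """Return a list of problems for one site's entries; [] means consistent.
    mode is 'napt' (CASE I/III) or 'ipsec' (CASE II/IV).
    mmc: public_ip (MMC 830/831, None if absent), peer (MMC 833, or the
    MMC 820 SYS01 signal GW for Qsig) and ranges (MMC 838 entries)."""
    me, other = SITES[node], SITES[1 - node]
    peer = ip_address(mmc["peer"])
    nets = [range_net(e) for e in mmc["ranges"]]
    problems = []
    if mode == "napt":
        # Calls cross the Internet: advertise own WAN, dial the peer's WAN.
        if mmc["public_ip"] != me["wan"]:
            problems.append("Public IP must be this site's WAN address")
        if peer.is_private or str(peer) != other["wan"]:
            problems.append("peer must be the other site's public WAN address")
    else:
        # Calls cross the tunnel: dial the peer's private MCP, and its LAN
        # must be in the MMC 838 table so the system treats it as reachable.
        if mmc["public_ip"] is not None:
            problems.append("no public IP/port is needed over IPSec")
        if str(peer) != other["mcp"]:
            problems.append("peer must be the other site's MCP private address")
        if not any(peer in n for n in nets):
            problems.append("peer LAN missing from MMC 838")
    if ip_network(me["lan"]) not in nets:
        problems.append("own LAN missing from MMC 838")
    return problems

# Site A entries copied from CASE I (NAPT) and CASE II (IPSec)
CASE1_A = {"public_ip": "165.213.89.238", "peer": "165.213.87.227",
           "ranges": ["10.0.0.255"]}
CASE2_A = {"public_ip": None, "peer": "192.168.0.10",
           "ranges": ["192.168.0.255", "10.0.0.255"]}

if __name__ == "__main__":
    for name, mode, cfg in (("CASE I", "napt", CASE1_A), ("CASE II", "ipsec", CASE2_A)):
        print(name, check_site(0, mode, cfg) or "OK")
```

Running the Site B entries through the same function (node 1) checks the mirror side; a non-empty list points at the MMC that disagrees with the peer.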
Thank you !