Difference between revisions of "Howto Adtran"

From Shrew Soft Inc
Jump to: navigation, search
 
(9 intermediate revisions by the same user not shown)
Line 24: Line 24:
 
Before users can authenticate, individual accounts must be created. To configure these accounts, navigate to the System / Passwords page using the left hand menu.
 
Before users can authenticate, individual accounts must be created. To configure these accounts, navigate to the System / Passwords page using the left hand menu.
  
[[Image(http://www.shrew.net/static/howto/Adtran/nav-1.png)]]
+
[[File:Adtran-nav-1.png]]
  
 
==== Add VPN User Accounts ====
 
==== Add VPN User Accounts ====
Line 34: Line 34:
 
*Confirm Password = User account password
 
*Confirm Password = User account password
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-1a.png)]]
+
[[File:Adtran-pic-1a.png]]
  
 
==== Enable AAA Authentication ====
 
==== Enable AAA Authentication ====
Line 40: Line 40:
 
Before the user accounts can be used for VPN connections, you will need to enable AAA authentication. Make sure this option is checked and press ''Apply'' when finished.
 
Before the user accounts can be used for VPN connections, you will need to enable AAA authentication. Make sure this option is checked and press ''Apply'' when finished.
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-1b.png)]]
+
[[File:Adtran-pic-1b.png]]
  
 
=== VPN Configuration ===
 
=== VPN Configuration ===
Line 46: Line 46:
 
The VPN settings must be defined before a user can connect to the Netvanta Gateway. To configure these settings, navigate to the Data / VPN / VPN Peer page using the left hand menu.
 
The VPN settings must be defined before a user can connect to the Netvanta Gateway. To configure these settings, navigate to the Data / VPN / VPN Peer page using the left hand menu.
  
[[Image(http://www.shrew.net/static/howto/Adtran/nav-2.png)]]
+
[[File:Adtran-nav-2.png]]
  
 
==== Enable VPN Support ====
 
==== Enable VPN Support ====
Line 52: Line 52:
 
Before the users can connect, you will need to enable VPN support. Make sure this option is checked and press ''Apply'' when finished.
 
Before the users can connect, you will need to enable VPN support. Make sure this option is checked and press ''Apply'' when finished.
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-2a.png)]]
+
[[File:Adtran-pic-2a.png]]
  
 
==== Create a VPN Peer ====
 
==== Create a VPN Peer ====
Line 58: Line 58:
 
A VPN Peer needs to be defined. This will specify the parameters used for the remote access VPN connection. To add a VPN peer definition, click the ''Create New VPN Peer'' button.
 
A VPN Peer needs to be defined. This will specify the parameters used for the remote access VPN connection. To add a VPN peer definition, click the ''Create New VPN Peer'' button.
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-2b.png)]]
+
[[File:Adtran-pic-2b.png]]
  
 
Enter the following parameters and click ''Apply'' when finished.
 
Enter the following parameters and click ''Apply'' when finished.
Line 66: Line 66:
 
*Peer Type = Mobile Peer
 
*Peer Type = Mobile Peer
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-2c.png)]]
+
[[File:Adtran-pic-2c.png]]
  
 
==== Define the VPN Peer Configuration ====
 
==== Define the VPN Peer Configuration ====
Line 83: Line 83:
 
*Lifetime = 3600 seconds
 
*Lifetime = 3600 seconds
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-3a.png)]]
+
[[File:Adtran-pic-3a.png]]
  
 
An IKE attribute definition needs to be added. This sets the Phase1 policy negotiation parameters. Enter the following parameters and click ''Add'' when finished.
 
An IKE attribute definition needs to be added. This sets the Phase1 policy negotiation parameters. Enter the following parameters and click ''Add'' when finished.
Line 93: Line 93:
 
*Lifetime = 28800 seconds
 
*Lifetime = 28800 seconds
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-3b.png)]]
+
[[File:Adtran-pic-3b.png]]
  
 
A Remote ID definition needs to be added. This specifies the ID parameters used to match a VPN client to this peer definition. Enter the following parameters and press ''Add'' when finished.
 
A Remote ID definition needs to be added. This specifies the ID parameters used to match a VPN client to this peer definition. Enter the following parameters and press ''Add'' when finished.
Line 103: Line 103:
 
*Nat Traversal = Allow V1 / Allow V2
 
*Nat Traversal = Allow V1 / Allow V2
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-3c.png)]]
+
[[File:Adtran-pic-3c.png]]
  
 
The Remote Addressing parameters need to be defined. These settings will be negotiated by the client during Mode Config. Enter the following parameters and press ''Apply'' when finished.
 
The Remote Addressing parameters need to be defined. These settings will be negotiated by the client during Mode Config. Enter the following parameters and press ''Apply'' when finished.
Line 115: Line 115:
 
*Secondary WINS Server = ''optional''
 
*Secondary WINS Server = ''optional''
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-3d.png)]]
+
[[File:Adtran-pic-3d.png]]
  
 
==== Define the VPN Peer Policies ====
 
==== Define the VPN Peer Policies ====
Line 121: Line 121:
 
VPN Peer Policies need to be defined for each network the VPN Client will need to connect to. For the purposes of this document, we will assume the client need to connect to a single private network defined as 10.1.2.0/24. Click the ''Add New VPN Selector'' button.
 
VPN Peer Policies need to be defined for each network the VPN Client will need to connect to. For the purposes of this document, we will assume the client need to connect to a single private network defined as 10.1.2.0/24. Click the ''Add New VPN Selector'' button.
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-4a.png)]]
+
[[File:Adtran-pic-4a.png]]
  
 
Define the VPN Selector Entry. Enter the following parameters and click ''Apply'' when finished.
 
Define the VPN Selector Entry. Enter the following parameters and click ''Apply'' when finished.
Line 138: Line 138:
 
*Netmask = 255.255.255.0
 
*Netmask = 255.255.255.0
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-4b.png)]]
+
[[File:Adtran-pic-4b.png]]
  
 
After the new VPN Selector Entry has been added, you will notice that it is placed at the bottom of the list. There is a default policy to Deny all traffic which will be above the entry you just added. We need to move it above the deny policy so it will take precedent. Click the Up Arrow Icon to the left of the Permit policy.
 
After the new VPN Selector Entry has been added, you will notice that it is placed at the bottom of the list. There is a default policy to Deny all traffic which will be above the entry you just added. We need to move it above the deny policy so it will take precedent. Click the Up Arrow Icon to the left of the Permit policy.
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-4c.png)]]
+
[[File:Adtran-pic-4c.png]]
  
 
Now the order should be correct.
 
Now the order should be correct.
  
[[Image(http://www.shrew.net/static/howto/Adtran/pic-4d.png)]]
+
[[File:Adtran-pic-4d.png]]
  
  
Line 187: Line 187:
 
The IPsec Policy information must be manually configured when communicating with Adtran gateways. Create an include Topology entry for each private network behind on the gateway. For our example, a single Topology Entry is defined to include the 10.1.2.0/24 network.
 
The IPsec Policy information must be manually configured when communicating with Adtran gateways. Create an include Topology entry for each private network behind on the gateway. For our example, a single Topology Entry is defined to include the 10.1.2.0/24 network.
  
=== Credits ===
+
== Credits ==
  
 
Many thanks to Adtran who donated a Netvanta 3120 appliance for testing and to create this documentation.
 
Many thanks to Adtran who donated a Netvanta 3120 appliance for testing and to create this documentation.
  
=== Resources ===
+
== Resources ==
  
*[http://www.shrew.net/vpn/howto/Adtran/netvanta.vpn Example Client configuration]
+
[[Media:Adtran.vpn.txt]]

Latest revision as of 04:49, 9 January 2013

Introduction

This guide provides information that can be used to configure an Adtran Netvanta device to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been tested with Adtran products to ensure interoperability. The configuration guild below shows examples from a Netvanta 3120.

Overview

The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the pull configuration method to acquire the following parameters automatically from the gateway.

  • IP Address
  • IP Netmask
  • DNS Servers
  • WINS Servers

Gateway Configuration

This example assumes you have knowledge of the Netvanta gateway web configuration interface. For more information, please consult your gateway product documentation.

Interfaces

Two network interfaces are configured. The Internet Primary interface has a static public IP address of 10.1.1.27 which faces the internet. The internal interface has a static private IP address of 10.1.2.27 which faces the internal private network. The default gateway is configured as 10.1.1.1 via the WAN interface.

User Authentication

Before users can authenticate, individual accounts must be created. To configure these accounts, navigate to the System / Passwords page using the left hand menu.

Adtran-nav-1.png

Add VPN User Accounts

To add user accounts, enter the following information and then type add for each user.

  • Username = User account name
  • Password = User account password
  • Confirm Password = User account password

Adtran-pic-1a.png

Enable AAA Authentication

Before the user accounts can be used for VPN connections, you will need to enable AAA authentication. Make sure this option is checked and press Apply when finished.

Adtran-pic-1b.png

VPN Configuration

The VPN settings must be defined before a user can connect to the Netvanta Gateway. To configure these settings, navigate to the Data / VPN / VPN Peer page using the left hand menu.

Adtran-nav-2.png

Enable VPN Support

Before the users can connect, you will need to enable VPN support. Make sure this option is checked and press Apply when finished.

Adtran-pic-2a.png

Create a VPN Peer

A VPN Peer needs to be defined. This will specify the parameters used for the remote access VPN connection. To add a VPN peer definition, click the Create New VPN Peer button.

Adtran-pic-2b.png

Enter the following parameters and click Apply when finished.

  • Name = client vpn
  • VPN Interface = Public
  • Peer Type = Mobile Peer

Adtran-pic-2c.png

Define the VPN Peer Configuration

The Peer configuration needs to be defined. Enter the following parameters and click Apply when finished.

IKE Configuration

  • XAUTH Enabled = Local Userlist
  • Respond Mode = Aggressive
  • Nat Traversal = Allow V1 / Allow V2
  • Local ID = IP Address / 10.1.1.27 ( matches the Netvanta public interface address )

IPSec Configuration

  • PFS = Disabled
  • Encryption / Hash = ESP : AES 256 / MD5
  • Lifetime = 3600 seconds

Adtran-pic-3a.png

An IKE attribute definition needs to be added. This sets the Phase1 policy negotiation parameters. Enter the following parameters and click Add when finished.

IPSec Configuration

  • Encryption / Hash = AES 256bit / MD5
  • Authentication = Preshared Key
  • DH Group = 2
  • Lifetime = 28800 seconds

Adtran-pic-3b.png

A Remote ID definition needs to be added. This specifies the ID parameters used to match a VPN client to this peer definition. Enter the following parameters and press Add when finished.

  • Remote ID Type = Domain Name
  • Domain Name = client.shrew.net ( or an alternate client ID value )
  • Preshared key = mypresharedkey ( replace this with your real psk )
  • Allow XAUTH = Enabled
  • Nat Traversal = Allow V1 / Allow V2

Adtran-pic-3c.png

The Remote Addressing parameters need to be defined. These settings will be negotiated by the client during Mode Config. Enter the following parameters and press Apply when finished.

NOTE : The IP Address Range defines addresses that will be assigned to client virtual network adapters. It is important to use a range that does not overlap any private network that exists behind the Netvanta gateway.

  • IP Address Range = 10.2.27.1 - 10.2.27.254 ( or your preferred range )
  • Primary DNS Server = optional
  • Secondary DNS Server = optional
  • Primary WINS Server = optional
  • Secondary WINS Server = optional

Adtran-pic-3d.png

Define the VPN Peer Policies

VPN Peer Policies need to be defined for each network the VPN Client will need to connect to. For the purposes of this document, we will assume the client need to connect to a single private network defined as 10.1.2.0/24. Click the Add New VPN Selector button.

Adtran-pic-4a.png

Define the VPN Selector Entry. Enter the following parameters and click Apply when finished.

  • Filter Type = Permit
  • Protocol = any

Source DATA

  • Type = IP Address
  • Address = 10.1.2.0
  • Netmask = 255.255.255.0

Destination Data

  • Type = IP Address
  • Address = 10.2.27.0
  • Netmask = 255.255.255.0

Adtran-pic-4b.png

After the new VPN Selector Entry has been added, you will notice that it is placed at the bottom of the list. There is a default policy to Deny all traffic which will be above the entry you just added. We need to move it above the deny policy so it will take precedent. Click the Up Arrow Icon to the left of the Permit policy.

Adtran-pic-4c.png

Now the order should be correct.

Adtran-pic-4d.png


Please keep in mind, that a Policy of <Private Internal Subnet> to <Any> will send all traffic through the VPN-Tunnel hence this will break internet access for the internal clients. The following two options are more common cases:

  • <Private Internal Subnet> to <VPN Client Subnet> this would be 10.1.2.0/24 to 10.2.27.0/24
  • <Any> to <VPN client Subnet> this would be "Any" to 10.2.27.0/24

Client Configuration

The client configuration in this example is straight forward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs.

General Tab

The Remote Host section must be configured. The Host Name or IP Address is defined as 10.1.1.27 to match the Netvanta public interface address. The Auto Configuration mode should be set to ike config pull.

Phase 1 Tab

The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the Netvanta IKE attributes definition.

Authentication Tab

The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth.

Local Identity Tab

The Local Identification Type should be set to Fully Qualified Domain Name using the value "client.shrew.net" to match the Netvanta allowed Remote ID setting.

Remote Identity Tab

The Remote Identification Type should be set to IP Address with the "Use a discovered remote host address" option enabled.

Credentials Tab

The Credentials Pre Shared Key is defined to match the match the Netvanta Gateway Remote ID Preshared Key value.

Policy Tab

The IPsec Policy information must be manually configured when communicating with Adtran gateways. Create an include Topology entry for each private network behind on the gateway. For our example, a single Topology Entry is defined to include the 10.1.2.0/24 network.

Credits

Many thanks to Adtran who donated a Netvanta 3120 appliance for testing and to create this documentation.

Resources

Media:Adtran.vpn.txt

Namespaces

Variants
Actions