Difference between revisions of "Howto Adtran"
(Created page with "== Introduction == This guide provides information that can be used to configure an Adtran Netvanta device to support IPsec VPN client connectivity. The Shrew Soft VPN Client...") |
|||
Line 12: | Line 12: | ||
*WINS Servers | *WINS Servers | ||
− | + | == Gateway Configuration == | |
This example assumes you have knowledge of the Netvanta gateway web configuration interface. For more information, please consult your gateway product documentation. | This example assumes you have knowledge of the Netvanta gateway web configuration interface. For more information, please consult your gateway product documentation. | ||
Line 154: | Line 154: | ||
*<Any> to <VPN client Subnet> this would be "Any" to 10.2.27.0/24 | *<Any> to <VPN client Subnet> this would be "Any" to 10.2.27.0/24 | ||
− | |||
− | |||
=== Client Configuration === | === Client Configuration === |
Revision as of 18:59, 3 September 2012
Contents
- 1 Introduction
- 2 Overview
- 3 Gateway Configuration
Introduction
This guide provides information that can be used to configure an Adtran Netvanta device to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been tested with Adtran products to ensure interoperability. The configuration guild below shows examples from a Netvanta 3120.
Overview
The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the pull configuration method to acquire the following parameters automatically from the gateway.
- IP Address
- IP Netmask
- DNS Servers
- WINS Servers
Gateway Configuration
This example assumes you have knowledge of the Netvanta gateway web configuration interface. For more information, please consult your gateway product documentation.
Interfaces
Two network interfaces are configured. The Internet Primary interface has a static public IP address of 10.1.1.27 which faces the internet. The internal interface has a static private IP address of 10.1.2.27 which faces the internal private network. The default gateway is configured as 10.1.1.1 via the WAN interface.
User Authentication
Before users can authenticate, individual accounts must be created. To configure these accounts, navigate to the System / Passwords page using the left hand menu.
Image(http://www.shrew.net/static/howto/Adtran/nav-1.png)
Add VPN User Accounts
To add user accounts, enter the following information and then type add for each user.
- Username = User account name
- Password = User account password
- Confirm Password = User account password
Image(http://www.shrew.net/static/howto/Adtran/pic-1a.png)
Enable AAA Authentication
Before the user accounts can be used for VPN connections, you will need to enable AAA authentication. Make sure this option is checked and press Apply when finished.
Image(http://www.shrew.net/static/howto/Adtran/pic-1b.png)
VPN Configuration
The VPN settings must be defined before a user can connect to the Netvanta Gateway. To configure these settings, navigate to the Data / VPN / VPN Peer page using the left hand menu.
Image(http://www.shrew.net/static/howto/Adtran/nav-2.png)
Enable VPN Support
Before the users can connect, you will need to enable VPN support. Make sure this option is checked and press Apply when finished.
Image(http://www.shrew.net/static/howto/Adtran/pic-2a.png)
Create a VPN Peer
A VPN Peer needs to be defined. This will specify the parameters used for the remote access VPN connection. To add a VPN peer definition, click the Create New VPN Peer button.
Image(http://www.shrew.net/static/howto/Adtran/pic-2b.png)
Enter the following parameters and click Apply when finished.
- Name = client vpn
- VPN Interface = Public
- Peer Type = Mobile Peer
Image(http://www.shrew.net/static/howto/Adtran/pic-2c.png)
Define the VPN Peer Configuration
The Peer configuration needs to be defined. Enter the following parameters and click Apply when finished.
IKE Configuration
- XAUTH Enabled = Local Userlist
- Respond Mode = Aggressive
- Nat Traversal = Allow V1 / Allow V2
- Local ID = IP Address / 10.1.1.27 ( matches the Netvanta public interface address )
IPSec Configuration
- PFS = Disabled
- Encryption / Hash = ESP : AES 256 / MD5
- Lifetime = 3600 seconds
Image(http://www.shrew.net/static/howto/Adtran/pic-3a.png)
An IKE attribute definition needs to be added. This sets the Phase1 policy negotiation parameters. Enter the following parameters and click Add when finished.
IPSec Configuration
- Encryption / Hash = AES 256bit / MD5
- Authentication = Preshared Key
- DH Group = 2
- Lifetime = 28800 seconds
Image(http://www.shrew.net/static/howto/Adtran/pic-3b.png)
A Remote ID definition needs to be added. This specifies the ID parameters used to match a VPN client to this peer definition. Enter the following parameters and press Add when finished.
- Remote ID Type = Domain Name
- Domain Name = client.shrew.net ( or an alternate client ID value )
- Preshared key = mypresharedkey ( replace this with your real psk )
- Allow XAUTH = Enabled
- Nat Traversal = Allow V1 / Allow V2
Image(http://www.shrew.net/static/howto/Adtran/pic-3c.png)
The Remote Addressing parameters need to be defined. These settings will be negotiated by the client during Mode Config. Enter the following parameters and press Apply when finished.
NOTE : The IP Address Range defines addresses that will be assigned to client virtual network adapters. It is important to use a range that does not overlap any private network that exists behind the Netvanta gateway.
- IP Address Range = 10.2.27.1 - 10.2.27.254 ( or your preferred range )
- Primary DNS Server = optional
- Secondary DNS Server = optional
- Primary WINS Server = optional
- Secondary WINS Server = optional
Image(http://www.shrew.net/static/howto/Adtran/pic-3d.png)
Define the VPN Peer Policies
VPN Peer Policies need to be defined for each network the VPN Client will need to connect to. For the purposes of this document, we will assume the client need to connect to a single private network defined as 10.1.2.0/24. Click the Add New VPN Selector button.
Image(http://www.shrew.net/static/howto/Adtran/pic-4a.png)
Define the VPN Selector Entry. Enter the following parameters and click Apply when finished.
- Filter Type = Permit
- Protocol = any
Source DATA
- Type = IP Address
- Address = 10.1.2.0
- Netmask = 255.255.255.0
Destination Data
- Type = IP Address
- Address = 10.2.27.0
- Netmask = 255.255.255.0
Image(http://www.shrew.net/static/howto/Adtran/pic-4b.png)
After the new VPN Selector Entry has been added, you will notice that it is placed at the bottom of the list. There is a default policy to Deny all traffic which will be above the entry you just added. We need to move it above the deny policy so it will take precedent. Click the Up Arrow Icon to the left of the Permit policy.
Image(http://www.shrew.net/static/howto/Adtran/pic-4c.png)
Now the order should be correct.
Image(http://www.shrew.net/static/howto/Adtran/pic-4d.png)
Please keep in mind, that a Policy of <Private Internal Subnet> to <Any> will send all traffic through the VPN-Tunnel hence this will break internet access for the internal clients. The following two options are more common cases:
- <Private Internal Subnet> to <VPN Client Subnet> this would be 10.1.2.0/24 to 10.2.27.0/24
- <Any> to <VPN client Subnet> this would be "Any" to 10.2.27.0/24
Client Configuration
The client configuration in this example is straight forward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs.
=== General Tab ===
The Remote Host section must be configured. The Host Name or IP Address is defined as 10.1.1.27 to match the Netvanta public interface address. The Auto Configuration mode should be set to ike config pull.
=== Phase 1 Tab ===
The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the Netvanta IKE attributes definition.
=== Authentication Tab ===
The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth.
==== Local Identity Tab ====
The Local Identification Type should be set to Fully Qualified Domain Name using the value "client.shrew.net" to match the Netvanta allowed Remote ID setting.
==== Remote Identity Tab ====
The Remote Identification Type should be set to IP Address with the "Use a discovered remote host address" option enabled.
==== Credentials Tab ====
The Credentials Pre Shared Key is defined to match the match the Netvanta Gateway Remote ID Preshared Key value.
Policy Tab
The IPsec Policy information must be manually configured when communicating with Adtran gateways. Create an include Topology entry for each private network behind on the gateway. For our example, a single Topology Entry is defined to include the 10.1.2.0/24 network.
Credits
Many thanks to Adtran who donated a Netvanta 3120 appliance for testing and to create this documentation.