WiNG How-To Guide Microsoft L2TP/IPSec VPN Client-Configuration

Pre-Requisites:
Requirements:
The following requirements must be met prior to attempting this configuration:
  1. One (or more) RF Switches are installed and operational on the network.
  2. One (or more) Access Ports configured and adopted by the RF Switch.
  3. One (or more) WLAN profiles are configured and assigned to adopted radios.
  4. A Windows XP workstation is available with Microsoft Internet Explorer or Mozilla Firefox to perform Web UI configuration.
  5. One or more Windows XP workstations are available to test and verify IPSec communications.
  6. The reader has read the Motorola RFS Series Wireless LAN Switches - WiNG System Reference Guide.

Components Used:
The information in this document is based on the following Motorola hardware and software versions:

1 x RFS6000 Version 3.3.

Configuration:
The following section outlines the configuration steps required on an RF Switch to support Microsoft
L2TP/IPSec VPN clients:
1)  Firewall Rules [Section 3.1]:
2)  IKE Settings [Section 3.2]:
3)  IPSec VPN Settings [Section 3.3]:
4)  Microsoft VPN Client [Section 3.4]:
Firewall Rules:
When terminating L2TP/IPSec VPN tunnels on a Motorola RF Switch, the RF Switch must be told which traffic flows to encrypt by applying an ACL to each Crypto Map.
For this example an RF Switch has been deployed providing data, voice, guest and internet services to users at the site. To support these services the following IP Interfaces have been defined on the RF Switch:
VLAN 10 – Servers, Applications and Management.
VLAN 40 – Wireless and Wired Data Users.
VLAN 80 – VoIP Call Servers, Gateways and Handsets.
VLAN 4094 – Public Internet.
The remote VPN users will be permitted to access all internal resources at the site. An extended IP list will be created on the RF Switch and applied to a Crypto Map, which tells the RF Switch to encrypt traffic between the VPN virtual pool (192.168.41.0/24) and VLANs 10, 40 and 80. Traffic to VLAN 4094 (Public Internet) is not listed, so it is not selected for encryption by this Crypto Map.

Web UI Configuration Example:
The following configuration example will demonstrate how to create an extended IP list and rules on the RF Switch to determine which traffic to inspect and encrypt using the Web UI:
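To make the selection rule above concrete, here is a small flow classifier modelled on the extended IP list applied to the Crypto Map. This is an added example written for this page, not Motorola/WiNG code: the VPN pool 192.168.41.0/24, the VLAN IDs and the set of protected VLANs come from the guide, while the VLAN subnets, the sample flows and the function names are assumptions.

```python
"""Flow classifier for the crypto-map ACL described in the firewall-rules section.

Added example, not Motorola/WiNG code. The VPN pool 192.168.41.0/24 and the
VLAN IDs come from the page; the VLAN subnets and the sample flows are assumed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed subnets for the site's IP interfaces (the page names only the VLAN IDs).
VLAN_SUBNETS = {
    10: ipaddress.ip_network("192.168.10.0/24"),    # servers, applications, management
    40: ipaddress.ip_network("192.168.40.0/24"),    # wired/wireless data users
    80: ipaddress.ip_network("192.168.80.0/24"),    # VoIP call servers, gateways, handsets
    4094: ipaddress.ip_network("203.0.113.0/24"),   # public internet (RFC 5737 documentation range)
}
VPN_POOL = ipaddress.ip_network("192.168.41.0/24")  # virtual pool from the page
PROTECTED_VLANS = (10, 40, 80)                      # VLANs the page lists as encrypted


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" selects the flow for IPSec, "deny" bypasses it
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def build_crypto_acl(pool, vlans, protected):
    """One permit per protected VLAN in each direction; unlisted flows fall through to deny."""
    rules = []
    for vid in protected:
        rules.append(Rule("permit", pool, vlans[vid]))
        rules.append(Rule("permit", vlans[vid], pool))   # reply traffic must be selected too
    return rules


def classify(rules, src_ip, dst_ip):
    """First-match evaluation with an implicit deny (clear-text bypass) at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return "encrypt" if rule.action == "permit" else "bypass"
    return "bypass"


def is_symmetric(rules, a, b):
    """A flow only works over the tunnel when both directions get the same verdict."""
    return classify(rules, a, b) == classify(rules, b, a)


def reachable_vlans(rules, pool, vlans):
    """VLANs a VPN client can reach encrypted; spots a VLAN left out of the list by mistake."""
    client = next(pool.hosts())
    return sorted(vid for vid, net in vlans.items()
                  if classify(rules, client, next(net.hosts())) == "encrypt")


CRYPTO_ACL = build_crypto_acl(VPN_POOL, VLAN_SUBNETS, PROTECTED_VLANS)

if __name__ == "__main__":
    for flow in [("192.168.41.10", "192.168.10.5"),      # client -> DNS server on VLAN 10
                 ("192.168.80.20", "192.168.41.10"),     # VoIP handset -> client
                 ("192.168.41.10", "203.0.113.9")]:      # client -> internet: not selected
        print(flow, classify(CRYPTO_ACL, *flow))
    print("encrypted VLANs:", reachable_vlans(CRYPTO_ACL, VPN_POOL, VLAN_SUBNETS))
```

The point of `is_symmetric` and `reachable_vlans` is the check a practitioner runs before trusting the list: a permit that only covers one direction, or a VLAN missing from the list, shows up as a flow that is sent in clear text or dropped rather than as a negotiation error.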
IPSec VPN Settings:
IPSec configuration on the RF Switch determines which IPSec protocols clients can use, VPN client addressing, user authentication, session restrictions and which RF Switch virtual interface(s) tunnels can be terminated on. IPSec configuration requires the following configuration steps:
1)  Transform Sets [Section 3.3.1]:
2)  Network Addressing [Section 3.3.2]:
3)  Authentication [Section 3.3.3]:
4)  Crypto Maps [Section 3.3.4]:


Transform Sets:
A transform set represents a combination of security protocols and algorithms which peers agree to use during IKE negotiations to protect data flows. The transform set must be configured to match the capabilities of the peers connecting to the RF Switch or the security association will fail. The Microsoft L2TP/IPSec VPN client is limited in capability and supports the following encryption and authentication schemes:
  •  Triple Data Encryption Standard – Triple DES (3DES) provides confidentiality.
  •  Secure Hash Algorithm – Secure Hash Algorithm 1 (SHA1), used as an HMAC with a 160-bit digest, provides data integrity.
  •  Transport Mode – Specifies that only the payload of the message is encrypted; the original IP header is kept. This is what L2TP/IPSec uses, since the IPSec security association protects the L2TP packets themselves.
  •  Encapsulating Security Payload – Encapsulating Security Payload (ESP) provides confidentiality, authentication, integrity, and anti-replay for the data.
To support the Microsoft L2TP/IPSec VPN client a transform set will be created on the RF Switch using ESP, 3DES encryption, SHA-HMAC authentication and transport mode.

Web UI Configuration Example:
The following configuration example will demonstrate how to create a transform set using the Web UI:
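The sentence "the transform set must match the peer's capabilities or the security association will fail" is easier to reason about with the matching rule written out. The block below is an added example for this page, not WiNG code: the client's single proposal (ESP, 3DES, SHA-HMAC, transport) is what the guide states, while the switch-side transform set names, the idea that the responder walks its own list in configured order, and the `negotiate`/`explain_failure` helpers are assumptions made for illustration.

```python
"""Phase-2 proposal matching for the transform set described in this section.

Added example, not Motorola/WiNG code. The client's proposal (ESP, 3DES,
SHA-HMAC, transport) is taken from the page; the switch-side sets, their
names and the negotiation order are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TransformSet:
    name: str
    protocol: str    # "esp" or "ah"
    cipher: str      # "3des", "aes-128", "des", ...
    integrity: str   # "sha-hmac", "md5-hmac", ...
    mode: str        # "transport" or "tunnel"

    ATTRS = ("protocol", "cipher", "integrity", "mode")

    def matches(self, other):
        """Every attribute must agree; the mode is part of the proposal, not a separate knob."""
        return all(getattr(self, a) == getattr(other, a) for a in self.ATTRS)


# What the page says the Microsoft L2TP/IPSec client can do.
MS_CLIENT_PROPOSAL = TransformSet("ms-l2tp", "esp", "3des", "sha-hmac", "transport")

# Assumed switch-side configurations: one that matches, one that does not.
SWITCH_SETS_OK = [TransformSet("ms-vpn", "esp", "3des", "sha-hmac", "transport")]
SWITCH_SETS_MISMATCH = [TransformSet("site-to-site", "esp", "aes-128", "sha-hmac", "tunnel")]

WEAK = {"des", "null", "md5-hmac"}   # algorithms a reviewer should flag if they appear


def negotiate(switch_sets, client_proposals):
    """Return the first configured set that the client also proposes, or None (SA fails)."""
    for configured in switch_sets:            # responder prefers its own configured order
        for proposed in client_proposals:
            if configured.matches(proposed):
                return configured
    return None


def explain_failure(switch_sets, proposal):
    """For each configured set, list the attributes that stop it matching the proposal."""
    return {
        s.name: [a for a in TransformSet.ATTRS if getattr(s, a) != getattr(proposal, a)]
        for s in switch_sets
    }


def weak_algorithms(ts):
    """Cipher/integrity choices in a set that should not be deployed."""
    return sorted({ts.cipher, ts.integrity} & WEAK)


if __name__ == "__main__":
    print("match:", negotiate(SWITCH_SETS_OK, [MS_CLIENT_PROPOSAL]))
    print("no match:", negotiate(SWITCH_SETS_MISMATCH, [MS_CLIENT_PROPOSAL]))
    print("why:", explain_failure(SWITCH_SETS_MISMATCH, MS_CLIENT_PROPOSAL))
```

`explain_failure` is the useful part when a client cannot connect: a switch whose only transform set is AES in tunnel mode fails on two attributes at once, and the log line on either side rarely says which.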

Network Addressing:
When VPN clients establish a secure VPN connection to the RF Switch they are provided with an IP address so that they can communicate with hosts through the encrypted tunnel. The remote VPN host will have two IP addresses assigned:
1)  An IP address assigned to the physical wired, wireless or dial-up interface that provides communications to the local network and/or Internet.
2)  An IP address assigned to a virtual VPN adapter by the RF Switch that provides secure encrypted remote access into the site. IP addresses for remote VPN clients are assigned by the RF Switch from a virtual pool of addresses. The virtual pool is local to the RF Switch and is not associated with a VLAN or virtual IP interface on the RF Switch.
One or more virtual pool ranges can be defined on the RF Switch as required, based on the number of remote VPN clients connecting to the RF Switch. Additionally, pools may be defined as a single contiguous block of addresses or as multiple non-contiguous blocks of addresses as required.
In this example a single contiguous block of addresses, 192.168.41.1 – 192.168.41.254 (the 192.168.41.0/24 pool referenced in the firewall rules), will be defined on the RF Switch, providing support for up to 254 VPN clients. Additionally, a Windows Server 2003 using 192.168.10.5 will be designated as a DNS server, providing domain name services and seamless Active Directory integration for VPN clients.


Web UI Configuration Example:
The following configuration example will demonstrate how to define a DNS Server and create a virtual pool of addresses using the Web UI:
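The behaviour of the virtual pool described in this section (one or more ranges, leases handed to clients, a hard limit when the pool is exhausted, and no tie to any VLAN interface) can be modelled in a few lines. This is an added example for the page, not WiNG code: the range 192.168.41.1 – 192.168.41.254 and the DNS server 192.168.10.5 come from the guide; the VLAN subnets used for the overlap check, the client identifiers and the `VirtualPool` class itself are assumptions.

```python
"""Virtual address pool for VPN clients, as in the network-addressing section.

Added example, not Motorola/WiNG code. The pool range 192.168.41.1-192.168.41.254
and the DNS server 192.168.10.5 are from the page; the VLAN subnets for the
overlap check and the client identifiers are assumed.
"""
import ipaddress

# Assumed VLAN interface subnets (the page names only the VLAN IDs).
VLAN_SUBNETS = {10: "192.168.10.0/24", 40: "192.168.40.0/24", 80: "192.168.80.0/24"}
DNS_SERVER = "192.168.10.5"          # from the page
POOL_RANGE = ("192.168.41.1", "192.168.41.254")   # from the page


class VirtualPool:
    """Leases addresses from one or more ranges; the pool is not tied to any VLAN."""

    def __init__(self, ranges, dns):
        self.free = []
        for first, last in ranges:
            a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            if b < a:
                raise ValueError(f"range {first}-{last} is reversed")
            self.free.extend(ipaddress.IPv4Address(i) for i in range(int(a), int(b) + 1))
        self.free.sort()
        self.dns = ipaddress.IPv4Address(dns)
        self.leases = {}              # client id -> IPv4Address

    @property
    def capacity(self):
        return len(self.free) + len(self.leases)

    def assign(self, client_id):
        """Hand out the lowest free address; a reconnecting client keeps its lease."""
        if client_id in self.leases:
            return self.leases[client_id]
        if not self.free:
            return None               # pool exhausted: the client must be rejected
        addr = self.free.pop(0)
        self.leases[client_id] = addr
        return addr

    def release(self, client_id):
        """Return a client's address to the pool so another client can reuse it."""
        addr = self.leases.pop(client_id, None)
        if addr is not None:
            self.free.append(addr)
            self.free.sort()
        return addr

    def overlaps(self, subnets):
        """VLANs whose subnet contains any pool address; such overlap makes routing ambiguous."""
        nets = {vid: ipaddress.ip_network(s) for vid, s in subnets.items()}
        addrs = self.free + list(self.leases.values())
        return sorted(vid for vid, net in nets.items() if any(a in net for a in addrs))


if __name__ == "__main__":
    pool = VirtualPool([POOL_RANGE], DNS_SERVER)
    print("capacity:", pool.capacity, "dns:", pool.dns)
    print("first lease:", pool.assign("xp-01"))
    print("overlapping VLANs:", pool.overlaps(VLAN_SUBNETS))
```

The `overlaps` check is worth running whenever the pool is changed: the guide's point that the pool is not associated with a VLAN only holds if its addresses do not also fall inside one of the switch's VLAN subnets.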