WiNG How-To Guide Microsoft L2TP/IPSec VPN Client-Configuration
Pre-Requisites:
Requirements:
The following requirements must be met prior to
attempting this configuration:
- One (or more) RF Switches are installed and
operational on the network.
- One (or more) Access Ports configured and adopted by
the RF Switch.
- One (or more) WLAN profiles are configured and
assigned to adopted radios.
- A Windows XP workstation is available with Microsoft
Internet Explorer or Mozilla Firefox to perform Web UI configuration.
- One or more Windows XP workstations are available to
test and verify IPSec communications.
- The reader has read the Motorola RFS Series Wireless
LAN Switches - WiNG System Reference Guide.
Components Used:
The information in this document is based on the
following Motorola hardware and software versions:
1 x RFS6000 Version 3.3.
Configuration:
The following section outlines the configuration
steps required on an RF Switch to support Microsoft
L2TP/IPSec VPN clients:
1) Firewall Rules [Section 3.1]:
2) IKE Settings [Section 3.2]:
3) IPSec VPN Settings [Section 3.3]:
4) Microsoft VPN Client [Section 3.4]:
Firewall Rules:
When terminating L2TP/IPSec VPN tunnels on a
Motorola RF Switch, the RF Switch must be told which traffic flows to encrypt
by applying an ACL to each Crypto Map.
For this example an RF Switch has been deployed
providing data, voice, guest and internet services to users at the site. To
support these services the following IP Interfaces have been defined on the RF Switch:
VLAN 10 – Servers, Applications and Management.
VLAN 40 – Wireless and Wired Data Users.
VLAN 80 – VoIP Call Servers, Gateways and Handsets.
VLAN 4094 – Public Internet.
The remote VPN users will be permitted to access all
internal resources at the site. An extended IP access list will be created on the RF
Switch and applied to a Crypto Map; it tells the RF Switch to encrypt traffic
between the VPN virtual pool (192.168.41.0/24) and VLANs 10, 40 and 80. Traffic
between the pool and VLAN 4094 (public Internet) is not matched by the list and
is therefore not encrypted by the RF Switch.
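The selector logic described above, as an added example that is not part of the guide or of the WiNG software: it builds the bidirectional permit rules the Crypto Map ACL needs between the 192.168.41.0/24 pool and the internal VLANs, evaluates constructed sample flows against them, and checks that the pool does not overlap a VLAN subnet. The VLAN subnets (192.168.10.0/24, 192.168.40.0/24, 192.168.80.0/24) are assumptions; the guide only names the VLANs.

```python
# Added example (not from the WiNG guide): a model of the extended IP access
# list applied to the Crypto Map, i.e. the "interesting traffic" selector that
# decides which flows the RF Switch encrypts for L2TP/IPSec clients.
# The VLAN subnets below are ASSUMPTIONS; the guide names the VLANs and the
# VPN pool 192.168.41.0/24 but gives no VLAN subnets.
from ipaddress import ip_address, ip_network

VPN_POOL = "192.168.41.0/24"          # from the guide

# Assumed subnets for the IP interfaces named in the guide.
INTERNAL_VLANS = {
    10: "192.168.10.0/24",   # servers, applications and management
    40: "192.168.40.0/24",   # wireless and wired data users
    80: "192.168.80.0/24",   # VoIP call servers, gateways and handsets
}
# VLAN 4094 (public Internet) is deliberately absent: the guide only
# encrypts traffic between the pool and VLANs 10, 40 and 80.


def build_crypto_acl(pool, vlans):
    """One permit rule per internal subnet, in each direction, lowest
    precedence first. Rules are (action, source network, destination network)."""
    pool = ip_network(pool)
    rules = []
    for vid in sorted(vlans):
        subnet = ip_network(vlans[vid])
        rules.append(("permit", pool, subnet))   # VPN client -> site
        rules.append(("permit", subnet, pool))   # site -> VPN client
    return rules


def lookup(acl, src, dst):
    """First-match evaluation. A crypto ACL has an implicit deny at the end:
    flows that match nothing are simply not encrypted."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"


def must_encrypt(acl, src, dst):
    return lookup(acl, src, dst) == "permit"


def overlapping_vlans(pool, vlans):
    """The virtual pool must not overlap any VLAN subnet; if it did, the rules
    above would also match local traffic on that VLAN, and the RF Switch could
    not tell a VPN client apart from a local host."""
    pool = ip_network(pool)
    return [vid for vid, net in vlans.items() if ip_network(net).overlaps(pool)]


if __name__ == "__main__":
    acl = build_crypto_acl(VPN_POOL, INTERNAL_VLANS)
    for action, s, d in acl:
        print(f"{action:6} ip {s} -> {d}")

    # Constructed sample flows (not captured traffic).
    flows = [
        ("192.168.41.10", "192.168.10.5"),    # VPN client -> DNS server
        ("192.168.80.20", "192.168.41.10"),   # call server -> VPN client
        ("192.168.41.10", "203.0.113.9"),     # VPN client -> Internet host
        ("192.168.40.7", "192.168.10.5"),     # local data user -> server
    ]
    for s, d in flows:
        verdict = "encrypt" if must_encrypt(acl, s, d) else "clear"
        print(f"{s:>15} -> {d:<15} {verdict}")
    print("pool overlaps VLANs:", overlapping_vlans(VPN_POOL, INTERNAL_VLANS))
```

Both directions are listed because the same access list selects outbound traffic for encryption and is checked against decrypted inbound traffic; a rule in one direction only leaves half of each conversation unprotected. The overlap check is the one thing worth running before committing the pool address range.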
Web UI Configuration Example:
The following configuration example will demonstrate
how to create an extended IP list and rules on the RF Switch to determine which
traffic to inspect and encrypt using the Web UI:
IPSEC VPN Settings:
IPSec configuration on the RF Switch determines which IPSec
protocols clients can use, VPN client addressing, user
authentication, session restrictions and which RF Switch virtual interface(s)
tunnels can be terminated on. IPSec configuration requires the
following configuration steps:
1) Transform Sets [Section 3.3.1]:
2) Network Addressing [Section 3.3.2]:
3) Authentication [Section 3.3.3]:
4) Crypto Maps [Section 3.3.4]:
Transform Sets:
A transform set is a combination of security protocols and algorithms that the
peers agree to use, during the IKE negotiation, to protect the data flows. The
transform set must match the capabilities of the peers connecting to the RF
Switch or the security association will fail to establish.
The Microsoft L2TP/IPSec VPN client is limited in capability and supports the
following encryption and authentication schemes:
- Triple Data Encryption Standard – 3DES provides confidentiality.
- Secure Hash Algorithm – SHA1, used as an HMAC with a 160-bit digest, provides data integrity.
- Transport Mode – Specifies that only the payload of the packet (here the UDP/L2TP payload) is encrypted; the outer IP header is left in the clear.
- Encapsulating Security Payload – ESP provides confidentiality, authentication, integrity and anti-replay protection for the data.
To support the Microsoft L2TP/IPSec VPN client a transform set will be created on
the RF Switch that uses ESP-3DES encryption, SHA-HMAC authentication and transport mode.
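How the transform-set match decides whether a security association can be built, as an added example that is not part of the guide or of the WiNG software. It models responder-side proposal selection in Python: the client's proposals are walked in its preference order and the first one that agrees with a configured transform set on encryption, authentication and mode wins. The set names and the client's proposal list are assumptions used to illustrate the matching, not values taken from the product.

```python
# Added example (not from the WiNG guide): how IPsec transform-set matching
# decides whether a security association can be built with the Microsoft
# L2TP/IPSec client. Set names and the client's proposal list are ASSUMPTIONS
# used to illustrate the matching, not values taken from the product.
from dataclasses import dataclass


@dataclass(frozen=True)
class TransformSet:
    name: str
    encryption: str   # e.g. "esp-3des", "esp-des", "esp-aes-128"
    auth: str         # e.g. "esp-sha-hmac", "esp-md5-hmac"
    mode: str         # "transport" or "tunnel"


# Constructed approximation of what the client offers, in its preference
# order: 3DES before DES, SHA1 before MD5, always transport mode.
MS_CLIENT_PROPOSALS = [
    TransformSet("ms-1", "esp-3des", "esp-sha-hmac", "transport"),
    TransformSet("ms-2", "esp-3des", "esp-md5-hmac", "transport"),
    TransformSet("ms-3", "esp-des", "esp-sha-hmac", "transport"),
    TransformSet("ms-4", "esp-des", "esp-md5-hmac", "transport"),
]


def negotiate(peer_proposals, local_sets):
    """Responder-side selection: walk the peer's proposals in the order it sent
    them and return (proposal, local_set) for the first one that matches a
    configured transform set on all three attributes; None if no SA is possible."""
    for p in peer_proposals:
        for l in local_sets:
            if (p.encryption, p.auth, p.mode) == (l.encryption, l.auth, l.mode):
                return p, l
    return None


def explain_failure(peer_proposals, local_sets):
    """For troubleshooting: list configured sets that are one attribute away
    from a peer proposal, and which attribute is off."""
    reasons = set()
    for l in local_sets:
        for p in peer_proposals:
            diffs = [f for f in ("encryption", "auth", "mode")
                     if getattr(p, f) != getattr(l, f)]
            if len(diffs) == 1:
                f = diffs[0]
                reasons.add(f"{l.name}: {f} {getattr(l, f)} vs peer {getattr(p, f)}")
    return sorted(reasons)


if __name__ == "__main__":
    # The set the guide builds: ESP-3DES, SHA-HMAC, transport mode.
    good = [TransformSet("MS-L2TP", "esp-3des", "esp-sha-hmac", "transport")]
    print("good:", negotiate(MS_CLIENT_PROPOSALS, good))

    # Same algorithms but tunnel mode (a site-to-site style set): no SA.
    tunnel = [TransformSet("SITE-TO-SITE", "esp-3des", "esp-sha-hmac", "tunnel")]
    print("tunnel:", negotiate(MS_CLIENT_PROPOSALS, tunnel),
          explain_failure(MS_CLIENT_PROPOSALS, tunnel))

    # Only DES offered by the switch: the client accepts it, so the switch's
    # configuration sets the floor. Keep single DES out of the transform set.
    weak = [TransformSet("LEGACY", "esp-des", "esp-sha-hmac", "transport")]
    print("weak:", negotiate(MS_CLIENT_PROPOSALS, weak))
```

The tunnel-mode case is the failure a practitioner most often hits when an existing site-to-site transform set is reused for the L2TP client: the algorithms match, the mode does not, and phase 2 never completes. The DES case shows the opposite risk: because the client will accept a weaker proposal, what the RF Switch is configured with is the effective lower bound.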
Web UI Configuration Example:
The following configuration example will demonstrate how to create a transform set using the Web UI:
Network Addressing:
When VPN clients establish a secure VPN connection
to the RF Switch they are provided with an IP address so that they can
communicate with hosts through the encrypted tunnel. The remote VPN host will
therefore have two IP addresses assigned:
1) An IP address assigned to the physical wired, wireless or dial-up interface that
provides communications to the local network and/or the Internet.
2) An IP address assigned by the RF Switch to a virtual VPN adapter that provides
secure, encrypted remote access into the site. IP addresses for remote VPN
clients are assigned by the RF Switch from a virtual pool of addresses. The virtual
pool is local to the RF Switch and is not associated with any VLAN
or virtual IP interface on the RF Switch.
One or more virtual pool ranges can be defined on
the RF Switch as required, based on the number of remote VPN clients connecting to
it. A pool may be defined as a single contiguous block of addresses or as
multiple non-contiguous blocks of addresses.
In this example a single contiguous block of
addresses, 192.168.41.1 to 192.168.41.254 (the 192.168.41.0/24 pool referenced by
the Crypto Map access list), will be defined on the RF Switch, providing support
for up to 254 VPN clients. Additionally a Windows Server 2003 host at 192.168.10.5
will be designated as the DNS server, providing domain name services and seamless
Active Directory integration for VPN clients. The DNS server must sit within one
of the subnets matched by the Crypto Map access list (VLANs 10, 40 or 80);
otherwise the VPN clients' DNS queries will not traverse the tunnel.
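The virtual pool described above, as an added example that is not part of the guide or of the WiNG software: a Python model of a pool built from one or more inclusive ranges (contiguous or not), handing out the lowest free address, reusing released addresses, reporting capacity, and checking that the DNS server given to clients is a site host rather than a pool address. The client identifiers, the second (non-contiguous) pool and the VLAN subnets are assumptions.

```python
# Added example (not from the WiNG guide): a model of the RF Switch's virtual
# address pool for VPN clients, built from one or more inclusive ranges, with
# a capacity check and the DNS-server sanity checks a practitioner would run.
# Client identifiers, the non-contiguous pool and the VLAN subnets are ASSUMPTIONS.
import bisect
from ipaddress import ip_address, ip_network


class VirtualPool:
    """Pool of addresses handed to VPN clients, lowest free address first.
    Ranges are inclusive and may be contiguous or not; they must not overlap."""

    def __init__(self, ranges):
        seen = set()
        for first, last in ranges:
            a, b = int(ip_address(first)), int(ip_address(last))
            if b < a:
                raise ValueError(f"range {first}-{last} is reversed")
            block = set(range(a, b + 1))
            if seen & block:
                raise ValueError(f"range {first}-{last} overlaps another range")
            seen |= block
        self.free = sorted(ip_address(i) for i in seen)
        self.capacity = len(self.free)
        self.leases = {}          # client id -> IPv4Address

    def available(self):
        return len(self.free)

    def assign(self, client_id):
        """Return the client's existing lease or the lowest free address."""
        if client_id in self.leases:
            return self.leases[client_id]
        if not self.free:
            raise RuntimeError("virtual pool exhausted")
        addr = self.free.pop(0)
        self.leases[client_id] = addr
        return addr

    def release(self, client_id):
        addr = self.leases.pop(client_id)
        bisect.insort(self.free, addr)   # keep the free list ordered
        return addr

    def contains(self, address):
        address = ip_address(address)
        return address in self.leases.values() or address in self.free


def dns_server_ok(pool, dns_server, internal_subnets):
    """The DNS server handed to clients must be a site host, not a pool
    address, and must sit in a subnet the Crypto Map access list encrypts to."""
    dns = ip_address(dns_server)
    if pool.contains(dns):
        return False
    return any(dns in ip_network(n) for n in internal_subnets)


if __name__ == "__main__":
    # The guide's pool: one contiguous block of 254 addresses.
    pool = VirtualPool([("192.168.41.1", "192.168.41.254")])
    print("capacity", pool.capacity)
    for client in ("laptop-a", "laptop-b", "laptop-a"):
        print(client, pool.assign(client))
    pool.release("laptop-a")
    print("laptop-c", pool.assign("laptop-c"))       # reuses 192.168.41.1

    # Assumed non-contiguous pool, leaving .101-.200 out of the pool.
    split = VirtualPool([("192.168.41.1", "192.168.41.100"),
                         ("192.168.41.201", "192.168.41.254")])
    print("split capacity", split.capacity)

    # Assumed subnets for VLANs 10, 40 and 80 (the guide gives none).
    site = ["192.168.10.0/24", "192.168.40.0/24", "192.168.80.0/24"]
    print("dns ok", dns_server_ok(pool, "192.168.10.5", site))
    print("dns ok", dns_server_ok(pool, "192.168.41.5", site))   # inside the pool
```

The capacity number is what to compare against the expected number of concurrent VPN clients; the DNS check catches the two common mistakes of pointing clients at an address inside their own pool or at a server on a subnet the Crypto Map access list does not cover.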
Web UI Configuration Example:
The following configuration example will demonstrate
how to define a DNS Server and create a virtual pool of addresses using the Web
UI: