Configure the gateway at the branch office

Setting up the Internet connection

The Wizard can be used to set up the branch office gateway's Internet access.

  1. Go to Assistants -> Internet-> Internet Connections -> New.

  2. For Connection Type, select Internal ADSL Modem .

  3. Click on Next to configure a new Internet connection.

  4. Enter the required data for the connection.

Assistants -> Internet-> Internet Connections -> New -> Next

Proceed as follows to configure an Internet access:

  1. Under Description enter e. g. PPPoE1 .

  2. For Type, select User-defined via PPP over Ethernet (PPPoE) .

  3. For User Name, enter the name that your provider has given you, e. g. ADSL-Username .

  4. Enter the Password that your provider has given you, e. g. test12345 .

  5. Enable the Always active option.

  6. Press OK to confirm your entries.

Set up the VPN IPSec connections

The two IPSec peers at the branch office gateway need to be using different local IPSec IDs. Before configuring the actual IPSec peers, create the two phase 1 profiles.

  1. Go to VPN -> IPSec -> Phase 1 Profiles -> New

VPN -> IPSec -> Phase 1 Profiles -> New

Proceed as follows.

  1. For Description, give the phase 1 profile a unique name, e. g. Branch1_Peer1 .

  2. For Proposals, a combination of encryption and authentication algorithm is selected, e. g. AES / SHA1 . This setting must match that of the head office gateway.

  3. Select the DH Group, (Diffie-Hellmann group) which is to be used in key calculation for creating the IPSec phase 1. This setting must match that of the head office gateway, e. g. DH Group 2 (1024 Bit) .

  4. The Lifetime specifies the validity of the calculated key. The default value of 14400 seconds can be adopted here. This setting must match that of the head office gateway.

  5. In our example, the VPN IPSec tunnels are authenticated using the Preshared Keys Authentication Method. A shared password is issued for this purpose when the IPSec peer is being configured.

  6. Because, in this example, Internet accesses with dynamic addresses and preshared keys are used for the IPSec authentication, the Mode must be set to Aggressive . This setting must match that of the head office gateway.

  7. The Local ID Type specifies the type of the local ID value. In our example, a local ID of type E-mail address is used.

  8. The Local ID Value must be unique and match the peer ID option at the head office gateway. In this example, Branch1_Peer1@bintec-elmeg.com is used for the phase 1 profile of the first IPSec connection.

  9. Press OK to confirm your entries.

The second IPSec phase 1 profile can be created in the same way except for the description and the local ID value.

You configure the second IPsec Phase 1 Profile in the same way as you configured the first profile.

  1. Go to VPN -> IPSec -> Phase 1 Profiles -> New

VPN -> IPSec -> Phase 1 Profiles -> New

Proceed as follows.

  1. For Description, give the phase 1 profile a unique name, e. g. Branch1_Peer2 .

  2. For Proposals, a combination of encryption and authentication algorithm is selected, e. g. AES / SHA1 . This setting must match that of the head office gateway.

  3. Select the DH Group, (Diffie-Hellmann group) which is to be used in key calculation for creating the IPSec phase 1. This setting must match that of the head office gateway, e. g. DH Group 2 (1024 Bit) .

  4. The Lifetime specifies the validity of the calculated key. The default value of 14400 seconds can be adopted here. This setting must match that of the head office gateway.

  5. In our example, the VPN IPSec tunnels are authenticated using the Preshared Keys Authentication Method. A shared password is issued for this purpose when the IPSec peer is being configured.

  6. Because, in this example, Internet accesses with dynamic addresses and preshared keys are used for the IPSec authentication, the Mode must be set to Aggressive . This setting must match that of the head office gateway.

  7. The Local ID Type specifies the type of the local ID value. In our example, a local ID of type E-mail address is used.

  8. The Local ID Value must be unique and match the peer ID option at the head office gateway. In this example, Branch1_Peer2@bintec-elmeg.com is used for the phase 1 profile of the first IPSec connection.

  9. Press OK to confirm your entries.

Two entries for the IPSec connections that are to be configured then display in the overview of the IPSec phase 1 profile.

  1. Go to VPN -> IPSec -> Phase 1 Profiles.

VPN -> IPSec -> Phase-1 Profiles

Two IPSec connections are now added to connect the head office.

  1. Go to VPN -> IPSec -> IPSec Peers -> New.

VPN-> IPSec-> IPSec Peers-> New

To add a new connection, proceed as follows:

  1. Set the Administrative Status to Up . The peer is available for setting up a tunnel immediately after saving the configuration.

  2. For Description, enter a description of the peer which identifies it, e. g. Headoffice_Peer-1 .

  3. For Peer Address, enter the static IP address or the host name used to access the first Internet access of the head office gateway. In our example, this is the static IP address 62.146.53.200 .

  4. The Peer ID must match the local ID value of the head office gateway. In this example, the type E-mail address and the ID value central@bintec-elmeg.com are used.

  5. Select the version of the Internet Key Exchange protocol for IKE (Internet Key Exchange). In this scenario, IKEv1 must be used.

  6. For Preshared Key, enter the password for the encrypted connection (e. g. test12345 .

  7. For IPv4 Address Assignment, select the configuration mode Static .

  8. Select whether the route to this IPSec peer is to be defined as the default route. In this scenario, the Default route option is not set.

  9. The Local IP Address is the IP address that is linked to the tunnel interface, here e. g. 1.0.0.2 . An address from a previously unused network is used here. The VPN IPsec tunnel is monitored with this address.

  10. The IP address / netmask of the destination network is defined as the route entry. If additional destination networks are to be routed over the tunnel, these can be added with the Add button.

    Two routing entries are required in our example.

    Enter the IP address that is used as the local IP address of the tunnel interface at the head office gateway, e. g. 1.0.0.1 . A routing entry also needs to be created for the head office network, 192.168.0.0/24 in this example.

  11. As the Phase-1 Profile, you must select the IPSec phase 1 profile that was created previously for the first VPN IPSec tunnel, e. g. Branch1_Peer1 .

  12. As the Phase-2 Profile, the default phase 2 profile that was automatically generated, here the *Multi-Proposal , is used.

  13. The XAUTH profile is not used in this scenario.

  14. Number of Admitted Connections can be left at the default value One user .

  15. As the VPN IPSec connections are always created from the branch office gateway to the head office gateway, the Start Mode here must be set to Always up .

  16. Leave the remaining settings unchanged and confirm them with OK.

After configuring the first VPN IPSec connection to connect the head office, the second VPN IPSec tunnel can now be created.

  1. Go to VPN -> IPSec -> IPSec Peers -> New.

VPN-> IPSec-> IPSec Peers-> New

To add a new connection, proceed as follows:

  1. Set the Administrative Status to Up . The peer is available for setting up a tunnel immediately after saving the configuration.

  2. For Description, enter a description of the peer which identifies it, e. g. Headoffice_Peer-2 .

  3. For Peer Address, enter the static IP address or the host name used to access the first Internet access of the head office gateway. In our example, this is the static IP address 62.146.53.201 .

  4. The Peer ID must be unique and match the remote terminal's local ID value. In our example, the type E-mail address and the ID value central@bintec-elmeg.com are used.

  5. Select the version of the Internet Key Exchange protocol for IKE (Internet Key Exchange). In this scenario, IKEv1 must be used.

  6. For Preshared Key, enter the password for the encrypted connection (e. g. test12345 .

  7. For IPv4 Address Assignment, select the configuration mode Static .

  8. In this scenario, the Default route option is not set.

  9. The Local IP Address is the IP address that is linked to the tunnel interface, here e. g. 2.0.0.2 . An address from a previously unused network is used here. The VPN IPsec tunnel is monitored with this address.

  10. The target IP address / netmask of the destination network is defined as the route entry. If additional destination networks are to be routed over the tunnel, these can be added with the Add button.

    Two routing entries are required in our example.

    Enter the IP address that is used as the local IP address of the tunnel interface at the head office gateway, e. g. 2.0.0.1 . For the head office Network, in this example 192.168.1.0/24 , another routing entry is also required.

  11. As the Phase-1 Profile, you must select the IPSec phase 1 profile that was created previously for the first VPN IPSec tunnel, e. g. Branch1_Peer2 .

  12. As the Phase-2 Profile, the default phase 2 profile that was automatically generated, here the *Multi-Proposal , is used.

  13. The XAUTH profile is not used in this scenario.

  14. Number of Admitted Connections can be left at the default value One user .

  15. As the VPN IPSec connections are always created from the branch office gateway to the head office gateway, the Start Mode here must be set to Always up .

  16. Leave the remaining settings unchanged and confirm them with OK.

Results:

VPN->IPSec->IPSec Peers

Monitor the VPN IPSec connections

Ping requests are periodically sent to the head office gateway via both tunnels in order to monitor the VPN IPSec tunnel connections. If this ping request fails to be answered three times, the branch office gateway permits no new connections via the tunnel concerned. As soon as the head office gateway answers the ping request three times once more, new IP connections are permitted. While one VPN tunnel is down, all the data is routed via the remaining VPN tunnel.

When the IPSec peers were being created, unique IP addresses (1.0.0.1 and 2.0.0.1 in this example) were issued for the VPN IPSec tunnel's ping monitoring. These addresses are used to periodically check that the branch office gateway can be accessed.

In the Hosts menu, you can configure an automatic availability check for hosts or interfaces and automatic ping tests.

  1. Go to Local Services->Surveillance->Hosts->New.

Local Services->Surveillance->Hosts->New

Proceed as follows:

  1. The host surveillance can be linked to groups using the group ID. In this scenario, each instance of host surveillance must use a unique group ID.

  2. For Monitored IP Address, enter the IP address of the host that is to be monitored. For the monitoring of the first VPN IPSec tunnel, in our example the monitoring of the branch office gateway is done with the address 1.0.0.1 .

  3. By setting the Source IP Address for host surveillance, you ensure that the ping packet with the local IP address of the VPN tunnel interface has been sent so that the branch office gateway can, in turn, reply via this same route. Select Specific and enter the local IP address of the first VPN IPSec interface, e. g. 1.0.0.2 .

  4. For Interval, enter the time interval (in seconds) which is to be used for checking that the host is available, here e. g. 3 seconds.

  5. For Successful Trials, enter the number of pings that must remain unanswered for the host to be regarded as unavailable. Here, e. g., after 3 failed attempts.

  6. For Unsuccessful Trials, enter the number of pings that must be answered for the host to be regarded as available once more. In our example, a host is regarded as available again after 3 successful ping requests/replies. This function is aimed at preventing frequent jitters in the connections.

  7. Under Actions to be performed, select the Monitor option, because the status of interfaces is not to be changed.

  8. Confirm with OK.

To monitor the second VPN IPSec tunnel, after saving a second entry for host surveillance must be created. Create the second host surveillance entry in the same way as the first entry except for the IP addresses. In the second entry for host surveillance, the local IP addresses of the second VPN IPSec interface are used. In our example, the address 2.0.0.1 is used as the Monitored IP address, and 2.0.0.2 is used for the Source IP address.

When the configuration is complete, the list of monitored hosts shows two entries that monitor the availability of the branch office gateway's IP addresses.

Results:

Local Services -> Surveillance -> Hosts

Configure the IP load distribution for the VPN IPSec connections

A load balancing group is created to distribute the IP sessions to the two VPN IPSec connections.

  1. Go to Network -> Load Balancing -> Load Balancing Groups -> New.

Network ->Load Balancing->Load Balancing Groups->New

To create a load balancing group, proceed as follows:

  1. Under Group Description, enter a name for the load balancing group, e. g. IPSec_headoffice .

  2. For Distribution Policy, select the method that will be used to distribute the data, here Session-Round-Robin (for load distribution based on IP sessions).

The two ADSL Internet accesses can then be added to this load balancing group.

To do this, click Add.

Network ->Load Balancing->Load Balancing Groups->Add

Proceed as follows:

  1. For Interface, select the first VPN IPSec interface for connecting the head office, here IPSEC_HEADOFFICE_PEER-1 .

  2. Enter 50 % for Distribution Ratio. This option specifies the ratio in which new IP sessions are distributed to the interfaces in the IP load balancing group.

  3. In this example, the Route selector is left at None , since no interfaces have been assigned more than once in different load balancing groups.

  4. The Tracing IP Address option is used to select an IP address from the configured host monitoring, e. g. 1.0.0.1 . When the host surveillance detects that the connection has been broken, no more IP sessions are set up via this VPN IPSec tunnel.

  5. Click Apply.

  6. Add the second VPN IPSec interface with Add.

  7. For Interface, select IPSEC_HEADOFFICE_PEER-2 .

  8. Enter 50 % for Distribution Ratio.

  9. Select the Tracing IP Address, e. g. 2.0.0.1 .

  10. Click Apply.

Results:

Network -> Load Balancing -> Load Balancing Groups

Copyright© Version 08/2020 bintec elmeg GmbH