

How to config VPN


  • #1

    Hi Bro

    I have the following connection topology; how do I configure a VPN so that the other sites can connect back to this site?

    - 2 internet lines -- 2 ADSL modems --- load balancing --- firewall ---- LAN


    Hope you Bros can advise.


    Tks a lot

  • #2
    Hello!!!
    There are 3 things you need to do here:
    1) configure site-to-site VPN: VPN server -- VPN client, or server -- server
    2) you need to NAT inbound port 1701 or 1723 on the ADSL router and also on ISA

    How to configure it on ISA
    The figure below shows the typical remote access VPN scenario. A user is located at a hotel or home office and needs to create a secure L2TP/IPSec connection to the corporate network. This VPN user has two choices: PPTP or NAT-T L2TP/IPSec. While normal IPSec packets are stopped by NAT devices (such as NAT routers and "Internet gateways"), the NAT-T L2TP/IPSec packets are wrapped or "encapsulated" by UDP headers. These UDP headers protect the IPSec protected portion of the packet and allow the VPN connection to pass through the NAT device without harm. Note in the figure below that the UDP 1701 header is encapsulated in the UDP 4500 header. The NAT device only needs to be able to pass UDP 500 and UDP 4500.


    The advantage of using the Windows VPN client software to connect to the Windows Server 2003-based ISA Server firewall/VPN server is that both the client and server are RFC compliant. Unlike other major VPN server vendors that use non-RFC, proprietary and incompatible methods of NAT Traversal, the Microsoft NAT-T solution is compliant with IETF Internet draft standards.
    Packet Filters Required to Allow Inbound NAT-T VPN Calls

    You need to do the following on the ISA Server firewall/VPN server to support inbound VPN calls from NAT-T RFC compliant L2TP/IPSec clients that are situated behind a NAT device:
    Create a packet filter for inbound UDP 500 (receive/send)
    Create a packet filter for inbound UDP 4500 (receive/send)
    Create a packet filter for inbound UDP 1701 (receive/send)
    The UDP 500 receive/send packet filter allows for Internet Key Exchange Protocol (IKE) packets to be received by the ISA Server firewall/VPN server. This packet filter is required for both NAT-T VPN clients and non-NAT-T VPN clients.
    The UDP 4500 receive/send packet filter is specific for NAT-T VPN clients. The IPSec ESP header is encapsulated in the UDP port 4500 header. When the Windows Server 2003 ISA Server/VPN server receives the packet, it removes the UDP header and exposes the ESP header. This is how the server determines that the VPN client is a NAT-T client.
    The UDP 1701 receive/send packet filter allows the L2TP control channel to be established and maintained. There are a number of different control messages that are sent through the L2TP control channel. The purpose of the control messages is to establish the VPN tunnel, maintain the VPN tunnel, and tear down (close) the tunnel in an orderly fashion when the connection is no longer needed.
    The figure below shows the structure of an L2TP/IPSec packet. Notice that the IPSec ESP header is located in front of the L2TP UDP header. The IPSec ESP header does not require an open port. However, it does require that the firewall listen and accept incoming connections to IP Protocol 50. Only the tunnel IP header containing the tunnel endpoint information and the datalink layer header encapsulate the IPSec ESP header.

    Note:
    You do not need to create a packet filter to allow incoming IP Protocol 50. The reason for this is unknown.

    Create the three packet filters at the ISA Server firewall/VPN server accepting the L2TP/IPSec connections from L2TP/IPSec clients located behind a NAT device. If you do not want to support NAT-T L2TP/IPSec clients, then you can use the ISA Server VPN Wizard and all the required packet filters are created for you.
    Creating the Packet Filter for UDP Port 500

    Perform the following steps to create the packet filter for UDP Port 500:
    1. In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
    2. Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 500 (receive/send). Click Next.
    3. Select the Allow packet transmission option on the Filter Mode page. Click Next.
    4. Select the Custom option on the Filter Type page. Click Next.
    5. Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 500. Select the All ports option in the Remote port drop down list box. Click Next.
    6. Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
    7. Select the All remote computers option on the Remote Computers page. Click Next.
    8. Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.



    Creating the Packet Filter for UDP 4500

    Perform the following steps to create the packet filter for UDP 4500:
    1. In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
    2. Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 4500 (receive/send). Click Next.
    3. Select the Allow packet transmission option on the Filter Mode page. Click Next.
    4. Select Custom on the Filter Type page. Click Next.
    5. Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 4500. Select the All ports option in the Remote port drop down list box. Click Next.
    6. Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
    7. Select the All remote computers option on the Remote Computers page. Click Next.
    8. Review the settings on the Completing the New IP Packet Filter Wizard page, then click Finish.

    Neither the Windows 2000/Windows Server 2003 server, nor the ISA Server services, need to be restarted. The packet filters will start working automatically. If you have a very busy machine and you need the packet filters to start working immediately, you should restart the Firewall service.

    Note:
    You can restart the firewall service by navigating to the Servers and Arrays/Server Name/Monitoring/Services node in the ISA Management console. Then right click on the Firewall service entry in the right pane. Click the Stop command. After the service is stopped, right click the Firewall service entry again and click the Start command. You can also stop the Firewall service from the command prompt. Open a command prompt and type "net stop Microsoft firewall" (without the quotes). After the Firewall service stops, restart the Firewall service by typing "net start Microsoft firewall" (without the quotes).

    Creating the Packet Filter for UDP 1701

    Perform the following steps to create the packet filter for UDP 1701:
    1. In the ISA Management console, expand the Server and Arrays node, then expand your server name. Expand the Access Policy node. Right click the Packet Filters node, point to New and click Filter.
    2. Type a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. I recommend you name it UDP 1701 (receive/send). Click Next.
    3. Select the Allow packet transmission option on the Filter Mode page. Click Next.
    4. Select the Custom option on the Filter Type page. Click Next.
    5. Configure the details of the packet filter on the Filter Settings page. Select the UDP option from the IP protocol drop down list box. Select the Receive send option in the Direction drop down list box. Select the Fixed port option in the Local Port drop down list box. Set the local Port number to 1701. Select the All ports option in the Remote port drop down list box. Click Next.
    6. Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. The default IP address is the primary IP address bound to the interface. The primary address is the IP address at the top of the list in the Advanced TCP/IP Properties dialog box. Click Next.
    7. On the Remote Computers page, select the All remote computers option and click Next.
    8. Review the settings on the Completing the New IP Packet Filter Wizard page and click Finish.

    The L2TP/IPSec NAT-T VPN clients are able to connect after you create all three packet filters. Note that while the ISA Server VPN Wizard creates L2TP/IPSec packet filters, you should recreate the packet filters as noted in this article. These NAT-T L2TP/IPSec filters differ slightly from those created by the Wizard.


    Summary
    In this article we discussed the issue of passing IPSec based protocols through a NAT device. NAT-T (NAT Traversal) protocols allow VPN clients to pass IPSec protected packets through a NAT device. The Windows L2TP/IPSec NAT-T VPN client software works together with the Windows Server 2003-based ISA Server firewall/VPN server to allow VPN clients located behind a NAT device to pass IPSec protected packets through the NAT. We also went through the detailed step by step procedures required to create the packet filters on the ISA Server firewall/VPN server that allow it to accept inbound NAT-T L2TP/IPSec VPN calls.
    Have fun!!!
    Trần Mỹ Phúc
    tranmyphuc@hotmail.com
    Add my nick for the latest exam information: tranmyphuc (maximum support for self-study learners)

    Cisco Certs : CCNP (Passed TSHOOT 1000/1000)

    Juniper Certs :
    JNCIP-ENT & JNCIP-SEC
    INSTRUCTORS (No Fee) : CISCO (Professional) , JUNIPER (Professional) , Microsoft ...

    [version 4.0] CCNA review
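As an added illustration of what the UDP 500 and UDP 4500 filters above let through (example code written for this page; it is not part of the original post nor of the ISA Server article it quotes): a small Python model of how a NAT-T receiver tells IKE apart from UDP-encapsulated ESP on port 4500, following RFC 3948 (the four-byte "non-ESP marker", the one-byte keepalive) and RFC 3947. The ISAKMP header and ESP datagrams are constructed sample data, and the function names are this example's own; nothing here describes ISA Server's actual implementation.

```python
"""
What the VPN server sees on UDP 500 and UDP 4500 during a NAT-T L2TP/IPsec
connection, modelled after RFC 3948 (UDP encapsulation of ESP) and RFC 3947
(IKE on UDP 4500). Every datagram here is constructed for the example.
"""
import struct

ISAKMP_HEADER_LEN = 28                # initiator SPI 8 + responder SPI 8 + 12 fixed bytes
ESP_HEADER_LEN = 8                    # SPI 4 + sequence number 4
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: marks an IKE message on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte keepalive that holds the NAT mapping


def classify_udp_payload(dst_port, payload):
    """Return 'ike', 'esp', 'keepalive' or 'unknown' for one inbound datagram.

    On UDP 500 only IKE is expected. On UDP 4500 the receiver looks at the
    first four bytes: an ESP SPI is never zero on the wire, so four zero bytes
    mean an ISAKMP message follows; any other value is the SPI of
    UDP-encapsulated ESP. A single 0xFF byte is the NAT keepalive.
    """
    if dst_port == 500:
        return "ike" if len(payload) >= ISAKMP_HEADER_LEN else "unknown"
    if dst_port != 4500:
        return "unknown"
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike" if len(payload) >= 4 + ISAKMP_HEADER_LEN else "unknown"
    if len(payload) >= ESP_HEADER_LEN:
        return "esp"
    return "unknown"


def decapsulate_esp(payload):
    """Strip the UDP-encapsulation view and expose the ESP header fields.

    This is the step the text describes: the server removes the UDP 4500
    header, finds ESP underneath and so knows the peer is a NAT-T client.
    The L2TP (UDP 1701) header sits inside the encrypted part and only
    becomes visible after ESP decryption, which this model does not do.
    """
    if classify_udp_payload(4500, payload) != "esp":
        raise ValueError("not a UDP-encapsulated ESP datagram")
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return {"spi": spi, "seq": seq, "encrypted": payload[ESP_HEADER_LEN:]}


def build_ike_over_4500(isakmp_message):
    """Client side: prefix the non-ESP marker before sending IKE on port 4500."""
    return NON_ESP_MARKER + isakmp_message


def build_esp_over_4500(spi, seq, encrypted_body):
    """Client side: UDP-encapsulated ESP is the plain ESP packet as UDP payload."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved and would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + encrypted_body


def sample_isakmp_header():
    """Constructed ISAKMP header: cookies, next payload SA(1), version 1.0,
    exchange type Identity Protection(2), flags 0, message id 0, length 28."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                       1, 0x10, 2, 0, 0, ISAKMP_HEADER_LEN)


def sample_exchange():
    """One NAT-T client's traffic as the server classifies it, in order:
    IKE phase 1 on 500, IKE moved to 4500 after NAT detection, ESP data, keepalive."""
    datagrams = [
        (500, sample_isakmp_header()),
        (4500, build_ike_over_4500(sample_isakmp_header())),
        (4500, build_esp_over_4500(0x12345678, 1, b"\xaa" * 40)),  # constructed ciphertext
        (4500, NAT_KEEPALIVE),
    ]
    return [classify_udp_payload(port, data) for port, data in datagrams]


if __name__ == "__main__":
    print(sample_exchange())  # ['ike', 'ike', 'esp', 'keepalive']
```

The practical point for the filters above: everything after NAT detection, including the ESP that would otherwise need IP protocol 50, arrives as ordinary UDP 4500 datagrams, which is why a NAT device in the path only has to forward UDP 500 and UDP 4500.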




    • #3
      Hello!!
      Here is another complete document on configuring VPN (in English, detailed)
      Download the attached file

      Have fun!!!
      Trần Mỹ Phúc




      • #4
        Hi tranmyphuc1988

        I think the key issue mynhung wants to ask about in this question is the 2 ADSL internet lines??



        • #5
          Thanks Tranmyphuc1988

          Exactly, I want to ask about an IPsec site-to-site connection between 2 sites on a hardware firewall (Astaro 220) through a load balancing device.
          The 2 WAN interfaces of the modems are 2 IPs.
          Between the 2 modems and the load balancer there are 2 subnets.
          Between the load balancer and the FW there is yet another subnet.

          Which IP should I use as the Local Public IP?

          tks.



          • #6
            On your load balancing device, have you already configured a static NAT for the firewall's outside address? The local public address should be the address of the FW's outside port.
            Đặng Quang Minh, CCIEx2#11897 (Enterprise Infrastructure, Wireless), DEVNET, CCSI#31417

            Email : dangquangminh@vnpro.org
            https://www.facebook.com/groups/vietprofessional/



            • #7
              Originally posted by dangquangminh:
              On your load balancing device, have you already configured a static NAT for the firewall's outside address? The local public address should be the address of the FW's outside port.
              Hi Minh

              You mean I have to NAT twice:

              once on the load balancer
              once on one of the 2 modems

              Suppose I have the following diagram:


              http://dovangiang.t35.com/Sharefiles..._balancing.jpg

              I would have to NAT the firewall's address 192.168.2.2 to an IP address on the outside of the load balancer (say 192.168.4.3).
              Then I would have to NAT the address 192.168.4.3 to the address Y.Y.Y.Y? (If there is NAT there, it was already set up before: to let the whole 4.x subnet out to the internet.)

              Is my understanding correct?

              Hope you can advise.

              Thank you.
              Last edited by Guest; 24-06-2008, 09:16 PM.



              • #8
                Originally posted by mynhung:

                You mean I have to NAT twice:

                once on the load balancer
                once on one of the 2 modems
                That's right, but for the NAT on the modem, note that you do the NAT on whichever modem's IP you use for the VPN.


                CAMAPTRANG
                http://www.asterisk.vn
