HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 - Virtual Private Networking Concepts Guide
Hewlett-Packard Company Virtual Private Networking Concepts Guide
Hewlett-Packard Company
HP: 5971-3009
P/N: A55310-001
March 2001
This Hewlett-Packard Company Virtual Private Networking Concepts Guide, as well as the software described in it, is furnished under license and may only be used or copied in accordance with the terms of the license. The information in this manual ...
Contents
HP VPN Concepts Guide Overview
  HP VPN Concepts Guide Overview 1-1
  HP VPN Suite Overview 1-2
  Operational Overview 1-5
  TCP/IP Basics Overview 1-6
Cryptographic Systems and Encryption Terminology
  Cryptographic Systems and Encryption Terminology Overview 2-1
  Symmetric Cryptographic ...
Firewalls and Tunnels
  ... Outbound Proxy 5-26
  Inbound Proxy 5-28
  Tunnel Termination and Firewall Rules 5-31
Load Balancing and Redundancy
  Load Balancing 6-1
  Redundancy 6-2
HP VPN Concepts Guide Overview
  HP VPN Concepts Guide Overview 1-1
  HP VPN Suite Overview 1-2
  Operational Overview 1-5
  TCP/IP Basics Overview 1-6
... secure communications across any network. The term VPN device is used in this document to refer to the HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 devices. In addition, the Hewlett-Packard Company Virtual Private Networking Concepts Guide provides background information and theory on topics ...
HP VPN Suite Overview
The HP virtual private networking (VPN) suite consists of three modular components that work together to provide secure communications across any network:
• VPN device
• HP SA3000 Series VPN Manager
• HP SA3000 Series VPN Client
VPN Device
The VPN ...
... can dial in to any Internet service provider (ISP) and create a secure channel back to your network, which eliminates the need for expensive dial-in equipment and toll charges.
HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Product Suite
The VPN suite supports the use of secure tokens. These ...
Figure: (network diagram; only the labels survive in this extract) Branch or Supplier's Office, Office PCs, Servers (Mail, Web), VPN Manager, VPN Client, VPN Device, Router, Existing Firewall, Internet, VPN Client Laptop
... into and out of a protected LAN passes through the VPN device for processing. The VPN Client software package runs on PCs either directly connected to a LAN or through a Telnet session from a computer on the VPN's trusted network.
Related Information: HP VPN Concepts Guide Overview (page 1-1), TCP/IP Basics Overview (page 1-6)
TCP/IP Basics Overview
The VPN devices operate on Transmission Control Protocol/Internet Protocol (TCP/IP) networks. TCP/IP is the foundation of the Internet. To fully appreciate how the VPN ... For example, "Test Company's" Web server has the following IP address: 205. ...
Class C subnetting (table reconstructed from the extract; the mask column for the first five rows is cut off)
Subnet mask (last octet)   Number of Subnets   Number of Addresses in Each Subnet
(not in extract)           254                 1
(not in extract)           128                 0
(not in extract)           64                  2
(not in extract)           32                  6
(not in extract)           16                  14
224 (1110-0000)            8                   30
192 (1100-0000)            4                   62
128 (1000-0000)            2                   126
0 (0000-0000)              1                   254
Note: If you divide your class C into more ... and gateway being set to be able to communicate outside their local subnet. This ...
... for requests to come in. Note that a Web server can be configured to listen on another port, but most follow the standard. Packets whose source and destination application ports are both set to 2233 carry traffic encrypted by an HP VPN device.
Related Information: HP VPN Concepts Guide Overview (page 1-1), Operational Overview (page 1-5)
  ... Asymmetric Cryptographic Systems 2-9
  Symmetric Vs. Asymmetric Cryptography 2-10
  Diffie-Hellman Session Key Exchange 2-11
  Key Space and Brute Force Attacks 2-13
Cryptographic Systems and Encryption Terminology
... clear text. Decryption usually requires a key and can be expressed as the formula:
Clear Text = g(Cipher Text, Kd)
... represents a key.
Related Information: Symmetric Cryptographic Systems (page 2-3), Asymmetric Cryptographic Systems (page 2-9), Symmetric Vs. Asymmetric Cryptography (page 2-10)
... open the box and retrieve the object.
Related Information: Data Encryption Standard (DES) (page 2-4), Triple Pass DES (page 2-5), 3DES (page 2-7)
... advances in computing power.
Related Information: Triple Pass DES (page 2-5), 3DES (page 2-7), Outer Cipher Block Chaining (CBC) (page 2-8)
... DES technique and the 3DES technique are illustrated with the simple symmetric cryptographic system in the following table.
(Triple Pass DES table; only the last cells survive in this extract) ... K3 = 4: DW YR CV
Related Information: 3DES (page 2-7), Data Encryption Standard (DES) (page 2-4), Outer Cipher Block Chaining (CBC) (page 2-8)
(3DES table; only the last cells survive in this extract) K1 = 3, K2 = 5, K3 = 4: DW YR CV
Related Information: Data Encryption Standard (DES) (page 2-4), Outer Cipher Block Chaining (CBC) (page 2-8)
... protocols use identical header information.
Related Information: Data Encryption Standard (DES) (page 2-4), Triple Pass DES (page 2-5), 3DES (page 2-7)
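The chapter's symmetric-cipher notation (Cipher Text = f(Clear Text, Ke), Clear Text = g(Cipher Text, Kd)), the three-key constructions (Triple Pass DES and 3DES) and outer CBC chaining, carried through as a runnable Python example. This is an added example, not material from the guide: the guide's "simple symmetric cryptographic system" table is not recoverable from this extract, so a one-byte additive cipher (one block = one byte, encryption = add the key modulo 256) is assumed as the stand-in, and the key values 3, 5 and 4 are the ones the table residue shows. The brute-force routine at the end makes the chapter's key-space point concrete on a cipher with only 256 keys.

```python
"""Toy symmetric cipher illustrating DES, Triple Pass DES, 3DES and outer CBC.

Added example, not from the HP guide. The cipher is an ASSUMED stand-in:
each block is one byte and encryption is addition of the key modulo 256.
"""
from typing import List

MOD = 256  # one-byte blocks: a key space of only 256 keys (DES has 2**56)


def f(plain_block: int, ke: int) -> int:
    """Cipher Text = f(Clear Text, Ke): encrypt one block."""
    return (plain_block + ke) % MOD


def g(cipher_block: int, kd: int) -> int:
    """Clear Text = g(Cipher Text, Kd): decrypt one block (symmetric: Kd == Ke)."""
    return (cipher_block - kd) % MOD


def triple_pass(block: int, k1: int, k2: int, k3: int) -> int:
    """Triple Pass: encrypt three times, each pass with its own key (E-E-E)."""
    return f(f(f(block, k1), k2), k3)


def des3(block: int, k1: int, k2: int, k3: int) -> int:
    """3DES: encrypt with K1, decrypt with K2, encrypt with K3 (E-D-E).
    With K1 == K2 == K3 the middle step undoes the first, leaving a single
    encryption; that is how 3DES stays compatible with single DES."""
    return f(g(f(block, k1), k2), k3)


def des3_decrypt(block: int, k1: int, k2: int, k3: int) -> int:
    """Inverse of des3: decrypt with K3, encrypt with K2, decrypt with K1."""
    return g(f(g(block, k3), k2), k1)


def outer_cbc_encrypt(data: bytes, iv: int, k1: int, k2: int, k3: int) -> bytes:
    """Outer CBC: the chaining XOR wraps around the whole 3DES operation, so
    each plaintext block is XORed with the previous *final* ciphertext block."""
    out: List[int] = []
    prev = iv
    for p in data:
        c = des3(p ^ prev, k1, k2, k3)
        out.append(c)
        prev = c
    return bytes(out)


def outer_cbc_decrypt(data: bytes, iv: int, k1: int, k2: int, k3: int) -> bytes:
    out: List[int] = []
    prev = iv
    for c in data:
        out.append(des3_decrypt(c, k1, k2, k3) ^ prev)
        prev = c
    return bytes(out)


def brute_force_key(plain_block: int, cipher_block: int) -> int:
    """Key space demonstration: with 256 keys one known plaintext/ciphertext
    pair gives up the key at once. The same loop over 2**56 (DES) or 2**168
    (3DES with three independent keys) is what 'larger key space' buys."""
    for k in range(MOD):
        if f(plain_block, k) == cipher_block:
            return k
    raise ValueError("no key found")


if __name__ == "__main__":
    K1, K2, K3 = 3, 5, 4                  # key values shown in the guide's table
    msg = b"ATTACK AT DAWN"               # constructed sample input
    ct = outer_cbc_encrypt(msg, 0x5A, K1, K2, K3)
    assert outer_cbc_decrypt(ct, 0x5A, K1, K2, K3) == msg
    # Caveat: additive shifts compose into one shift, so for THIS toy cipher
    # three passes are no stronger than one. DES is not closed under
    # composition, which is exactly why 3DES adds strength over single DES.
    assert triple_pass(0x41, K1, K2, K3) == f(0x41, K1 + K2 + K3)
    print(ct.hex(), "recovered K1 =", brute_force_key(0x41, f(0x41, K1)))
```

The toy has a property DES lacks and the assertion in the main block makes it visible: its shifts compose into a single shift, so Triple Pass and 3DES with keys 3, 5, 4 are just single encryptions with keys 12 and 2. DES is not a group, which is why three DES passes with independent keys do enlarge the effective key space.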
Related Information: Symmetric Cryptographic Systems (page 2-3), Symmetric Vs. Asymmetric Cryptography (page 2-10), Key Space and Brute Force Attacks (page 2-13)
Related Information: Asymmetric Cryptographic Systems (page 2-9), Symmetric Cryptographic Systems (page 2-3), Key Space and Brute Force Attacks (page 2-13)
... public and private keys can be 512 bits, 1024 bits, or 2048 bits. The problem of key exchange between VPN devices is solved using a protocol known as the Diffie-Hellman key exchange protocol. This protocol ... public key exchange.
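The Diffie-Hellman exchange the text refers to, with both VPN devices' messages, as an added example (not HP's code). The group parameters p = 23 and g = 5 are assumed toy values chosen so the arithmetic is readable; a VPN device would use a group of at least the 1024-bit size the guide's key lengths imply. The last function shows why: with a 23-element key space an eavesdropper recovers a private exponent by exhaustive search.

```python
"""Diffie-Hellman session key agreement between two VPN devices.

Added example, not HP's implementation. P and G are ASSUMED toy values so
the numbers fit on a page; they are not secure.
"""
import hashlib
import secrets
from typing import Tuple

P = 23   # public prime modulus (toy size)
G = 5    # public generator


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Each side publishes g^x mod p; the exponent x never leaves the device."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int = P) -> int:
    """(g^y)^x mod p == (g^x)^y mod p: both sides land on the same value."""
    return pow(peer_public, private, p)


def session_key(shared: int, p: int = P) -> bytes:
    """Derive a fixed-length symmetric session key from the shared secret."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def exchange(private_a: int, private_b: int, p: int = P, g: int = G) -> Tuple[Tuple[int, int, int, int], bytes, bytes]:
    """Simulate VPN device A and VPN device B.
    Returns (what an observer sees on the wire, A's key, B's key)."""
    pub_a = dh_public(private_a, p, g)       # A -> B
    pub_b = dh_public(private_b, p, g)       # B -> A
    on_the_wire = (p, g, pub_a, pub_b)       # everything an eavesdropper gets
    key_a = session_key(dh_shared(pub_b, private_a, p), p)
    key_b = session_key(dh_shared(pub_a, private_b, p), p)
    return on_the_wire, key_a, key_b


def eavesdropper_brute_force(public: int, p: int = P, g: int = G) -> int:
    """Recover a private exponent from its public value by trying the whole
    key space. Trivial for p = 23; hopeless for the group sizes a real
    VPN device uses, which is the point of large key lengths."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    raise ValueError("exponent not found")


if __name__ == "__main__":
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    wire, ka, kb = exchange(a, b)
    assert ka == kb
    print("on the wire:", wire, "| keys match:", ka == kb)
    print("attacker recovers A's exponent:", eavesdropper_brute_force(wire[2]) == a)
```

Unauthenticated Diffie-Hellman agrees a key with whoever is on the other end, an attacker in the middle included; that is why the guide pairs key exchange with the methods of the Authentication Methods chapter rather than using it alone.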
... access to significantly more valuable data.
Related Information: Triple Pass DES (page 2-5), 3DES (page 2-7), Packet Keys (page 3-8)
... key space, the more difficult the encryption is to break.
Related Information: Symmetric Cryptographic Systems (page 2-3), Asymmetric Cryptographic Systems (page 2-9)
Related Information: Symmetric Vs. Asymmetric Cryptography (page 2-10)
Encapsulation and Packet Handling
  Encapsulation Overview 3-1
  Secure Profiles 3-2
  ESP Encapsulation 3-4
  SST Encapsulation 3-6
  Packet Handling 3-7
  Packet Keys 3-8
ESP (both 32- or 64-bit versions) should be used when you communicate with another non-HP VPN device (such as a firewall or router) that has implemented the ESP portion of the IPSec standard.
Related Information: ESP Encapsulation (page 3-4), SST Encapsulation (page 3-6)
... a packet from an opposing VPN device before declaring the session terminated and attempting to renegotiate the tunnel. If you specify a timeout on one end of a tunnel, you must specify a keepalive on the other end of the tunnel.
... ) that has implemented the ESP portion of the IPSec standard. The ESP implementation in all HP VPN devices is tunnel mode. However, you can use transport mode by selecting ESP (either version ...
Related Information: Encapsulation Overview (page 3-1)
... (the firewall or router) conforms to the IPSec standards to ensure its interoperability with a VPN device.
AH Key Length
If you select either keyed MD5 or keyed SHA1 for your authentication ... the more time-consuming to manually enter.
Related Information: SST Encapsulation (page 3-6), Packet Handling (page 3-7), Packet Keys (page 3-8)
... RADIUS. Challenge phrases are often referred to as authentication keys. Sometimes challenge phrases are called passwords, but this is not a good synonym.
Public Key Length
The public key length must be ...
Related Information: Packet Keys (page 3-8)
... packet (the IP address of the mail server)
• The application port on the destination computer (for example, port 25 indicates that an SMTP mail server should be the application listening at the ...
Related Information: Encapsulation Overview (page 3-1)
... IP addresses set to the WAN side IP addresses of the VPN devices at the gateways to these networks. The IP address of the Web server and the PC are hidden from anyone intercepting the packet and ... packet, has its protocol set to ...
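The packet handling described above, with the inner packet wrapped in ESP and the outer IP header carrying only the gateways' WAN addresses, as an added Python example (not HP's implementation). The gateway addresses 205.250.128.240 and 198.53.144.120 are the ones in the guide's tunnel figure; the PC and Web server addresses, the SPI and the session key are constructed. The cipher is an assumed keystream stand-in for the guide's DES/3DES and the optional ESP authentication data is omitted, so the header layout is what to study here, not the cryptography.

```python
"""ESP tunnel-mode encapsulation and what an interceptor on the black network sees.

Added example, not HP's implementation. IPv4 and ESP header layouts follow
RFC 791 and RFC 2406. The cipher is an ASSUMED keystream stand-in for
DES/3DES; the optional ESP authentication trailer is omitted.
"""
import hashlib
import struct
from typing import Any, Dict, Tuple

IPPROTO_TCP = 6
IPPROTO_ESP = 50
NEXT_HEADER_IPV4 = 4   # ESP "next header" for IP-in-IP, i.e. tunnel mode
SESSION_KEY = hashlib.sha256(b"constructed demo session key").digest()  # constructed


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte header; 0 when verifying a good header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                         64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def parse_ipv4(packet: bytes) -> Dict[str, Any]:
    v_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": _dotted(src), "dst": _dotted(dst), "proto": proto, "hlen": (v_ihl & 0x0F) * 4}


def tcp_syn_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP SYN header (checksum left zero for the demo)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def keystream(session_key: bytes, spi: int, seq: int, n: int) -> bytes:
    """ASSUMED stand-in cipher: SHA-256 counter keystream bound to the session
    key and the ESP (SPI, sequence) pair. Not a real IPsec transform."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(session_key + struct.pack("!IIQ", spi, seq, counter)).digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_encapsulate(inner: bytes, session_key: bytes, spi: int, seq: int,
                    gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet, headers included, becomes the ESP
    payload; the new outer header carries only the gateways' addresses."""
    pad_len = (-(len(inner) + 2)) % 4                       # align to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPV4])
    plaintext = inner + trailer
    esp = struct.pack("!II", spi, seq) + _xor(plaintext, keystream(session_key, spi, seq, len(plaintext)))
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def esp_decapsulate(packet: bytes, session_key: bytes) -> bytes:
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    hlen = outer["hlen"]
    spi, seq = struct.unpack("!II", packet[hlen:hlen + 8])
    ciphertext = packet[hlen + 8:]
    plaintext = _xor(ciphertext, keystream(session_key, spi, seq, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != NEXT_HEADER_IPV4:
        raise ValueError("unexpected next header")
    return plaintext[:len(plaintext) - pad_len - 2]


def observer_view(packet: bytes) -> Tuple[str, str, int, int, int]:
    """Everything a sniffer on the black network can read: gateway WAN
    addresses, protocol 50, SPI and sequence number. Inner hosts and ports are hidden."""
    outer = parse_ipv4(packet)
    hlen = outer["hlen"]
    spi, seq = struct.unpack("!II", packet[hlen:hlen + 8])
    return outer["src"], outer["dst"], outer["proto"], spi, seq


def build_example() -> Tuple[bytes, bytes]:
    """Constructed sample: PC 10.1.1.50 behind VPN device A opens HTTP to
    Web server 192.168.10.20 behind VPN device B."""
    inner = ipv4_header("10.1.1.50", "192.168.10.20", IPPROTO_TCP, 20) + tcp_syn_header(40000, 80)
    outer = esp_encapsulate(inner, SESSION_KEY, spi=0x1001, seq=1,
                            gw_src="205.250.128.240", gw_dst="198.53.144.120")
    return inner, outer


if __name__ == "__main__":
    inner_pkt, outer_pkt = build_example()
    print("observer sees:", observer_view(outer_pkt))
    print("inner packet after decapsulation:", parse_ipv4(esp_decapsulate(outer_pkt, SESSION_KEY)))
```

The outer header's protocol field is 50 (ESP), not 6 (TCP), and its addresses are the two gateways; the sequence number in the ESP header is what replay protection keys on, so it is visible by design even though everything after it is opaque.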
... frequency with which session keys are changed is called the crypto period.
Related Information: Packet Handling (page 3-7)
Authentication Methods
  Authentication Methods Overview 4-1
  Certificate Authentication 4-2
  Challenge Phrase Authentication 4-3
  SecurID Authentication 4-4
  RADIUS Authentication 4-5
  Entrust Authentication 4-6
Authentication Methods Overview
An authentication method defines how an HP VPN device validates the identity of another device. The identity of a device ...
Related Information: ... (page 4-4), Entrust Authentication (page 4-5)
Certificate Authentication
The first thing that two VPN devices do when they enter into a communication is to exchange their ...
Related Information: ... Authentication (page 4-3), Entrust Authentication (page 4-6)
... a certificate authority is not present to create and certify a certificate. Therefore, the VPN devices must create a certificate for themselves. This type of certificate is essentially the ...
Related Information: ... (page 4-5), Entrust Authentication (page 4-6)
... HP VPN Suite supports. SecurID is used only between a VPN Client and a VPN device. As with certificates, SecurID enlists a trusted third party to positively identify a device. Here, the third party is an ACE/Server. Unlike a certificate authority server, however, the ACE/Server ...
... its RADIUS user name and password. The VPN device then uses its own secret key to contact the RADIUS Authentication Server to verify the VPN Client's identity. There is a second type of RADIUS server supported by the HP VPN suite: a RADIUS Accounting Server. This server keeps track of those remote ...
... is an authentication method licensed from Entrust Technologies that the HP VPN suite supports. Entrust authentication is supported for tunnels made between two VPN devices (including IPSec tunnels) and between a VPN Client and a VPN device using the Shiva Smart Tunneling (SST) protocol. Entrust ...
Firewalls and Tunnels
  ... One-Way Out Firewall Rules 5-24
  Outbound Proxy 5-26
  Inbound Proxy 5-28
  Tunnel Termination and Firewall Rules 5-31
... and a black (untrusted) network. The black (untrusted) network is often the Internet. A VPN device can act like a firewall that can be configured to contain rules. Firewall rules determine ...
Related Information: ... Tunnel Termination and Firewall Rules (page 5-31)
... firewall to move to the other interface.
Figure: VPN Device as a Firewall (labels: Red Network (Private/Trusted), Red Interface, VPN Device, Firewall, Black Interface, Black Network (Public/Untrusted))
The VPN device is instructed to allow or disallow all packets traveling between the red (trusted) and ...
(firewall rule table; only the Comments column survives in this extract) ... 10.1.1.193 are allowed through the firewall. The application port used to make the HTTP (www) request is usually unknown. The Web Server's IP address. Access Web Server only. Web servers usually listen on this port. The group comes from the black (untrusted) and crosses to the red (trusted). HTTP is ...
... allowed back into the network. The VPN device is also configured to allow ... ) network. In this case, the VPN device stores the IP address of the ... and tries to reestablish, the VPN device remembers the IP address of ... IP address of the VPN device, not the real ... rules configured in the VPN device. Only if the ...
Related Information: One-Way Out Firewall Rules (page 5-24), One-Way In Firewall Rules (page 5-22), Tunnel Types (page 5-8)
... permit or deny) the flow of packets through the VPN device. The source device initiating the session can ...
Figure: (labels only survive) IP=198.53.144.1, Mail Server, Primary IP=205.250.128.240, Secondary IP=205.250. ...
... of a Filter
If you want a public domain name server (DNS) to execute on a machine on a red ...
... access.
Related Information: Firewall and Tunnels Overview (page 5-1), Tunnel Types (page 5-8), Tunnel Termination and Firewall Rules (page 5-31)
... encryption techniques. Since the traffic passing between two VPN devices is encrypted, it is as if the data is traveling in a tunnel.
Related Information: Site-to-Site Tunnels (page 5-9), Single-User Tunnels (page 5-12), Multiuser Tunnels (page 5-16)
... with fixed IP addresses. A fixed IP address implies that the device is always present and the VPN device on the other end of the tunnel can initiate communication with the fixed device. This behavior ... between two networks.
Figure: A Secure Tunnel (labels only survive: Red IP=10.1.1.1 (Server), Red IP=192.168.10.1 (Server), Black IP=205.250.128.240, Black IP=205.250.128.240, Internet)
Tunnel Definition Parameters (table residue): VPN Device A ... 255.255.255.0, 198.53.144.120; VPN Device B ... 205.250.128.240; Very ...
... mode, however, can be different on each VPN device. Finally, the route statements tell the VPN devices which packets should enter the tunnel.
Related Information: Single-User Tunnels (page 5-12), Multiuser Tunnels (page 5-16), Tunnel Types (page 5-8)
... on a VPN device when the other end of the tunnel is an HP VPN Client. You ...
• User name of the opposing HP VPN Client
• Secure profile to be ...
... NAT is being used ... Identify the opposing HP VPN device by a user name instead of ... VPN device A, while not allowing access to the network available through VPN ...
Tunnel Definition Parameters (table residue): IP route: Client IP; Red; Not required; 0.0.0.0 (not required); HP VPN Client (the VPN's name); Accept peer proposal or same parameters as dialup profile
... to allow a remote user (called leslie) access to the Web server available through VPN device A while not allowing access to the rest of that network ...
... is needed in order to identify the remote user in the firewall rule.
Tunnel Definition Parameters (table residue), VPN Device A: Remote user name leslie; Secure profile dialup (must be previously defined); Tunnel mode Black; ... usually unknown.
(single-user tunnel firewall rule table residue) Stateful Inbound NAT: No; Protocol: TCP. Comments: The Web Server's IP address. Access Web Server only. Web servers usually listen on this port. The group comes from the black ...
Related Information: Multiuser Tunnels (page 5-16), Tunnel Types (page 5-8)
• Secure profile to be applied to the communication
• Color (mode) of the tunnel
The group of opposing VPN devices is now identified by a group name. The secure profile defines how the establishment of the tunnel ... not recommended.
... VPN device A, while not allowing access to the network available through VPN ...
Tunnel Definition Parameters (table residue): VPN Device A: Group name Not required; VPN Device B: ...
... Web server available through VPN device A while not ... VPN device B, a tunnel is defined for the group to the black side of the VPN ...
(multiuser tunnel firewall rule table residue; Comments column) ... addresses starting from 10.1.1.193 are allowed through the firewall. The application port used to make the HTTP (www) request is usually unknown. The Web Server's IP address. Access Web Server only. ...
... NAT: No; Protocol: TCP. Comments: Web servers usually listen on this port. The group comes from the black (untrusted) network and crosses to the red (trusted) network. HTTP is ...
Related Information: Site-to-Site Tunnels (page 5-9), Single-User Tunnels (page 5-12), Tunnel Types (page 5-8)
Tunnel Modes
VPN tunnels are assigned a mode of either red or black. The color of the tunnel indicates whether the device on the ... this case, one network trusts the other while the trust is not reciprocated.
Figure: Firewalled LANs With Encrypted Tunnels (labels: Black-Red Tunnel, Red-Red Tunnel, Black-Black Tunnel)
Related Information: Tunnel Types (page 5-8), Tunnel Termination and Firewall Rules (page 5-31)
... rule. One-way in firewall rules can grant access to services executing on devices on a red (trusted) subnet having routed ... on the Internet to be sent into the mail server, define a one-way in rule as described in ... server listens on this port.
(one-way in rule table residue) Protocol: TCP. Comments: SMTP is transported by means of TCP, not UDP.
Related Information: Inbound Proxy (page 5-28), Outbound Proxy (page 5-26), One-Way Out Firewall Rules (page 5-24)
... network. One-way out firewall rules allow users on routed red (trusted) subnets to have access to services on a black (untrusted) subnet. No network address translation (NAT) is performed when a session is ... on the Internet.
One-Way Out Firewall Rules (example rule)
Parameter             Value     Comments
To subnet mask        0.0.0.0
To application port   80        Web servers usually listen on this port.
Protocol              TCP       HTTP is transported by means of TCP, not UDP.
Related Information: Inbound Proxy (page 5-28), Outbound Proxy (page 5-26)
... proxy. Outbound proxies are, therefore, often used to allow users on unrouted red subnets to have access to services on a black subnet. If you want to allow people on the red network to browse the World Wide ... on the Internet.
Outbound Proxy (example rule)
Parameter             Value     Comments
To subnet mask        0.0.0.0
To application port   80        Web servers usually listen on this port.
Protocol              TCP       HTTP is transported by means of TCP, not UDP.
Related Information: Inbound Proxy (page 5-28), One-Way Out Firewall Rules (page 5-24)
... to services executing ... VPN device. The VPN device then looks at where the packet originated, what the destination address is, what the destination port is, and decides to which address on the red (trusted) network to send the packet.
Figure: (labels only survive) Other Network Devices on 10.1.1.xxx, IP=10.1.1.2 Mail Server ...
(inbound proxy rule table residue; Comments column) ... the mail record associated with your domain name points to this address. The mail must arrive at this IP address only. The SMTP mail server listens on this port. SMTP is transported by means of TCP, not UDP.
Related Information: Outbound Proxy (page 5-26)
Related Information: One-Way Out Firewall Rules (page 5-24), One-Way In Firewall Rules (page 5-22)
Tunnel Termination and Firewall Rules
... can be used together to specify what traffic passes through the VPN device. Four basic permutations of tunnel termination and traffic destinations ... giving a remote device complete access to the trusted side of the VPN device. Because the tunnel bypasses the firewall, the destination addresses of ...
... untrusted) network but where the traffic is destined for the red (trusted) network gets the traffic to the VPN Gateway safely and then blocks it at the firewall. A firewall rule must be in place to allow ... (Untrusted) Network ...
... destined for the black (untrusted) network. In this case the packets do not need to cross the firewall.
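The permutations of tunnel termination and traffic destination described above, together with the one-way in, one-way out and stateful-reply behaviour from earlier in this chapter, as one runnable model. This is an added example, not HP's firewall code. Rule fields follow the guide's rule tables and the two rules are the guide's own examples (HTTP out to anywhere, SMTP in to the mail server at 10.1.1.2 only). Two behaviours are assumptions rather than statements from the guide: a "To subnet mask" of 0.0.0.0 is read as "any destination", and the stateful session table is keyed on the full 5-tuple. The red network 10.1.1.0/24 and the Internet hosts are constructed.

```python
"""One-way in / one-way out rules, stateful replies and tunnel colour on a
VPN device acting as a firewall.

Added example, not HP's code. ASSUMED: mask 0.0.0.0 means "any destination";
the session table is keyed on (src, sport, dst, dport, protocol).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set, Tuple

Verdict = Tuple[bool, str]
Session = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Rule:
    direction: str   # "in": black -> red, "out": red -> black
    to_ip: str       # "To IP address"
    to_mask: str     # "To subnet mask" (0.0.0.0 = any address, assumed)
    to_port: int     # "To application port"
    protocol: str    # "TCP" or "UDP"

    def matches(self, dst: str, dport: int, protocol: str) -> bool:
        mask = int(IPv4Address(self.to_mask))
        same_net = (int(IPv4Address(dst)) & mask) == (int(IPv4Address(self.to_ip)) & mask)
        return same_net and dport == self.to_port and protocol == self.protocol


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int
    dport: int
    arrived_on: str                    # "red", "black" or "tunnel"
    tunnel_mode: Optional[str] = None  # "red" or "black" when arrived_on == "tunnel"


class VpnFirewall:
    def __init__(self, red_net: str, rules: List[Rule]) -> None:
        self.red_net = IPv4Network(red_net)
        self.rules = rules
        self.sessions: Set[Session] = set()   # sessions opened from the red side

    def _in_red(self, ip: str) -> bool:
        return IPv4Address(ip) in self.red_net

    def _rule_allows(self, direction: str, pkt: Packet) -> bool:
        return any(r.direction == direction and r.matches(pkt.dst, pkt.dport, pkt.protocol)
                   for r in self.rules)

    def decide(self, pkt: Packet) -> Verdict:
        to_red = self._in_red(pkt.dst)

        if pkt.arrived_on == "tunnel":
            if not to_red:
                return True, "tunnel traffic bound for the black network never crosses the firewall"
            if pkt.tunnel_mode == "red":
                return True, "red tunnel terminates inside the trusted network: bypasses the firewall"
            if self._rule_allows("in", pkt):          # black tunnel: decrypted, then filtered
                return True, "black tunnel plus a matching one-way in rule"
            return False, "black tunnel: no one-way in rule for this destination/port"

        if pkt.arrived_on == "red" and not to_red:
            if self._rule_allows("out", pkt):
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.protocol))
                return True, "one-way out rule; session recorded so replies can come back"
            return False, "no one-way out rule"

        if pkt.arrived_on == "black" and to_red:
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.protocol) in self.sessions:
                return True, "reply to a session opened from the red side"
            if self._rule_allows("in", pkt):
                return True, "one-way in rule"
            return False, "unsolicited black -> red traffic with no one-way in rule"

        return False, "packet does not cross between the red and black interfaces"


def build_example_firewall() -> VpnFirewall:
    """The guide's two example rules; the red network 10.1.1.0/24 is assumed."""
    return VpnFirewall("10.1.1.0/24", [
        Rule("out", "0.0.0.0", "0.0.0.0", 80, "TCP"),            # browse the Web
        Rule("in", "10.1.1.2", "255.255.255.255", 25, "TCP"),   # SMTP to the mail server only
    ])


def run_scenarios() -> List[Tuple[str, bool]]:
    """Constructed sample packets; hosts outside the guide's figures are invented."""
    fw = build_example_firewall()
    scenarios = [
        ("smtp_in_to_mail_server",    Packet("198.51.100.7", "10.1.1.2", "TCP", 51000, 25, "black")),
        ("http_in_to_mail_server",    Packet("198.51.100.7", "10.1.1.2", "TCP", 51001, 80, "black")),
        ("http_out_from_pc",          Packet("10.1.1.50", "203.0.113.10", "TCP", 40000, 80, "red")),
        ("http_reply_to_pc",          Packet("203.0.113.10", "10.1.1.50", "TCP", 80, 40000, "black")),
        ("unsolicited_from_web",      Packet("203.0.113.10", "10.1.1.60", "TCP", 80, 40000, "black")),
        ("red_tunnel_to_fileshare",   Packet("192.168.10.5", "10.1.1.2", "TCP", 3000, 445, "tunnel", "red")),
        ("black_tunnel_to_fileshare", Packet("192.168.10.5", "10.1.1.2", "TCP", 3000, 445, "tunnel", "black")),
        ("black_tunnel_to_smtp",      Packet("192.168.10.5", "10.1.1.2", "TCP", 3001, 25, "tunnel", "black")),
        ("tunnel_bound_for_black",    Packet("192.168.10.5", "203.0.113.10", "TCP", 3002, 80, "tunnel", "black")),
    ]
    return [(name, fw.decide(pkt)[0]) for name, pkt in scenarios]


if __name__ == "__main__":
    for name, allowed in run_scenarios():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

The two tunnel scenarios against port 445 show the practical difference between the modes: a red-mode tunnel hands the remote site the whole trusted network, while a black-mode tunnel only protects the traffic in transit and still requires a one-way in rule per service, which is the safer default for a partner or supplier site whose trust is not reciprocated.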
Related Information: ... One-Way Out Firewall Rules (page 5-24), One-Way In Firewall Rules (page 5-22)
Load Balancing and Redundancy
  Load Balancing 6-1
  Redundancy 6-2
... VPN device in parallel, it makes sense that each VPN device ... with the VPN device that answers first and that the VPN device ... devices. As shown in the ... with each VPN device.
Tunnel Definition Parameters (table residue): VPN Device A: Group ...; IP route Not required; VPN Device B: sales, 10.1.1.225 ...
... VPN), you should have more than one VPN device supporting the network. By placing more than one VPN device in parallel, the network can continue functioning even if one of the VPN ... VPN device in parallel is to handle more than 1024 active sessions, which is the maximum for a single VPN ... which VPN device ...
... VPN device, when the mail server uses the Client IP as the destination address on its replies, only the VPN ... VPN devices appear as shown in the following table.
Tunnel Definition Parameters (table residue): ... defined); Tunnel mode Red; IP route Not required; VPN Device B: sales, 10.1.1.225, 30, dialup, Red, Not ...
Index (extract)
... 5-4; stateless 5-2; firewalls 5-1; full access: multiuser tunnels 5-17, single-user tunnels 5-12; functions of: HP SA3000 Series VPN Client 1-3, HP SA3000 Series VPN Manager 1-2, VPN device 1-2
I: inbound proxies 5-28; IP addresses 1-6; network address translation (NAT) 5-12
... 5-18; full access 5-17; limited access 5-17
N: names 3-2 (see also secure profiles); network address translation (NAT) 5-12; network configurations of VPN components 1-5; networks 5-20
O: one-way in firewall rules 5-22; one-way out firewall rules 5-24; outbound proxies 5-26; outer cipher block ...
... 5-20; multiuser 5-16 to 5-19; single-user 5-12 to 5-15; site-to-site 5-9; trusted 5-20; untrusted 5-20
U: untrusted networks 5-20; untrusted tunnels 5-20
V: virtual private networking suite 1-1; VPN Client, functions of 1-3; VPN device, firewall functions 5-2; VPN Manager, functions of 1-2