VPN configuration for locally managed 1400 appliance with LTE USB modem
Hi everyone,
I'm in the middle of a test and my final objective is creating a VPN connection between my Central office and a branch office that has a 1400 series appliance that's using a USB LTE modem.
Currently I'm using a Huawei E3372 LTE USB stick modem.
According to sk92809, I've upgraded my appliance to R77.20.80 version.
I'm able to have internet connection, but have no idea how to configure a VPN via DAIP.
Is there anything I should change from the modem (NAT, ports) ?
Is there documentation?
Has anyone experience in this kind of setup?
Thanks in advance for your help
You will need to use a certificate, since it is a DAIP device...
The certificate needs to be generated by the CP Management server in your Central office... or by a 3rd party CA.
This is a good starting point...
Dear Sal,
Thank you for the hint.
It's clear that I have to use certificates because of the DAIP in order to set up a VPN.
What if I would like to manage this appliance with my Central office MGMT? Is there any way I can manage this DAIP device?
Should I first setup a VPN connection and then SIC connection?
If this doesn't work, should I make public the MGMT ports (via NAT rules) that manage SIC connections?
Thanks in advance for your reply.
Davide,
Managing via SMS is the best and simple. Create your gateway as DAIP gateway in your SMS, create your rules and VPN rules as with normal gateways and add your DAIP gateway to the relevant VPN community.
Your SMS should be accessible directly from the internet or via NAT. The control connections are excluded from VPN by default. So you can establish SIC and install policy without having VPN running.
On your 14xx appliance you must configure the appliance as centrally managed and connect to the external IP of your SMS.
Wolfgang
In addition to the tips provided, e.g.:
If the gateway is not managed by the same SMS as your 1400 (e.g. if the 1400 is locally managed):
a) You will need to create a CSR on the 1400 and sign it from the ICA of the SMS. You will also need a static NAT on the SMS so that the 1400 can fetch the certificate revocation list from the SMS ICA, or disable CRL retrieval on the 1400.
b) In SmartConsole define certificate matching criteria on the object representing the 1400 series gateway, so that the 1400 can be identified by its certificate.
c) On the 1400 series gateway you must define the tunnel as a permanent tunnel so that it will always initiate the tunnel. Otherwise you sometimes will be unable to bring up the tunnel from the central gateway (gateway will not know which IP to connect to).
If the 1400 series gateway is centrally managed, the certificate will be used automatically, and you just need to define the VPN community for permanent tunnels; otherwise you sometimes will be unable to bring up the tunnel from the central gateway side (gateway will not know which IP to connect to).
And of course, VPN encryption domains need to be created for local/remote. The VPN encryption domain should be what networks exist behind the local gateway in question, which should be allowed to talk to the subnets configured on the remote side. You can easily base it on network topology if both peers are centrally managed and network topology is defined; otherwise you can use a network object or create a group of networks.
Standard firewall rules to allow connections over the tunnel, on central side populating VPN community column of the rulebase is not necessary unless using traditional mode VPN (most likely you are not).
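The certificate steps in a) and b) above, walked through with openssl as an added example. This is not from the thread and not Check Point's own tooling: a self-signed CA stands in for the SMS Internal CA (ICA), the branch gateway key/CSR and all names (`branch-1400`, `hypothetical-ica`, the `.example.invalid` SAN) are constructed for the demo. It shows the branch side creating the CSR so the private key never leaves the gateway, the ICA signing it, the subject CN the central side can use as matching criteria, and the reason the CRL must be fetchable: the same chain check that passes with the CRL present fails when the CRL cannot be obtained, and fails again once the certificate is revoked.

```shell
# Added example (not from the thread, not Check Point code): a throw-away PKI
# that mirrors step a) of a locally managed DAIP peer. "ICA" below is a
# self-signed CA standing in for the SMS Internal CA; every name and path is
# constructed for the demo.

WORK=""

setup_pki() {
  WORK=$(mktemp -d)
  (
    set -e
    cd "$WORK"
    touch index.txt
    echo 01 > serial
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_gw ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
# hypothetical identity the central gateway's matching criteria could key on
subjectAltName = DNS:branch-1400.example.invalid
[ ca ]
default_ca = ica
[ ica ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ica.crt
private_key = ica.key
default_md = sha256
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
organizationName = optional
EOF
    # 1. self-signed "ICA" (stand-in for the SMS Internal CA)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
      -extensions v3_ca -subj "/O=central-office/CN=hypothetical-ica" \
      -keyout ica.key -out ica.crt 2>/dev/null
    # 2. branch gateway generates its own key and CSR; only gw.csr goes to the ICA
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/O=branch-office/CN=branch-1400" \
      -keyout gw.key -out gw.csr 2>/dev/null
    # 3. ICA signs the CSR and publishes its (still empty) CRL
    openssl ca -batch -config ca.cnf -extensions v3_gw -days 30 \
      -in gw.csr -out gw.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ica.crl 2>/dev/null
  )
}

# Chain + revocation check as a peer that CAN reach the ICA's CRL performs it.
verify_peer() {
  (cd "$WORK" && openssl verify -crl_check -CAfile ica.crt -CRLfile ica.crl \
     gw.crt >/dev/null 2>&1)
}

# Same policy, but no CRL available (the "no NAT to the SMS" case): must fail.
verify_peer_without_crl() {
  (cd "$WORK" && openssl verify -crl_check -CAfile ica.crt gw.crt >/dev/null 2>&1)
}

# What the central side can match on: the subject CN of the signed certificate.
peer_identity() {
  (cd "$WORK" && openssl x509 -noout -subject -nameopt RFC2253 -in gw.crt \
     | sed -n 's/.*CN=\([^,]*\).*/\1/p')
}

# ICA revokes the branch certificate and reissues the CRL.
revoke_peer() {
  (cd "$WORK" && openssl ca -config ca.cnf -revoke gw.crt >/dev/null 2>&1 \
     && openssl ca -config ca.cnf -gencrl -out ica.crl >/dev/null 2>&1)
}

cleanup_pki() {
  if [ -n "$WORK" ]; then rm -rf "$WORK"; fi
}

demo() {
  setup_pki
  printf 'peer identity (matching criteria): CN=%s\n' "$(peer_identity)"
  verify_peer && echo "with CRL reachable:   chain OK"
  verify_peer_without_crl || echo "with CRL unreachable: REJECTED (unable to get certificate CRL)"
  revoke_peer
  verify_peer || echo "after revocation:     REJECTED"
  cleanup_pki
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it with `sh demo.sh run`. The middle line of the output is the one that matters for a DAIP branch: with `-crl_check` in force and no way to fetch the CRL, the chain is rejected even though the certificate is perfectly valid, which is why the reply above asks for either a static NAT that exposes the SMS ICA to the branch or CRL retrieval disabled on the 1400.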
According to sk105380, in centrally managed Small Office Appliances, VPN Traditional Mode is not supported.