AF5000 Series VPNA Handbook
About This Handbook
Notices
Tachyon, Inc. and the Tachyon logo are trademarks of Tachyon, Inc. All other
trademarks are properties of their respective owners.
PREFACE 5
SAFETY 8
VPNA PRIMER 18
QUICK START 24
CONNECT THE TACHYON VPNA 25
GETTING ACCESS TO THE VPNA CONFIGURATION MENUS 25
  Initial access via an Ethernet Port 26
  Initial access via the Serial Port 26
SHUTDOWN 45
TROUBLESHOOTING 55
TECHNICAL SPECIFICATIONS 60
1 PREFACE
Warranty
The Tachyon VPNA equipment is warranted to be free from defects in material
and workmanship for a period of one (1) year for parts and ninety (90) days
for labor from the date of installation. If a product proves defective during
this warranty period, Tachyon will repair the defective product without charge
for parts or labor, or will provide a replacement for the defective product.
In order to obtain service under this warranty, the subscriber must notify
Tachyon of the defect before the expiration of the warranty period and make
suitable arrangement for the performance of service.
This warranty does not apply to any defect, failure or damage caused by
improper use or inadequate or improper maintenance and care.
Do not attempt to service the VPNA equipment yourself, as there are no user-
serviceable parts.
Safety Tip: Opening or removing the cover on the Tachyon VPNA may
expose you to dangerous voltages or other hazards as well as void your
warranty.
TACHYON VPNA HANDBOOK
Notice
For the proper operation of this equipment and/or all parts thereof, the
instructions in this guide must be strictly and explicitly followed. All of the
contents of this guide must be fully read and understood prior to operating
any of the equipment or parts thereof.
Failure to completely read and fully understand and follow all of the contents
of this guide prior to operating this equipment, or parts thereof, may result in
damage to the equipment or parts, and to any persons operating the same.
Tachyon does not assume any liability arising out of the application or use of
any products, component parts, circuits, software, or firmware described
herein. Tachyon further does not convey any license under its patent,
trademark, copyright, or common-law rights nor the similar rights of others.
Tachyon further reserves the right to make any changes in any products, or
parts thereof, described herein without notice.
This equipment has been tested and found to comply with the limits for a
Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are
designed to provide reasonable protection against harmful interference when
the equipment is operated in a commercial environment.
2 SAFETY
Safety Precautions
Use safety precautions when working at or near the Tachyon VPNA as described in
these sections.
Use the Correct Power Source: The Tachyon VPNA input AC line voltage is
switch-selectable to operate at either 115 VAC (90 to 130 VAC range) or
230 VAC (180 to 265 VAC range) from a grounded power system with line
frequencies from 47 to 63 Hz. The Tachyon VPNA must be connected to an
earthed mains socket outlet.
Route Power Cords Safely: Route power cords so that they are not walked on
or pinched. Pay particular attention to cords and connections at the plugs,
receptacles (such as power strips), and the point where they exit from the
Tachyon VPNA and attach to other equipment. Do not place any items on or
against power cords.
3 THEORY OF OPERATION
A direct and dedicated digital link between each subscriber network and the Internet
backbone network is made possible using standard IP interfaces and protocols,
ensuring end-to-end transparency and compatibility.
Figure 3-1 shows an overview of the Tachyon network components. Each regional
satellite network includes a hub site called the Tachyon Satellite Gateway and many
subscriber sites using Tachyon Customer Premise Equipment (CPE).
[Figure 3-1: overview diagram of the Tachyon network components; recovered label: SATELLITES]
The CPE is the terminal that connects to a subscriber network and routes IP
traffic via the satellite link to the Gateway and the terrestrial network. The
CPE consists of a Tachyon Network Server, an Outdoor Unit (ODU) including a
small satellite antenna with a radio, and a coaxial cable assembly that
connects the Tachyon Network Server with the ODU.
Data traverses the high-speed satellite link in both directions, providing two-
way high-performance communications for each user on each subscriber LAN.
IPSEC PRIMER
For many years encryption technologies have been evolving. Until recently,
encryption was supported for private networks using proprietary algorithms and
single-vendor solutions. With the rapid growth of the Internet it became
imperative for the security industry to develop a standard for encrypting
packets for transfer over the public network, providing general
interoperability. IPSec has become the de facto standard for encrypting traffic
on the Internet and has also become the standard for encryption in private
networks, including most federal and many military networks.
IPSec has two basic modes: transport and tunnel. In tunnel mode the whole
original IP packet, header included, is encapsulated inside a new IP packet; in
transport mode the original IP header is kept and only the payload that follows
it is protected. For the purposes of this primer the distinction is not
important. The important point is that in either mode, once ESP encryption is
applied, the TCP header and everything after it are encrypted and no longer
visible to devices along the path until the packet passes the decryption
process at the destination.
The Tachyon Gateway and Tachyon Customer Premise Equipment therefore cannot
accelerate TCP/IP traffic after it has been encrypted with IPSec, because the
TCP header that the acceleration must read and modify is inside the encrypted
payload. Encrypted packets are still forwarded as ordinary IP packets, but the
TCP acceleration is not applied and performance is reduced accordingly.
By placing VPN Accelerators into the network just before the IPSec encryption
devices, TCP/IP traffic reaches the VPNA in the clear and is accelerated; restoring
TCP/IP performance.
SSL
A quick word about SSL. SSL, or Secure Sockets Layer (today TLS), is a very
popular encryption method used with IP applications. Because SSL encrypts the
application data before handing it to the transport layer (TCP), the TCP header
stays in the clear and SSL does not interfere with Tachyon's TCP/IP
acceleration. However, when using HTTPS all HTML data is encrypted before the
HTTP proxy can perform pre-fetch, so web sites using HTTPS (thus SSL) do load
slower than regular HTTP sites. The VPNA cannot mitigate this slowdown.
VPNA PRIMER
In order to allow customers to use IPSec and still retain the benefits of Tachyon's
technology we developed the VPNA (short for VPN Accelerator). The VPNA performs
Tachyon's TCP acceleration prior to the IPSec encryption/encapsulation process.
High performance is maintained and user data is fully secured via IPSec encryption.
The VPNA is a simple appliance to connect to your network. You simply insert the
VPNA between your LAN and your IPSec device. The following diagrams depict a
network before and after installation of a VPNA.
[Diagrams: network before and after installation of a VPNA; recovered labels: WAN, LAN]
The VPNA comes with two 10/100 BaseTX Ethernet interfaces providing quick
compatibility with most networks.
The VPNA has two basic modes of operation to support most LAN configurations:
Bridge Mode and Routed Mode. In Bridge Mode the VPNA gets a single IP address on
the sub-network and bridges traffic between its two interfaces both on the same
sub-network. In Routed Mode, the WAN and LAN sides of the VPNA get different IP
addresses corresponding to two separate sub-networks and the VPNA routes
packets between the two networks.
Bridge and Route modes are described in further detail in the Configuration Section.
VPNA TOPOLOGIES
For networks using IPSec, a VPNA is required at each site where there is an IPSec
device. In general the routing aspects of the VPNA are similar to those of the IPSec
devices.
The VPNA-100 is designed for placement at remote sites with a CPE and the AF5000
Series VPNA is designed for the Headquarter sites. This document applies only to
the AF5000 Series VPNA.
In this section we present the concepts associated with the basic topologies. In the
next section we walk through example networks and provide worksheets for each of
the different topologies to simplify organizing IP addresses and routes.
Most networks involve more than one site so this topology is primarily provided to
introduce the basic principles; although all networks must have their first site to
come online.
The following diagram identifies the key network components and how they are
interconnected:
[Diagram: single Remote Site and Headquarters. Recovered labels: Remote Site (Clients, LAN, Tachyon VPNA 100, IPSec, Router, CPE), Satellite (WAN), Tachyon Gateway, Internet, Headquarters (IPSec, Tachyon VPNA 5000, LAN, Server, Clients)]
The CPE-side VPNA can be configured in Bridge Mode or Routed Mode depending
upon the desired LAN topology. As mentioned earlier one advantage of Bridge mode
is ease of configuration.
NOTE: If Routed Mode is implemented on the CPE-side VPNA and Network Address
Translation (NAT) is not being used, then the Tachyon Network Operations Center
(NOC) must be notified of the additional sub-network so they can make the
appropriate entries to allow the CPE to route to the sub-network behind the VPNA.
You will need to provide the NOC with the IP address of the VPNA as it is the default
gateway to reach the internal sub-network.
At the Headquarters side the VPNA can also be configured in Bridge or Routed Mode.
Again, the selection of Bridge Mode in this case is preferred to simplify network
reconfiguration.
In this scenario all traffic from the remote site is destined for Headquarters. The
CPE-side VPNA is configured with a route to the VPNA at headquarters and similarly
the VPNA at Headquarters is configured with a route to the VPNA at the remote site.
This topology is just an extension of the Single Site case. Each remote site VPNA
has a route to the Headquarters VPNA and the Headquarters VPNA has a route entry
for each of the VPNAs at the remote sites. Communication between remote sites
requires packets to go through Headquarters.
[Diagram: Remote Site 1, Remote Site 2 ... Remote Site N, each with Clients, LAN, CPE, Tachyon VPNA 100 and IPSec, connected over the Satellite (WAN) to the Tachyon Gateway, the Internet, and Headquarters (IPSec, Router, Tachyon VPNA 5000, LAN, Server, Clients)]
Multiple Remote Sites with a Single Headquarters
Each CPE-side VPNA gets a route for each of the Headquarters sites. Similarly, each
Headquarters VPNA has a route for each remote VPNA it needs to communicate
with.
[Diagram: multiple Remote Sites (Remote Site N: Clients, LAN, CPE, Tachyon VPNA 100, IPSec) and multiple Headquarters sites (Headquarters 1 ... Headquarters N: IPSec, Tachyon VPNA, LAN, Server, Clients) connected through the Tachyon Gateway and the Internet]
The previous examples described completely private networks with only encrypted
packets transiting the Internet. It may be desirable to offer clients at the remote
sites access to the general Internet unencrypted.
Some corporations may want to provide general Internet access to remote sites but
prefer to have all traffic transit Headquarters where packets can be filtered and
inspected.
In this configuration packets are encrypted between the remote site and
Headquarters creating a VPN tunnel. At Headquarters packets are routed to/from
the general Internet. Because the routing happens outside the Tachyon network
there are no configuration changes to the VPNA.
Many networks require a high level of security to keep their data completely private.
For these networks, end-to-end encryption is the only solution. Some networks,
however, transfer data that is sensitive but may not warrant the additional expense
of a full IPSec solution.
QUICK START
The experienced network professional may find that the VPNA configuration menus
provide enough context-sensitive help that they can proceed through the menus and
configure their network. However, we strongly suggest a quick read of this section
and the Theory of Operation section in order to fully understand the features and
benefits of the VPNA and to obtain optimum performance.
A common symptom of a TSP route misconfiguration is that pinging between
sites works yet connecting with ftp fails: ping is not TCP, so it is passed
through regardless of the TSP routes, while every TCP connection depends on
them. If this occurs review your TSP acceleration routes and make sure that the
CPE-side is correctly configured to point at the Headquarters-side and vice
versa. Use the "TCP Test" tool to diagnose TCP problems. See the
troubleshooting section for more causes and solutions.
The VPNA goes just in front of your IPSec device on the LAN side. Assuming you
have a working network, to add a VPNA device you simply disconnect the Ethernet
cable from the LAN-side of your IPSec device and connect it to the LAN-side port on
the VPNA. You then connect a cable from the WAN-side port on the VPNA to the now
open port on the IPSec device.
The VPNA has 10/100BaseTX interfaces. Normally the Ethernet cables to/from the
VPNA will be straight-through cables.
For optimum performance the IPSec device and LAN should support 100 Mbps
transfers and full duplex operation.
Safety Tip: A cable is provided with the VPNA to interconnect it to your IPSec
device. If you choose not to use this cable make sure to select a good quality,
shielded (recommended) CAT-5 LAN cable for interconnecting the Tachyon VPNA.
[Diagrams: VPNA inserted between the LAN and the IPSec device; recovered labels: WAN, LAN]
Once you have connected the VPNA to the local network you are ready to
configure it.
The VPNA has two control interfaces: a serial interface and its Ethernet
interfaces. Using these control interfaces is described in more detail below.
When accessing the VPNA you will need to log in. Use the following factory
default username and password:
Login: admin
Password: vpna
Once you access the VPNA menus you can change the password. Do this before the
VPNA is reachable from the rest of your network: the default is printed in this
handbook, and both telnet and the web interface send the password in the clear.
NOTE: Remember your password. If you forget your password you can
only access the VPNA by connecting to the serial port and logging in as admin
with a password of eraseconfig. Using this login will reset the VPNA to its
factory default values and all configuration information previously
entered will be lost. Because this recovery login needs nothing more than
physical access to the serial port, keep the VPNA in a physically secured
location.
Once you get your terminal emulation program configured and the serial cable
hooked up to the VPNA hit "Enter" a couple of times. You should see the prompt
"Login:”. If you do not, then the terminal emulation program is not configured
properly, you are on the wrong serial port on your PC/workstation, or the cable is
not appropriate for your PC/Workstation. You also need to make sure the VPNA is
powered on.
There are two logins for the serial interface. The first login enters the graphical user
interface and the second login is the actual VPNA login. The login ID and password
are the same for both. Once you have logged on to the VPNA using the serial
interface, you will be connected to the VPNA’s web interface using a character based
web browser. The most convenient way to proceed with the configuration is to
navigate (using the instructions provided at the bottom of your screen) to the Basic
Configuration link, change the VPNA’s LAN IP Address to an address compatible with
your network, and proceed with the configuration from a client based web browser
as described in CONFIGURING THE AF5000 Series VPNA.
The recommended method for accessing the VPNA menus is using a web browser on
a LAN client. The menus are also available via the serial port. These menus are very
similar to the web-based menus. Only the web-based menus are described in this
document.
Refer to the previous section to get to the point where you are at the Main Menu.
The Main Menu of the VPNA is the starting place to enter, view and modify all VPNA
parameters. You can return to the Main Menu by clicking the top link labeled
"Tachyon VPNA". If you are accessing the VPNA from the terminal interface you can
access the Main Menu by pressing the M or H keys. A handy link to Tachyon's web
site is just below. The following figure shows the Main Menu.
Use the Setup Wizard to walk through configuration items for a new device.
If you are changing a device between Bridge Mode and Route Mode you will need to
run the Setup Wizard again.
If you are changing IP addresses on a VPNA device you can edit the parameters
under the Basic Configuration link.
NOTE: If you are using a device that was previously configured and want to start
from the default values you must access the login prompt via the serial port and
login as 'admin' with a password of 'eraseconfig'.
Select "Bridge" or "Route" and then press the "Next =>" button.
In the Basic Configuration menu, enter a Hostname if you wish to identify this VPNA
in SNMP messages and HTTP error messages.
Enter the LAN IP Address you have reserved for the VPNA and the corresponding
LAN Netmask. Press the "Next =>" button.
NOTE: You have the option of entering the netmask in the form /n where n
designates a netmask with the first n bits set to 1. For example 255.255.255.0 is
the same as /24.
Enter the IP address of the WAN Router. This will typically be the IPSec device and
the device that the machines on the LAN use as their Default Gateway. With this
entry you are instructing the VPNA to use this device as its Default Gateway.
If you know the Ethernet address of the WAN Router you can enter it. Ethernet
addresses consist of six octets separated by colons; for example
00:0a:b4:e0:01:02. Enter the colons. If you are unsure of the Ethernet address
leave the entry blank and the VPNA will auto-discover it, checking for the
Ethernet address once every minute. Entering the address explicitly also pins
the VPNA to that gateway: with auto-discovery the VPNA trusts whatever ARP
reply it receives for the WAN Router's IP address on the WAN-side segment.
NOTE: If you change the WAN Router in the future, you will need to update these
entries and reboot the VPNA. Again, make sure the WAN Router (IPSec device) is
powered on before you reboot the VPNA if you want the VPNA to auto-discover the
Ethernet address. The auto-discover mechanism will retry the WAN Router once
every minute.
Press the "Next =>" button to advance to the Prefetch Configuration menu.
You may add multiple DNS servers for the AF5000 Series VPNA. The DNS servers
will be searched in the order in which you add them.
Press the "Next =>" button to advance to the Configuration Review menu.
Review the entries. Use the "<= Back" button to go back and correct any entries.
When the entries are correct press the "Reboot =>" button. Changes will then be
committed and the VPNA will reboot. Your browser will display the following page:
This page will update to show the current status of the VPNA, unless you have given
the VPNA a new IP address. In the case the VPNA has been assigned a new IP
address this page will continually show the “Rebooting” state because the browser
cannot connect to the VPNA.
If you have given the VPNA a new IP address, you may also have to reconfigure the
networking on your local machine to be on the same network as the VPNA. After
making any necessary networking changes on your local machine, you will have to
browse to the new IP address of the VPNA.
Before the AF5000 Series VPNA will accelerate TCP traffic, IP and TSP routes need to
be added. See the discussion of routes following the section on “Route Mode
Configuration”.
Enter a Hostname if you wish to identify this VPNA in SNMP messages and HTTP
error messages.
Enter the LAN IP Address you have reserved for the VPNA and the corresponding
LAN Netmask. Enter the WAN IP Address you have reserved for the VPNA and the
corresponding WAN Netmask.
Press the "Next =>" button to advance to the Prefetch Configuration menu.
You may add multiple DNS servers for the AF5000 Series VPNA. The DNS servers
will be searched in the order in which you add them.
Press the "Next =>" button to advance to the Configuration Review menu.
Review the entries. Use the "<= Back" button to go back and correct any entries.
When the entries are correct press the "Reboot =>" button. Changes will then be
committed and the VPNA will reboot. Your browser will display the following page:
This page will update to show the current status of the VPNA, unless you have given
the VPNA a new IP address. In the case the VPNA has been assigned a new IP
address this page will continually show the “Rebooting” state because the browser
cannot connect to the VPNA.
If you have given the VPNA a new IP address, you may also have to reconfigure the
networking on your local machine to be on the same network as the VPNA. After
making any necessary networking changes on your local machine, you will have to
browse to the new IP address of the VPNA.
Before the AF5000 Series VPNA will accelerate TCP traffic, IP and TSP routes need to
be added. See the following discussion of routes.
ROUTES
Select the "Routes" link from the Main Menu.
IP routes are needed for both “Route Mode” and “Bridge Mode.” In “Bridge Mode”
the VPNA only needs IP routes to accelerate TCP traffic; non-TCP traffic is simply
bridged from one interface to the other.
In a typical deployment, you will add the default IP route to the gateway router on
the LAN Network (e.g. destination 0.0.0.0, netmask 0.0.0.0, and gateway
172.30.2.101). However, your network may vary. Press the "Add" button when you
have made the entries.
Next, you will enter two routes for each VPNA-100 that is to be connected to this
AF5000 Series VPNA. The first route is a general IP Route for all traffic. The
second route is a TSP Route used for TCP acceleration. The following picture shows
the Routes configuration page with the required routes for a single VPNA-100. Note
that the routes that do not have “Delete” buttons next to them are routes resulting
from the AF5000 Series VPNA’s network interfaces.
For the IP Route enter the Destination network address (e.g. 172.20.2.0), the
corresponding Netmask (for this example it would be 255.255.255.0) and the IP
address of the local IPSec device (e.g. 172.30.2.1), or the next hop router for
the destination network. Press the "Add" button when you have made the entries.
For the TSP Route enter the Destination address (172.20.2.0) and the
corresponding Netmask (for this example it would be 255.255.255.0) and the IP
address of the VPNA-100 at the remote site. Select "Remote" since this route is for
a 'remote' network. Press the "Add" button when you have made the entries.
For each new TSP Gateway that is added, an entry is created in the “Rate To TSP
Gateway” table. The default is the maximum rate of 2.045 Mbps. However, if the
actual link is slower than this rate, then tuning the AF5000 Series VPNA to the
actual rate will yield better link utilization.
Repeat the above steps for each remote VPNA-100 site you want to have
connectivity to this Headquarters site.
If you need to target any device that is between an AF5000 Series VPNA and a
VPNA-100 (the IPSec router for example), you must create a non-accelerated TSP
route to the device by specifying a TSP Mode of "none." For example, to access
the IPSec device at 172.20.2.1 from the VPNA at 172.30.2.2 you must enter the
following TSP Route: destination 172.20.2.1, netmask 255.255.255.255, TSP
Gateway 0.0.0.0, TSP Mode "none."
If you have a default “remote” TSP route, you will need to specify “local” TSP routes
for each subnetwork that is not to be accelerated. Additionally, you will need to
specify “local” for any subnets that are not to be accelerated within a “remote”
network.
Specifically, a TSP Mode of “local” means, “do not accelerate if the destination IP
address matches the TSP route destination.” A TSP Mode of “none” means, “do not
accelerate if the source or destination IP address matches the TSP route
destination.”
Press the “Done” button when you are finished adding routes.
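The TSP route modes defined above, together with the /n netmask shorthand noted under Basic Configuration, as an added example that is not Tachyon's code and does not come from this handbook: a small model of the accelerate-or-pass-through decision the Headquarters AF5000 makes for one TCP flow, with a route table built from the handbook's own worked addresses. The VPNA-100 address 172.20.2.2, the client addresses, and the "local" route for the Headquarters LAN 172.30.2.0/24 are constructed for the example; the handbook does not document the order in which the appliance evaluates its routes, so longest-prefix matching with "none" routes checked against both ends of the flow is an assumption.

```python
# Added example (not Tachyon's code): models the AF5000's TSP route decision
# and netmask parsing as described in the handbook.  Lookup order is an
# assumption; addresses other than 172.20.2.0/24, 172.20.2.1 and 172.30.2.x
# are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def parse_netmask(mask: str) -> int:
    """Accept "255.255.255.0" or "/24" and return the prefix length.

    Rejects non-contiguous masks (e.g. 255.0.255.0): they look valid in a
    form field but do not describe a network.
    """
    if mask.startswith("/"):
        n = int(mask[1:])
        if not 0 <= n <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return n
    bits = int(ipaddress.IPv4Address(mask))
    n = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return n


def is_valid_netmask(mask: str) -> bool:
    try:
        parse_netmask(mask)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class TspRoute:
    destination: str   # network address as typed into the Routes page
    netmask: str       # dotted or /n form
    tsp_gateway: str   # remote VPNA-100 address; 0.0.0.0 for local/none
    mode: str          # "remote", "local" or "none"

    @property
    def network(self) -> ipaddress.IPv4Network:
        prefix = parse_netmask(self.netmask)
        return ipaddress.IPv4Network(f"{self.destination}/{prefix}", strict=False)


def _best_match(routes: List[TspRoute], addr: str) -> Optional[TspRoute]:
    """Longest-prefix match of addr against the route destinations."""
    ip = ipaddress.IPv4Address(addr)
    matches = [r for r in routes if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def tsp_decision(routes: List[TspRoute], src: str, dst: str) -> Optional[str]:
    """Return the TSP gateway a src->dst TCP flow is accelerated through,
    or None when the flow is passed through unaccelerated.

    Handbook rules:
      none   - do not accelerate if the SOURCE OR DESTINATION matches
      local  - do not accelerate if the DESTINATION matches
      remote - accelerate towards the route's TSP gateway
    """
    # "none" routes are checked against both ends first, so a device sitting
    # between the two VPNAs (the IPSec router) is never accelerated to or from.
    none_routes = [r for r in routes if r.mode == "none"]
    if any(_best_match(none_routes, end) for end in (src, dst)):
        return None
    best = _best_match(routes, dst)
    if best is None or best.mode != "remote":
        return None
    return best.tsp_gateway


# Constructed Headquarters route table following the handbook's example:
# remote LAN 172.20.2.0/24 behind a VPNA-100 assumed to be at 172.20.2.2,
# the remote IPSec device at 172.20.2.1 excluded with mode "none", and the
# Headquarters LAN 172.30.2.0/24 marked "local" so it is never accelerated.
HQ_TSP_ROUTES = [
    TspRoute("172.20.2.0", "255.255.255.0", "172.20.2.2", "remote"),
    TspRoute("172.20.2.1", "255.255.255.255", "0.0.0.0", "none"),
    TspRoute("172.30.2.0", "/24", "0.0.0.0", "local"),
]

if __name__ == "__main__":
    for src, dst in [("172.30.2.50", "172.20.2.20"),   # remote client: accelerate
                     ("172.30.2.50", "172.20.2.1"),    # remote IPSec: pass through
                     ("172.30.2.50", "172.30.2.60"),   # local LAN: pass through
                     ("172.30.2.50", "10.9.9.9")]:     # no route: pass through
        print(f"{src} -> {dst}: {tsp_decision(HQ_TSP_ROUTES, src, dst)}")
```

The flow from 172.20.2.1 towards a Headquarters client is the case the "none" mode exists for: it is refused acceleration because of its source, even though a "remote" route covers the same /24.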
On each client machine configure the web browser (most likely Internet Explorer or
Netscape) to use the VPNA-100 as its web proxy. Enter the IP address of the VPNA-
100 and the port number of 3128. The CPE Handbook has example screens that
describe how to modify the proxy settings for Internet Explorer and Netscape.
NOTE: If you want to access any local machines with web interfaces (such as the
VPNA or the IPSec device) from a specific client then make sure to configure that
client to exclude local addresses from using the proxy.
The AF5000 Series VPNA is the default HTTP Proxy Parent for VPNA-100 Prefetching
HTTP Proxies. Therefore, the AF5000 Series VPNA needs to resolve URL's via one or
more Domain Name System (DNS) servers. Configure the DNS server search from
the Prefetch Configuration Menu. The DNS servers will be searched in the order in
which you add them.
STATUS
This menu provides current status on this VPNA, including the Version number of
the software.
LINK TEST
Follow these steps to verify your VPNA has been set up correctly. Do not proceed to
the next step if the current test is not successful. This test assumes you have a
client VPNA-100, which is being brought online with the AF5000 Series VPNA.
1. Ping the VPNA-100 and AF5000 Series VPNA from a client on your LAN. This
   should succeed if you have been using the LAN Ethernet port to configure the
   VPNA. If the ping does not work check that the LAN and WAN Ethernet ports are
   cabled up correctly and the interface's link lights are on. Verify the IP
   address and Netmask are correct on both the client and the VPNA.
2. From the same client on the LAN, ping the WAN Router (IPSec device) on the
other side of the VPNA. This will test the VPNAs local routes. If this fails check
the Routes page on the VPNA and make sure there is an entry for the local
network(s). If pings from the client fail try a ping of the WAN Router from the
VPNA. There is a link to the Ping Menu from the VPNA's Main Menu. If this fails
reboot the VPNA and the WAN Router. It is possible that the ARP cache on these
machines is incorrect.
3. From a client on the LAN that has access permission to a remote network behind
a VPNA-100, do a ping of the VPNA-100 at a remote site. If the VPNA-100 at the
remote site is in Route Mode, Ping the WAN interface. If this fails make sure the
Headquarters’ VPNA has a route to the remote site. Also make sure your IPSec
equipment is configured correctly. Since the IPSec equipment sits 'inside' the
VPNAs, connectivity between IPSec devices on the WAN is not affected by the
VPNAs.
4. From this client Ping a machine on the remote network. If this fails it is possible
that the VPNA-100 needs to be updated with the route information to reach the
remote subnet.
TCP TEST
Before performing the TCP Test use the Ping utility to verify basic IP connectivity
between the AF5000 Series VPNA and the VPNA-100.
Once you have verified basic IP connectivity using Ping, go to the TCP Test menu.
The only entry in the TCP Test menu is the IP address of the VPNA-100 with which
you wish to test TCP acceleration.
If the test fails, verify both machines have TCP acceleration enabled. You can find
the TCP acceleration menu in the Services Menu, which is accessed from the
Advanced Functions menu. If you find one or both of the machines have TCP
acceleration disabled, enable TCP acceleration and retry the tests beginning with the
Ping.
If the test still fails, review your exact steps and make sure the IP address
you used for the Ping and for the TCP Test are the same and are the IP address
of the VPNA-100 you are testing against.
SHUTDOWN
Use this menu to reboot or halt the VPNA before powering down.
ADVANCED TOPICS
The VPNA has several menus that you probably will not need to access for normal
operation. To lessen security concerns, Telnet and SNMP are not permitted in the
default configuration of the VPNA. If you have relocated a VPNA from another site
be sure to review these menus to make sure the state of these protocols meets your
security guidelines.
The menus for these features are located under the Advanced Functions link in the
Main Menu. If you select Advanced Functions you will see the following menu.
SERVICES
By disabling certain types of access to the AF5000 Series VPNA, you can increase
the security of your network. From this screen you can enable or disable telnet
and http access. You can also disable or enable TSP acceleration.
Both telnet and the web interface carry the admin password and the management
session in the clear, so manage the VPNA only from a trusted LAN segment and
disable whichever of the two you do not use.
If you disable both telnet and http access, the only way to access your AF5000
Series VPNA is by connecting to the serial port at the back of the AF5000 Series
VPNA.
Generally, you will only need to disable TSP acceleration to aid in debugging the
network. Both your remote VPNA-100 and the corporate AF5000 Series VPNA must
have TSP acceleration disabled or enabled to pass traffic. Note that an alternate way
of disabling TSP acceleration on the AF5000 Series VPNA is to change the TSP Route
type from remote to none.
SNMP CONFIGURATION
From the SNMP menu you can enable LAN and/or WAN SNMP access, as well as add
community strings.
Community strings travel unencrypted and act as the password for the SNMP agent:
choose strings that are not guessable (never the conventional "public"), and do
not enable WAN-side SNMP access unless you need it.
INTERFACE ALIASES
MTU CONFIGURATION
IPSec encapsulation adds headers and a trailer to every packet it encrypts, so
a TCP packet that already fills the LAN MTU grows beyond it. If the VPNA MTU
size does not leave room for this expansion, the encrypted packet is
fragmented on the WAN side. In some cases these fragmented packets will be
rejected when received at the other end.
Setting the MTU size should be done carefully and with full knowledge of the IPSec
equipment connected to the VPNA. Incorrect MTU size entries will adversely affect
performance.
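The expansion the MTU setting has to allow for, as an added example that is not Tachyon's code and is not taken from this handbook: a calculator for the ESP tunnel-mode overhead defined in RFC 4303 over an IPv4 outer header, and for the largest LAN-side packet that still fits the WAN-side link without fragmentation. The cipher and integrity sizes are typical values and an assumption about the IPSec device; the handbook names no algorithm, so check your own equipment.

```python
# Added example (not Tachyon's code): estimates ESP tunnel-mode overhead per
# RFC 4303 with an IPv4 outer header.  Cipher and integrity sizes are typical
# values and an assumption about the IPSec device; check your own device.
OUTER_IPV4 = 20   # new outer IP header added by tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# suite name -> (CBC block size, which is also the IV length; ICV length)
SUITES = {
    "aes-cbc/hmac-sha1-96": (16, 12),
    "3des-cbc/hmac-sha1-96": (8, 12),
    "aes-cbc/hmac-sha256-128": (16, 16),
}


def esp_tunnel_size(inner_len: int, suite: str = "aes-cbc/hmac-sha1-96") -> int:
    """Wire size of an inner IP packet of inner_len bytes after ESP tunnel
    encapsulation.  Padding brings payload + trailer to a block multiple."""
    block, icv = SUITES[suite]
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IPV4 + ESP_HEADER + block + inner_len + pad + ESP_TRAILER + icv


def will_fragment(inner_len: int, outer_mtu: int = 1500,
                  suite: str = "aes-cbc/hmac-sha1-96") -> bool:
    """True if the encrypted packet no longer fits the WAN-side link MTU."""
    return esp_tunnel_size(inner_len, suite) > outer_mtu


def max_inner_mtu(outer_mtu: int = 1500, suite: str = "aes-cbc/hmac-sha1-96") -> int:
    """Largest LAN-side (inner) packet that never fragments after ESP.
    Padding makes the growth non-monotonic, so walk down from outer_mtu."""
    for n in range(outer_mtu, 0, -1):
        if esp_tunnel_size(n, suite) <= outer_mtu:
            return n
    raise ValueError("outer MTU too small to carry any ESP payload")


if __name__ == "__main__":
    for suite in SUITES:
        print(f"{suite:26s} 1500-byte packet -> {esp_tunnel_size(1500, suite)} bytes "
              f"(fragments: {will_fragment(1500, 1500, suite)}); "
              f"max inner MTU on a 1500-byte link: {max_inner_mtu(1500, suite)}")
```

With AES-CBC and HMAC-SHA1-96 a full 1500-byte LAN packet becomes 1560 bytes and is fragmented, while an inner MTU of 1438 always fits; set the VPNA MTU no higher than the figure for your suite. NAT traversal adds another 8 bytes of UDP encapsulation, and AH or combined-mode ciphers such as AES-GCM change the padding and ICV sizes, so recompute rather than reuse these numbers.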
RADIUS CONFIGURATION
This menu allows you to configure the VPNA to use one or more RADIUS
authentication servers to control who has administration access to the VPNA. When
RADIUS authentication is not enabled, the built-in username admin is the only
username allowed access into the VPNA. The admin password can be changed on
the Password Menu, which is reachable from the Main Menu. This is the default
configuration when you receive your VPNA.
Once RADIUS authentication is enabled, remote access via telnet must authenticate
against a username/password configured in a RADIUS server. The servers are tried
in the order listed on the page: the first server that responds decides, and an
Access-Reject from it is final. Only if a server does not respond is the next
server in the list checked. Therefore, users configured to access the VPNA should
be configured identically in each RADIUS server.
Serial port access works like telnet access when RADIUS authentication is activated,
with an additional check of the built-in username. This additional check allows you
to still access the VPNA if the network connecting you to the RADIUS authentication
server(s) is down.
HTTP access never checks the RADIUS servers, so with HTTP enabled the built-in
admin password alone still grants administrative access. It is therefore suggested
that HTTP access be disabled after RADIUS authentication is enabled. Note also that
both telnet and HTTP carry the login credentials in the clear, so management access
over these protocols should be limited to a trusted management network.
In order for RADIUS authentication to be enabled you must enter at least one
RADIUS Server IP on the page. The Port is optional and may be left blank to reach
the server at the default authentication port of 1812 and accounting port of 1813. If
you specify a Port, p, then the accounting port will be p + 1. The Time field is the
number of seconds to wait for a response from the server before moving on to the
next server. The Key is the shared secret, which must be the same on the RADIUS
server; choose a long random value, since it is what hides the password in transit
and what lets the VPNA tell a genuine server reply from a forged one.
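The server walk described above, as an added example that is not part of the handbook or Tachyon's software: a minimal RADIUS client (RFC 2865, PAP) that tries the servers in page order, moves on only when a server gives no answer, and stops at the first server that answers, whether it accepts or rejects. The transport is a callback so the example runs offline against a simulated server; the hosts, shared keys and user database in `simulate`, and the NAS-IP-Address 192.0.2.1, are constructed for the example.

```python
# Added example, not Tachyon's code: RADIUS client (RFC 2865, PAP) that walks
# a server list with the rule above: the next server is consulted only when
# the current one does not answer; any verified reply ends the attempt.
# Hosts, shared keys and users in simulate() are constructed test data.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad with NULs to a 16-byte multiple, then XOR each block with
    MD5(secret + previous hidden block); the first block uses the Request Authenticator."""
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password: the key chain is driven by the hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00").decode()

def build_access_request(ident, username, password, secret, nas_ip):
    """Client side: Access-Request carrying User-Name, User-Password, NAS-IP-Address."""
    ra = os.urandom(16)                                   # Request Authenticator
    name = username.encode()
    hidden = hide_password(password, secret, ra)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(name)]) + name
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
             + bytes([ATTR_NAS_IP, 6]) + bytes(int(o) for o in nas_ip.split(".")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def parse_access_request(packet, secret):
    """Server side: recover (username, password) from an Access-Request."""
    ra, pos, user, hidden = packet[4:20], 20, "", b""
    while pos < len(packet):
        typ, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        if typ == ATTR_USER_NAME:
            user = value.decode()
        elif typ == ATTR_USER_PASSWORD:
            hidden = value
        pos += length
    return user, reveal_password(hidden, secret, ra)

def make_reply(request, code, secret):
    """Server side: Accept/Reject without attributes; Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def reply_code(reply, request, secret):
    """Client side: the reply's code, or None when its Response Authenticator
    does not verify (a forged or mis-keyed reply is silently ignored)."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return reply[0] if reply[4:20] == expected else None

def authenticate(servers, username, password, send, nas_ip="192.0.2.1"):
    """servers: [(host, port, secret, timeout_seconds)] in page order.
    send(host, port, packet, timeout) returns reply bytes, or None on timeout.
    Returns ("accept" | "reject" | "unreachable", [hosts tried])."""
    tried = []
    for ident, (host, port, secret, timeout) in enumerate(servers):
        tried.append(host)
        request = build_access_request(ident & 0xFF, username, password, secret, nas_ip)
        reply = send(host, port, request, timeout)
        if reply is None:
            continue                                      # no answer: next server
        code = reply_code(reply, request, secret)         # None: unverifiable, treated as no answer
        if code == ACCESS_ACCEPT:
            return "accept", tried
        if code == ACCESS_REJECT:
            return "reject", tried                        # a reject does not fall through
    return "unreachable", tried

def simulate(order, username, password, down=("10.0.0.1",)):
    """Constructed scenario: three servers with different keys; only 10.0.0.2
    knows user 'ops'. Servers listed in `down` never answer."""
    secrets = {"10.0.0.1": b"k1", "10.0.0.2": b"k2", "10.0.0.3": b"k3"}
    users = {"10.0.0.1": {}, "10.0.0.2": {"ops": "s3cret"}, "10.0.0.3": {}}

    def send(host, port, packet, timeout):
        if host in down:
            return None
        user, pw = parse_access_request(packet, secrets[host])
        ok = users[host].get(user) == pw
        return make_reply(packet, ACCESS_ACCEPT if ok else ACCESS_REJECT, secrets[host])

    return authenticate([(h, 1812, secrets[h], 3) for h in order], username, password, send)
```

Calling `simulate(["10.0.0.1", "10.0.0.2", "10.0.0.3"], "ops", "s3cret")` skips the silent first server and is accepted by the second. List 10.0.0.3 first instead and the result is a rejection even though 10.0.0.2 knows the user, which is exactly why the handbook asks for identical user entries on every server. A reply whose Response Authenticator does not verify under the shared key is dropped; that check is the only thing standing between the VPNA and a forged Access-Accept.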
AUTO FAIL-OVER
This menu allows you to configure the VPNA to act as a backup for other 5000
Series VPNAs in your network.
Selecting the example link will bring up a new window with the following
detailed description:
The Auto Fail-Over feature of the 5000 Series VPNA (VPNA 5000) allows multiple
VPNA 5000s to provide backup capacity for each other. The following diagram shows
a generic network with a Primary VPNA 5000 and a single Backup VPNA 5000. When
the backup VPNA 5000 is properly configured, it will accelerate traffic not only for its
own network, but for the primary VPNA 5000's network as well.
1000 series VPNA accelerators (VPNA 1000) typically have a default TSP route to a
VPNA 5000 acting as the TSP Gateway. When Auto Fail-Over is disabled, a VPNA
5000 passes through accelerated traffic whose TSP Gateway is different from its own
IP address. When Virtual IP Address mode is enabled, a VPNA 5000 accepts
accelerated traffic whose TSP Gateway matches its Virtual IP Address, and marks
accelerated packets as being sourced from the Virtual IP Address.
When Network Address Translation (NAT) is enabled, a VPNA 5000 accepts
accelerated traffic when the pair of (source IP, TSP Gateway IP) matches an entry in
the NAT Table. Also, the VPNA 5000 marks accelerated packets to one of the NAT
sources as originating from the TSP Gateway IP in the matched pair.
Auto Fail-Over may be configured to use a single Virtual IP Address, or a NAT Table
containing source/destination IP address pairs. Both the Virtual IP Address and the
NAT Table entries may be specified. However, only one mode may be enabled at
any given time. Virtual IP Address and NAT Table modes may both be disabled at
the same time.
A TSP route must be entered in the Basic Functions | Routes page for each VPNA
1000 for which this VPNA 5000 is serving as a backup gateway.
If the NAT Table is enabled, only traffic bound to/from the source/destination
address entries will be processed (in addition to traffic normally targeted to this
VPNA 5000.)
In the NAT Table, the Source IP is the IP Address of a VPNA 1000 for which this
VPNA 5000 is serving as a backup gateway. The Destination IP is the IP Address of a
VPNA 5000 for which this VPNA 5000 is serving as a backup gateway. To configure
the Backup VPNA 5000 in the example diagram:
• In the Routes page, add a TSP route with a Destination of 172.20.2.0, and a
TSP Gateway of 172.20.2.2
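The acceptance rules above, as an added example that is not part of the handbook or Tachyon's software: a small Python model of the decision a VPNA 5000 makes for an incoming accelerated packet, keyed on the packet's source IP and its TSP Gateway, with the two fail-over modes kept mutually exclusive while both settings may still be stored. The field and mode names, and every address other than the handbook's 172.20.2.2, are assumptions made for this example.

```python
# Added example, not Tachyon's code: model of a VPNA 5000's accept/pass-through
# decision for accelerated (TSP) traffic under Auto Fail-Over. Addresses other
# than 172.20.2.2 (the handbook's example VPNA 1000) are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpna5000:
    own_ip: str
    virtual_ip: str = ""                  # may be set even when mode != "vip"
    nat_table: frozenset = frozenset()    # {(VPNA 1000 source IP, primary VPNA 5000 IP)}
    mode: str = "off"                     # "off", "vip" or "nat"; never both enabled

    def __post_init__(self):
        if self.mode not in ("off", "vip", "nat"):
            raise ValueError("mode must be 'off', 'vip' or 'nat'; only one mode can be enabled")

    def classify(self, src_ip, tsp_gateway):
        """Return ("accept", address the accelerated packets are marked as coming from)
        or ("pass-through", None) for a packet from src_ip addressed to tsp_gateway."""
        if tsp_gateway == self.own_ip:                    # ordinary traffic for this unit
            return "accept", self.own_ip
        if self.mode == "vip" and tsp_gateway == self.virtual_ip:
            return "accept", self.virtual_ip              # answer on behalf of the shared VIP
        if self.mode == "nat" and (src_ip, tsp_gateway) in self.nat_table:
            return "accept", tsp_gateway                  # answer as the primary gateway
        return "pass-through", None                       # someone else's gateway: forward


def backup_for_example():
    """Backup VPNA 5000 (assumed 172.20.3.1) covering the handbook's VPNA 1000 at
    172.20.2.2, whose primary gateway is assumed to be 172.20.1.1."""
    return Vpna5000(own_ip="172.20.3.1",
                    nat_table=frozenset({("172.20.2.2", "172.20.1.1")}),
                    mode="nat")
```

With the NAT table above, only the listed VPNA 1000 is taken over: a packet from 172.20.2.2 bound for 172.20.1.1 is accepted and answered as 172.20.1.1, while the same destination from an unlisted source is passed through unchanged. Remember that the backup still needs the TSP route for 172.20.2.0 via 172.20.2.2 from the Routes page, or it cannot deliver the accelerated traffic it now accepts.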
LOAD CONFIGURATION
This menu allows the current operating configuration to be loaded from the
computer that is being used to configure the AF5000 Series VPNA. You are
prompted to locate the configuration file you want to load.
NOTE: When you commit the change all operating parameters will be replaced with
the ones in the configuration file. You may want to save your current configuration
to a temporary file before loading a new configuration.
SAVE CONFIGURATION
This menu allows the current operating configuration to be stored to the computer
that is being used to configure the AF5000 Series VPNA. You are prompted to enter
a file name (which will be appended with a .conf extension) and select a location to
save the configuration file. The saved file holds the VPNA's operating parameters,
including any RADIUS shared keys and SNMP community strings you have entered,
so store it where only administrators can read it.
5 TROUBLESHOOTING
1 Verify that both VPNAs have TSP acceleration enabled. Go to the Services menu
on each VPNA and verify that TSP acceleration is marked as enabled.
1 Verify that the power to the Tachyon VPNA is on (the green LED on the front
panel is lit). If the Power indicator is not lit, check that the power cord is securely
connected to the Tachyon VPNA and to the AC power source. If the power is
connected and the Power LED is still not lit, follow the troubleshooting procedure
in this section for Loss of Power to the Tachyon Network Server.
2 Verify link integrity (the Link LED on the Network Interface Cards (NIC) at the
rear of the VPNA is lit). Both the WAN and LAN ports should be lit. If the Link
indicator is not lit, check that the cable is properly seated and make sure the
device on the other end is powered up.
5 Verify the CPE is up and connected to the Tachyon network. To perform this step
you need direct access to the CPE, bypassing the IPSec device. If this is not
possible, skip this step. Note: when connecting directly to the CPE with a PC or
workstation, use a crossover cable.
6 Verify the IPSec devices are functioning properly. Refer to the User Manual for
your IPSec devices for diagnostic utilities.
6 TECHNICAL SPECIFICATIONS
System Specifications
Nominal support for up to 500 VPNA-100s
Connector pinout (remaining pins):
Pin 4: N/C (no connect)
Pin 5: N/C (no connect)
Pin 7: N/C (no connect)
Pin 8: N/C (no connect)
Environmental Specifications
Warm-up ≤ 15 minutes
Mechanical Specifications
Power Specifications
Voltage 110/220 Volts
Frequency 50/60 Hz
INDEX
Advanced Topics, 47
Aliases, 48
Configuration
  Load, 51
CPE, 17
IPSec, 18
Password, 27
Software Version Number, 44
Specifications
  Mechanical, 58
  Power, 59
SSL, 18
Status, 44
TCP/IP, 17