Tachyon, Inc. AF5000 Series VPNA Handbook

Upload: charles-bush

Post on 26-Mar-2015

Page 1: 638-STAC Manual 1405a

Tachyon, Inc. AF5000 Series VPNA Handbook


About This Handbook

This document describes Tachyon, Inc. (Tachyon) AF5000 Series VPNA software version 1.3.0.0.

The AF5000 Series consists of the AF5100 and AF5200 VPNAs.

This Handbook covers installation and configuration of the AF5000 Series VPNA devices only. Separate manuals cover other VPNA devices.

Notices

Tachyon document 021-12539-0001 Rev. B.

Copyright © 2001, Tachyon, Inc. All rights reserved.

Tachyon, Inc. and the Tachyon logo are trademarks of Tachyon, Inc. All other trademarks are properties of their respective owners.

The information provided in this handbook is being provided by Tachyon, Inc. as a service to our customers. Although every effort has been made to verify the completeness and accuracy of the information contained in this handbook, due to the highly technical nature of the material, and the dynamic nature of the satellite communications network, Tachyon cannot be responsible for any errors and omissions.


CONTENTS

PREFACE ..... 5
SAFETY ..... 8
THEORY OF OPERATION ..... 15
    TACHYON BROADBAND SATELLITE SERVICE PRIMER ..... 15
    TACHYON SATELLITE GATEWAY ..... 16
    SATELLITES ..... 16
    TACHYON CUSTOMER PREMISE EQUIPMENT (CPE) ..... 16
    TACHYON’S EXTENDED ENTERPRISE NETWORK ACCESS SERVICE ..... 17
    IPSEC PRIMER ..... 17
    SSL ..... 18
    VPNA PRIMER ..... 18
    VPNA TOPOLOGIES ..... 19
    SINGLE REMOTE SITE TOPOLOGY ..... 20
    MULTIPLE REMOTE SITE - SINGLE HEADQUARTERS TOPOLOGY ..... 21
    MULTIPLE REMOTE SITE - MULTIPLE HEADQUARTERS TOPOLOGY ..... 21
    ADDING CLEAR TEXT INTERNET ACCESS AT THE TACHYON GATEWAY ..... 22
    ADDING CLEAR TEXT INTERNET ACCESS AT HEADQUARTERS ..... 23
    AN ALTERNATE METHOD - ENCRYPTING AT THE TACHYON SATELLITE GATEWAY ..... 23
CONNECTING AND CONFIGURING THE VPNA ..... 24
    QUICK START ..... 24
    CONNECT THE TACHYON VPNA ..... 25
    GETTING ACCESS TO THE VPNA CONFIGURATION MENUS ..... 25
        Initial access via an Ethernet Port ..... 26
        Initial access via the Serial Port ..... 26
    CONFIGURING THE AF5000 SERIES VPNA ..... 27
    AF5000 SERIES VPNA CONFIGURATION ..... 28
        Bridge Mode Configuration ..... 29
        Route Mode Configuration ..... 36
        Routes ..... 39
        Pre-fetch Configuration ..... 42
    STATUS ..... 43
    LINK TEST ..... 43
    TCP TEST ..... 44
    SHUTDOWN ..... 45
ADVANCED TOPICS ..... 46
    SERVICES ..... 46
    SNMP CONFIGURATION ..... 47
    INTERFACE ALIASES ..... 48
    MTU CONFIGURATION ..... 48
    RADIUS CONFIGURATION ..... 49
    AUTO FAIL-OVER CONFIGURATION ..... 50
    LOAD CONFIGURATION ..... 53
    SAVE CONFIGURATION ..... 54
TROUBLESHOOTING ..... 55
    PING WORKS BUT TCP/IP FAILS ..... 56
    LOSS OF WAN COMMUNICATION ..... 57
    LOSS OF WAN PERFORMANCE ..... 59
TECHNICAL SPECIFICATIONS ..... 60


PREFACE

This VPNA Handbook provides information and instructions for operation and use of Tachyon service and equipment.

This VPNA Handbook is intended for use by the system administrator or IT manager responsible for maintaining the VPNA.

This section includes:

• Warranty information on the Tachyon VPNA equipment.

• Instructions and tips for getting technical support for Tachyon services and equipment.

Warranty

The Tachyon VPNA equipment is warranted to be free from defects in material and workmanship for a period of one (1) year for parts and ninety (90) days for labor from the date of installation. If a product proves defective during this warranty period, Tachyon will repair the defective product without charge for parts or labor, or will provide a replacement for the defective product.

In order to obtain service under this warranty, the subscriber must notify Tachyon of the defect before the expiration of the warranty period and make suitable arrangement for the performance of service.

This warranty does not apply to any defect, failure or damage caused by improper use or inadequate or improper maintenance and care.

The reseller is not obliged to furnish service under this warranty:

• to repair damage resulting from attempts by personnel other than Tachyon.net-certified installation and maintenance professionals to install, repair, or service the product.


• to repair any damage or malfunction caused by the use of non-Tachyon supplies.

• to service a product that has been modified or integrated with other products when the effect of such modification or integration increases the time or difficulty of servicing the product.

VPNA Technical Support

In the event you need technical information or support for VPNA operation beyond the scope of this Handbook, contact the Service Provider from whom you purchase your monthly Tachyon Network Service.

If necessary, the Service Provider will contact any appropriate resources required to support operation of your Tachyon Network Service, including installation and maintenance professionals or Tachyon call center personnel.

VPNA Equipment Service

Under all circumstances, contact the reseller for service.

Do not attempt to service the VPNA equipment yourself, as there are no user-serviceable parts.

Safety Tip: Opening or removing the cover on the Tachyon VPNA may expose you to dangerous voltages or other hazards as well as void your warranty.

Contact your Tachyon reseller to obtain service assistance from a certified Tachyon maintenance professional.


Notice

For the proper operation of this equipment and/or all parts thereof, the instructions in this guide must be strictly and explicitly followed. All of the contents of this guide must be fully read and understood prior to operating any of the equipment or parts thereof.

Failure to completely read and fully understand and follow all of the contents of this guide prior to operating this equipment, or parts thereof, may result in damage to the equipment or parts, and to any persons operating the same.

Tachyon does not assume any liability arising out of the application or use of any products, component parts, circuits, software, or firmware described herein. Tachyon further does not convey any license under its patent, trademark, copyright, or common-law rights nor the similar rights of others. Tachyon further reserves the right to make any changes in any products, or parts thereof, described herein without notice.

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.

This equipment generates, uses, and radiates radio frequency energy.


SAFETY

The VPNA equipment contains delicate electronics and electrical components. Follow all safety precautions in this section when the VPNA equipment is in operation.

Carefully read and follow all safety, use, and operating instructions before operating the VPNA equipment. Retain these instructions for future reference.

Carefully read and follow all safety, use, and operating instructions for the Tachyon Customer Premise Equipment (CPE) contained in the CPE Handbook.

This section includes:

• Safety considerations for use of the Tachyon VPNA equipment.

Safety Precautions

Use safety precautions when working at or near the Tachyon VPNA as described in these sections.

Tachyon VPNA Safety Precautions

Follow all instructions and advisories in this section when working with the Tachyon VPNA.


Warning: Shock Hazard

Do not open the equipment. Service is only to be performed by Tachyon or by a Tachyon-certified maintenance professional.

The Tachyon VPNA contains no user serviceable parts. Do not attempt to service this product yourself. Any attempt to do so negates any and all warranties.

When operating the Tachyon VPNA, observe these precautions:

Follow the Connection procedure described in this manual

Do not plug in the Tachyon VPNA power cord until the Tachyon VPNA is connected to a LAN or computer.

Provide a Safe Location Place the Tachyon VPNA in a rack or on a stable surface of sufficient size and strength, where it cannot be jarred, hit, or pushed off its surface. Ensure that all cables and cords are out of the way and cannot be tripped over, as this could cause personal injury or serious damage to the Tachyon VPNA.

Avoid Water and Moisture Do not expose the Tachyon VPNA to any liquid or moisture.


Avoid Heat, Humidity, and Dust

To avoid internal damage, the Tachyon VPNA should be placed away from all heat sources, including radiators, heater ducts, exhausts, and like emissions: out of direct sunlight and away from high humidity, excessive dust, or mechanical vibrations that can cause damage to internal parts.


Provide Adequate Ventilation Slots and openings on the front and back of the Tachyon VPNA are provided for ventilation that is needed to ensure reliable operation. The Tachyon VPNA uses forced air convection that draws air in from the front and exhausts air to the back of the unit.

To avoid overheating and ensure that the ventilation slots are not blocked, place the Tachyon VPNA on a smooth, hard surface that has at least two inches of clearance around the front and rear of the unit, and adequate air circulation.

If the Tachyon VPNA is placed in a closed area, such as a bookcase or rack, ensure that proper ventilation is provided and that the internal rack operating temperature does not exceed the maximum rated temperature at the position of the Tachyon VPNA.

Never place the Tachyon VPNA on a soft surface that would obstruct the required airflow into the unit's ventilation slots.


Use the Correct Power Source The Tachyon VPNA Input AC line voltage is switch-selectable to operate either at 115 VAC (90 to 130 VAC range) or 230 VAC (180 to 265 VAC range) grounded power system with line frequencies from 47 to 63 Hz. The Tachyon VPNA must be connected to an earthed main socket outlet.

To prevent damage to the Tachyon VPNA, ensure that the proper voltage range is selected prior to application of input power.

For Tachyon VPNA units equipped with a North American power cord, the cord has an IEC 320 female plug on one end and a NEMA 5-15P male plug on the other end. This cord is UL and CSA approved up to 125 VAC at 10A and is ready to use with no user wiring required.

Tachyon VPNA units for International distribution are equipped with an International cord that has an IEC 320 female on one end, and the specific National Regulatory Agency approved male plug on the other end. The power cord is HAR and IEC approved with International color coded wiring.


Route Power Cords Safely Route power cords so that they are not walked on or pinched. Pay particular attention to cords and connections at the plugs, receptacles (such as power strips), and the point where they exit from the Tachyon VPNA and attach to other equipment. Do not place any items on or against power cords.

Protect Against Lightning and Power Surges

To protect against voltage surges and built-up static charges, the VPNA has been installed with appropriate grounding methods in compliance with grounding standards for electrical and radio equipment according to the electrical codes in the country of installation. Do not remove or modify the grounding and protection mechanism that has been installed with your Tachyon VPNA.

To ensure continuous and undisturbed unit operation from primary power line anomalies, use an Uninterruptible Power Source (UPS) with your Tachyon VPNA.


Do not penetrate the Tachyon VPNA

Touching internal Tachyon VPNA parts is dangerous to both you and the unit. Never put any object, including your fingers, through Tachyon VPNA slots or openings, as this could result in touching dangerous voltage points, short-circuiting parts, electric shock, or fire. If an object falls into the Tachyon VPNA, unplug the unit and contact your Service Provider, as serious damage could occur to the unit.


THEORY OF OPERATION

The Tachyon Satellite IP Network provides two-way Internet Protocol service over a high-performance satellite link. Using advanced technology invented and patented by Tachyon, it provides reliable, high-performance Internet communications everywhere within the Tachyon satellite footprint.

The Tachyon VPNA allows deployment of IPSec security with Tachyon's network.

This section includes:

• A Tachyon Broadband Satellite Service primer summarizing key features and functionality from the CPE Handbook.

• An IPSec primer introducing key subjects.

• An overview of the most common network topologies

TACHYON BROADBAND SATELLITE SERVICE PRIMER

Tachyon’s broadband satellite service is a two-way IP carrier service providing high-speed links via satellite to subscribers.

A direct and dedicated digital link between each subscriber network and the Internet backbone network is made possible using standard IP interfaces and protocols, ensuring end-to-end transparency and compatibility.

Figure 3-1 shows an overview of the Tachyon network components. Each regional satellite network includes a hub site called the Tachyon Satellite Gateway and many subscriber sites using Tachyon Customer Premise Equipment (CPE).


Figure 3-1 Tachyon, Inc. -The Network

TACHYON SATELLITE GATEWAY

The Gateway connects to backbone networks, providing a high-speed bridge between subscriber CPEs and the Internet, Intranets, and/or Extranets. The Gateway includes a large satellite antenna.

SATELLITES

Tachyon utilizes geostationary satellites. Geostationary satellites are positioned over the equator at an altitude of about 22,000 miles, such that they appear to be stationary in the sky. The CPE and Gateway antennas remain pointed at one satellite at all times.

TACHYON CUSTOMER PREMISE EQUIPMENT (CPE)

The CPE is the terminal that connects to a subscriber network and routes IP traffic via the satellite link to the Gateway and the terrestrial network. The CPE consists of a Tachyon Network Server, an Outdoor Unit (ODU) including a small satellite antenna with a radio, and a coaxial cable assembly that connects the Tachyon Network Server with the ODU.


TACHYON’S EXTENDED ENTERPRISE NETWORK ACCESS SERVICE

Data traverses the high-speed satellite link in both directions, providing two-way high-performance communications for each user on each subscriber LAN.

Tachyon has developed many innovative technologies to make high-speed communications over satellite a reality. Among these patented innovations is the ability to carry TCP/IP traffic at full speed. Tachyon optimizes the TCP/IP protocol to achieve full performance when transmitted over satellite. The following diagram briefly describes the protocol flow.

[Figure: The Tachyon Proxy Server Technology Logical Implementation]

IPSEC PRIMER

For many years encryption technologies have been evolving. Until recently encryption was supported for private networks using proprietary algorithms and single-vendor solutions. With the rapid growth of the Internet it was imperative for the security industry to develop a standard for encrypting packets for transfer over the public network providing general interoperability. IPSec has become the de-facto standard for encrypting traffic on the Internet and has also become the standard for encryption in private networks including most federal and many military networks.


IPSec currently has two basic modes: transport and tunnel. For the purposes of this primer the differences are not important. The important point to know is that IPSec in either mode encapsulates IP packets into a new IP packet. The contents of the original IP packet are encrypted and no longer visible to the outside until they pass the decryption process at the destination.

The Tachyon Gateway and Tachyon Customer Premise Equipment cannot accelerate TCP/IP traffic after the traffic has been encrypted with IPSec because the TCP header is also encrypted. If encrypted, the packets are passed as IP packets, but the TCP acceleration is not applied. Therefore performance will be reduced.

By placing VPN Accelerators into the network just before the IPSec encryption devices, TCP/IP traffic reaches the VPNA in the clear and is accelerated, restoring TCP/IP performance.

SSL

A quick word about SSL. SSL, or Secure Socket Layer, is a very popular encryption method used with IP applications. Because SSL performs its encryption on the data payload prior to passing the packet on to the transport layer (TCP), SSL does not interfere with Tachyon’s TCP/IP acceleration. However, when using HTTPS all HTML data is encrypted before the HTTP proxy can perform pre-fetch, so web sites using HTTPS (thus SSL) do load slower than regular HTTP sites. The VPNA cannot mitigate this slowdown.
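To make the point of the IPSec and SSL sections concrete, here is an added Python example (not code from the handbook or from Tachyon) that parses only the parts of a packet an in-path device can read without holding any IPSec keys. All three packets are constructed inline: a cleartext FTP segment as the VPNA sees it on the LAN side, the same segment after an IPSec device has wrapped it in ESP tunnel mode, and a TCP segment carrying an opaque SSL/TLS record. The ESP "encryption" is a labelled XOR stand-in rather than a real cipher, and the addresses, SPI and port numbers are made up for the demonstration.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP = 6
IPPROTO_ESP = 50


@dataclass
class OuterView:
    """What an in-path device can read from a packet without IPSec keys."""
    proto: int
    src: str
    dst: str
    tcp_sport: Optional[int] = None
    tcp_dport: Optional[int] = None
    tcp_seq: Optional[int] = None
    esp_spi: Optional[int] = None
    esp_seq: Optional[int] = None

    @property
    def can_accelerate(self) -> bool:
        # TCP acceleration needs the TCP header (ports, sequence numbers, flags).
        return self.proto == IPPROTO_TCP and self.tcp_sport is not None


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header, no options; the checksum is left zero for this demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport: int, dport: int, seq: int, data: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, window 8192, no checksum) plus data."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    return hdr + data


def esp_encapsulate(inner_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Stand-in for ESP tunnel mode: SPI + sequence number + opaque payload.
    The XOR keystream is NOT real cryptography; it only makes the inner packet
    unreadable to parse_outer(), as ESP's cipher would."""
    ciphertext = bytes(b ^ key[i % len(key)] for i, b in enumerate(inner_packet))
    return struct.pack("!II", spi, seq) + ciphertext


def parse_outer(packet: bytes) -> OuterView:
    """Parse only what is in the clear: the outer IPv4 header and, if the payload
    is TCP, the TCP header; if it is ESP, just the SPI and sequence number."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    payload = packet[ihl:total_len]
    view = OuterView(proto, socket.inet_ntoa(src), socket.inet_ntoa(dst))
    if proto == IPPROTO_TCP and len(payload) >= 20:
        view.tcp_sport, view.tcp_dport, view.tcp_seq = struct.unpack("!HHI", payload[:8])
    elif proto == IPPROTO_ESP and len(payload) >= 8:
        # Only the ESP header is readable; the encapsulated IP and TCP headers are ciphertext.
        view.esp_spi, view.esp_seq = struct.unpack("!II", payload[:8])
    return view


# Constructed sample traffic (private LAN addresses inside, RFC 5737 documentation
# addresses outside; nothing here is a real network).
# 1) FTP control segment from a remote-site client to a server at headquarters, as it
#    reaches the VPNA on the LAN side of the IPSec device.
CLEAR_PACKET = build_ipv4("10.1.0.25", "10.100.0.10", IPPROTO_TCP,
                          build_tcp(40000, 21, 1000, b"USER anonymous\r\n"))
# 2) The same segment after the IPSec device has wrapped it in ESP tunnel mode
#    between the two sites' public addresses (made-up SPI).
ESP_PACKET = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_ESP,
                        esp_encapsulate(CLEAR_PACKET, spi=0x1234, seq=7, key=b"demo-keystream"))
# 3) An HTTPS segment: the TCP header stays readable, only the payload (a stand-in
#    for a TLS record) is opaque.
TLS_PACKET = build_ipv4("10.1.0.25", "10.100.0.10", IPPROTO_TCP,
                        build_tcp(40001, 443, 5000, b"\x16\x03\x03\x00\x10" + bytes(16)))

if __name__ == "__main__":
    for label, pkt in (("cleartext FTP", CLEAR_PACKET), ("ESP-wrapped", ESP_PACKET), ("HTTPS", TLS_PACKET)):
        v = parse_outer(pkt)
        print(f"{label}: proto={v.proto} {v.src}->{v.dst} ports={v.tcp_sport}->{v.tcp_dport} "
              f"spi={v.esp_spi} accelerable={v.can_accelerate}")
```

Run it and the ESP-wrapped packet exposes only the outer addresses, the SPI and the ESP sequence number: there is no TCP header left to accelerate, which is why the VPNA must sit on the LAN side of the IPSec device. The HTTPS segment still exposes its TCP header, so acceleration works, while its payload is opaque, matching the handbook's note that SSL does not block TCP acceleration but does prevent HTTP pre-fetch.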

VPNA PRIMER

In order to allow customers to use IPSec and still retain the benefits of Tachyon's technology we developed the VPNA (short for VPN Accelerator). The VPNA performs Tachyon's TCP acceleration prior to the IPSec encryption/encapsulation process. High performance is maintained and user data is fully secured via IPSec encryption.

The VPNA is a simple appliance to connect to your network. You simply insert the VPNA between your LAN and your IPSec device. The following diagrams depict a network before and after installation of a VPNA.

[Figure: Site before Installing the VPNA: LAN - IPSec Device - WAN Router/CPE - WAN]

[Figure: Site after Installing VPNA: LAN - Tachyon VPNA - IPSec Device - WAN Router/CPE - WAN]

The VPNA comes with two 10/100 BaseTX Ethernet interfaces providing quick compatibility with most networks.

The VPNA has two basic modes of operation to support most LAN configurations: Bridge Mode and Routed Mode. In Bridge Mode the VPNA gets a single IP address on the sub-network and bridges traffic between its two interfaces, both on the same sub-network. In Routed Mode, the WAN and LAN sides of the VPNA get different IP addresses corresponding to two separate sub-networks and the VPNA routes packets between the two networks.

The VPNA supports IP aliases on its interfaces to provide additional flexibility in supporting your network architectures.

Bridge and Route modes are described in further detail in the Configuration Section.

VPNA TOPOLOGIES

For networks using IPSec, a VPNA is required at each site where there is an IPSec device. In general the routing aspects of the VPNA are similar to those of the IPSec devices. The VPNA-100 is designed for placement at remote sites with a CPE and the AF5000 Series VPNA is designed for the Headquarter sites. This document applies only to the AF5000 Series VPNA.

In this handbook we describe these basic topologies:

• Single Remote Site

• Multiple Remote Sites with a Single Headquarters

• Multiple Remote Sites with Multiple Headquarters

• Adding clear text access to the Internet at the Gateway

• Adding clear text access to the Internet at Headquarters

• An alternate method - Encrypting at the Tachyon Satellite Gateway


In this section we present the concepts associated with the basic topologies. In the next section we walk through example networks and provide worksheets for each of the different topologies to simplify organizing IP addresses and routes.

SINGLE REMOTE SITE TOPOLOGY

Most networks involve more than one site so this topology is primarily provided to introduce the basic principles; although all networks must have their first site to come online.

The following diagram identifies the key network components and how they are interconnected:

[Figure: Single Remote Site Configuration. Remote Site: Clients - LAN - Tachyon VPNA 100 - IPSec - CPE; Satellite (WAN) - Tachyon Gateway - Internet; Headquarters: WAN Router - IPSec - Tachyon VPNA 5000 - LAN - Server and Clients]

The CPE-side VPNA can be configured in Bridge Mode or Routed Mode depending upon the desired LAN topology. As mentioned earlier, one advantage of Bridge Mode is ease of configuration.

NOTE: If Routed Mode is implemented on the CPE-side VPNA and Network Address Translation (NAT) is not being used, then the Tachyon Network Operations Center (NOC) must be notified of the additional sub-network so they can make the appropriate entries to allow the CPE to route to the sub-network behind the VPNA. You will need to provide the NOC with the IP address of the VPNA as it is the default gateway to reach the internal sub-network.


At the Headquarters side the VPNA can also be configured in Bridge or Routed Mode. Again, the selection of Bridge Mode in this case is preferred to simplify network reconfiguration.

In this scenario all traffic from the remote site is destined for Headquarters. The CPE-side VPNA is configured with a route to the VPNA at Headquarters and similarly the VPNA at Headquarters is configured with a route to the VPNA at the remote site.

MULTIPLE REMOTE SITE - SINGLE HEADQUARTERS TOPOLOGY

This topology is just an extension of the Single Site case. Each remote site VPNA has a route to the Headquarters VPNA and the Headquarters VPNA has a route entry for each of the VPNAs at the remote sites. Communication between remote sites requires packets to go through Headquarters.

[Figure: Multiple Remote Sites with a Single Headquarters. Remote Sites 1 to N: Clients - LAN - Tachyon VPNA 100 - IPSec - CPE; Satellite (WAN) - Tachyon Gateway - Internet; Headquarters: WAN Router - IPSec - Tachyon VPNA 5000 - LAN - Server and Clients]

MULTIPLE REMOTE SITE - MULTIPLE HEADQUARTERS TOPOLOGY

Many corporations or extranets require that remote sites be able to communicate with a number of Headquarters locations. For example a remote bank may have to exchange certain data with Corporate Headquarters as well as with regional banks.

In these cases the IPSec equipment may be configured to allow direct communication between the remote sites and the corporate or regional sites. The VPNA can be configured to support this topology.


Each CPE-side VPNA gets a route for each of the Headquarters sites. Similarly, each Headquarters VPNA has a route for each remote VPNA it needs to communicate with.

The following diagram depicts the topology:

[Figure: Multiple Sites with Multiple Headquarters. Remote Sites 1 to N: Clients - LAN - Tachyon VPNA 100 - IPSec - CPE; Satellite (WAN) - Tachyon Gateway - Internet; Headquarters 1 to N: WAN Router - IPSec - Tachyon VPNA 5000 - LAN - Server and Clients]

ADDING CLEAR TEXT INTERNET ACCESS AT THE TACHYON GATEWAY

The previous examples described completely private networks with only encrypted packets transiting the Internet. It may be desirable to offer clients at the remote sites access to the general Internet unencrypted.

One method to accomplish this is to configure Internet browsers on the CPE-side LAN to use the CPE as their default gateway and configure the IPSec devices to allow packets destined to the general Internet to pass through the IPSec device unencrypted.

If remote sites access a web-enabled application that is hosted at Headquarters they will need to change their proxy settings to switch between accessing the Internet and Headquarters.


ADDING CLEAR TEXT INTERNET ACCESS AT HEADQUARTERS

Some corporations may want to provide general Internet access to remote sites but prefer to have all traffic transit Headquarters where packets can be filtered and inspected.

In this configuration packets are encrypted between the remote site and Headquarters, creating a VPN tunnel. At Headquarters packets are routed to/from the general Internet. Because the routing happens outside the Tachyon network there are no configuration changes to the VPNA.

AN ALTERNATE METHOD - ENCRYPTING AT THE TACHYON SATELLITE GATEWAY

Many networks require a high level of security to keep their data completely private. For these networks, end-to-end encryption is the only solution. Some networks, however, transfer data that is sensitive but may not warrant the additional expense of a full IPSec solution.

CIO or IT managers putting together a network should consider a topology where an IPSec tunnel over the public Internet is set up between the Tachyon Gateway and the corporate Headquarters. This architecture does not require an IPSec device at each site. This significantly lessens the cost of ownership, as these devices do not need to be procured or managed. In this configuration VPNA devices are also not required.

Consideration for this architecture requires a careful review of security requirements. Packets will transit the satellite link without IPSec encryption.

Tachyon's combination of network partitioning along with unique modulation and error correction schemes makes it difficult to intercept a transmission. However, malicious interception is indeed possible with some effort.


CONNECTING AND CONFIGURING THE VPNA

This document assumes you already have a working Tachyon network and are adding the VPNA to integrate IPSec technology into the network.

This section includes:

• A quick start section to get you into the configuration pages.

• Instructions on configuring the VPNA for different network topologies.

QUICK START

The experienced network professional may find that the VPNA configuration menus provide enough context-sensitive help that they can proceed through the menus and configure their network. However, we strongly suggest a quick read of this section and the Theory of Operation section in order to fully understand the features and benefits of the VPNA and to obtain optimum performance.

When configuring the VPNA it is important to remember that TCP acceleration is separate from IP delivery. Therefore the VPNA must first be configured correctly for delivery of IP traffic; only then can TCP acceleration be configured. If the CPE-side VPNA cannot find a route to deliver IP traffic to the Headquarters-side VPNA then TCP acceleration will fail also. However, if IP traffic is correctly delivered from the CPE-side VPNA to the Headquarters-side VPNA (e.g. ping works), any remaining problems can be isolated to the TCP configuration.

A common symptom for this kind of configuration problem is that pinging between sites works yet connecting with ftp fails. If this occurs review your TSP acceleration routes and make sure that the CPE-side is correctly configured to point at the Headquarters-side and vice versa. Use the "TCP Test" tool to diagnose TCP problems. See the troubleshooting section for more causes and solutions.



CONNECT THE TACHYON VPNA:

The VPNA goes just in front of your IPSec device on the LAN side. Assuming you have a working network, to add a VPNA device you simply disconnect the Ethernet cable from the LAN-side of your IPSec device and connect it to the LAN-side port on the VPNA. You then connect a cable from the WAN-side port on the VPNA to the now open port on the IPSec device.

The VPNA has 10/100BaseTX interfaces. Normally the Ethernet cables to/from the VPNA will be straight-through cables.

For optimum performance the IPSec device and LAN should support 100 Mbps transfers and full duplex operation.

Safety Tip: A cable is provided with the VPNA to interconnect it to your IPSec device. If you choose not to use this cable make sure to select a good quality, shielded (recommended) CAT-5 category LAN cable for interconnecting the Tachyon VPNA.

The following diagram depicts a typical installation:

[Figure: typical installation. Site before installing the VPNA: WAN, WAN Router/CPE, IPSec Device, LAN. Site after installing the VPNA: WAN, WAN Router/CPE, IPSec Device, Tachyon VPNA, LAN.]

GETTING ACCESS TO THE VPNA CONFIGURATION MENUS

Once you have connected the VPNA to the local network you are ready to configure it.


The VPNA has two control interfaces: a serial interface and its Ethernet interfaces. Using these control interfaces is described in more detail below.

When accessing the VPNA you will need to log in. Use the following factory default username and password:

Login: admin Password: vpna

Once you access the VPNA menus you can change the password.

NOTE: Remember your password. If you forget your password you can only access the VPNA by connecting to the serial port and logging in as admin with a password of eraseconfig. Using this login will reset the VPNA to its factory default values and all configuration information previously entered will be lost.

INITIAL ACCESS VIA AN ETHERNET PORT

The VPNA ships from the factory with the default address of 192.168.1.1 and a netmask of 255.255.255.0. You can gain initial access to the configuration menus by connecting a PC or workstation that is configured for this sub-network to the LAN port. Once you have connected the PC or workstation with the proper IP configuration, simply point your browser to the IP address of the VPNA (192.168.1.1). You should see the prompt "Login:". If you do not, then make sure you can ping the VPNA from your PC or workstation. You may need to restart your computer if you changed IP addresses. You also need to make sure the VPNA is powered on. Once you have set the initial IP parameters of the VPNA you can reconnect it to your network and access it from any client on the LAN (depending on firewalls and other security).

INITIAL ACCESS VIA THE SERIAL PORT

You can also configure the VPNA via the serial port. To do this you need a terminal emulation program running on your PC or workstation and have it configured for 9600-N-8-1 (that is 9600 baud, no parity bits, eight bits per character, and 1 stop bit). If you have an option, select VT-100 emulation. The VPNA is supplied with a serial cable that should work with most PCs and laptops.

Once you get your terminal emulation program configured and the serial cable hooked up to the VPNA hit "Enter" a couple of times. You should see the prompt "Login:". If you do not, then the terminal emulation program is not configured properly, you are on the wrong serial port on your PC/workstation, or the cable is not appropriate for your PC/workstation. You also need to make sure the VPNA is powered on.


There are two logins for the serial interface. The first login enters the graphical user interface and the second login is the actual VPNA login. The login ID and password are the same for both. Once you have logged on to the VPNA using the serial interface, you will be connected to the VPNA's web interface using a character based web browser. The most convenient way to proceed with the configuration is to navigate (using the instructions provided at the bottom of your screen) to the Basic Configuration link, change the VPNA's LAN IP Address to an address compatible with your network, and proceed with the configuration from a client based web browser as described in CONFIGURING THE AF5000 SERIES VPNA.

CONFIGURING THE AF5000 SERIES VPNA

The configuration of the VPNA depends on your network topology. Please read the Theory of Operation section to become familiar with the various network topologies.

The recommended method for accessing the VPNA menus is using a web browser on a LAN client. The menus are also available via the serial port. These menus are very similar to the web-based menus. Only the web-based menus are described in this document.

Refer to the previous section to get to the point where you are at the Main Menu.

The Main Menu of the VPNA is the starting place to enter, view and modify all VPNA parameters. You can return to the Main Menu by clicking the top link labeled "Tachyon VPNA". If you are accessing the VPNA from the terminal interface you can access the Main Menu by pressing the M or H keys. A handy link to Tachyon's web site is just below. The following figure shows the Main Menu.


Use the Setup Wizard to walk through configuration items for a new device.

If you are changing a device between Bridge Mode and Route Mode you will need to run the Setup Wizard again.

If you are changing IP addresses on a VPNA device you can edit the parameters under the Basic Configuration link.

NOTE: If you are using a device that was previously configured and want to start from the default values you must access the login prompt via the serial port and login as 'admin' with a password of 'eraseconfig'.

AF5000 SERIES VPNA CONFIGURATION

Select the Setup Wizard from the Main Menu.

You will see the following screen:


Select "Bridge" or "Route" and then press the "Next =>" button.

BRIDGE MODE CONFIGURATION

Selecting Bridge Mode will bring up the next Setup Wizard Menu:


Clicking on “example configuration” will display the following:


In the Basic Configuration menu, enter a Hostname if you wish to identify this VPNA in SNMP messages and HTTP error messages.

NOTE: You cannot use underscores or spaces in the Hostname.

Enter the LAN IP Address you have reserved for the VPNA and the corresponding LAN Netmask. Press the "Next =>" button.


NOTE: You have the option of entering the netmask in the form /n where n designates a netmask with the first n bits set to 1. For example 255.255.255.0 is the same as /24.

You will now see the following menu:

Enter the IP address of the WAN Router. This will typically be the IPSec device and the device that the machines on the LAN use as their Default Gateway. With this entry you are instructing the VPNA to use this device as its Default Gateway.


If you know the Ethernet address of the WAN Router you can enter it. Ethernet addresses consist of six octets separated by colons; for example 00:0a:b4:e0:01:02. Enter the colons. If you are unsure of the Ethernet address leave the entry blank and the VPNA will auto-discover it. The VPNA will check for the Ethernet address once every minute.

NOTE: If you change the WAN Router in the future, you will need to update these entries and reboot the VPNA. Again, make sure the WAN Router (IPSec device) is powered on before you reboot the VPNA if you want the VPNA to auto-discover the Ethernet address. The auto-discover mechanism will retry the WAN Router once every minute.

Press the "Next =>" button to advance to the Prefetch Configuration menu.


You may add multiple DNS servers for the AF5000 Series VPNA. The DNS servers will be searched in the order in which you add them.

Press the "Next =>" button to advance to the Configuration Review menu.

Review the entries. Use the "<= Back" button to go back and correct any entries. When the entries are correct press the "Reboot =>" button. Changes will then be committed and the VPNA will reboot. Your browser will display the following page:


This page will update to show the current status of the VPNA, unless you have given the VPNA a new IP address. If the VPNA has been assigned a new IP address this page will continually show the "Rebooting" state because the browser cannot connect to the VPNA.

If you have given the VPNA a new IP address, you may also have to reconfigure the networking on your local machine to be on the same network as the VPNA. After making any necessary networking changes on your local machine, you will have to browse to the new IP address of the VPNA.

Your VPNA is now configured in “Bridge Mode”.

Before the AF5000 Series VPNA will accelerate TCP traffic, IP and TSP routes need to be added. See the discussion of routes following the section on "Route Mode Configuration".


ROUTE MODE CONFIGURATION

Selecting Route Mode will bring up the next Setup Wizard Menu:

Enter a Hostname if you wish to identify this VPNA in SNMP messages and HTTP error messages.

NOTE: You cannot use underscores or spaces in the Hostname.

Enter the LAN IP Address you have reserved for the VPNA and the corresponding LAN Netmask. Enter the WAN IP Address you have reserved for the VPNA and the corresponding WAN Netmask.

Press the "Next =>" button to advance to the Prefetch Configuration menu.


You may add multiple DNS servers for the AF5000 Series VPNA. The DNS servers will be searched in the order in which you add them.

Press the "Next =>" button to advance to the Configuration Review menu.


Review the entries. Use the "<= Back" button to go back and correct any entries. When the entries are correct press the "Reboot =>" button. Changes will then be committed and the VPNA will reboot. Your browser will display the following page:


This page will update to show the current status of the VPNA, unless you have given the VPNA a new IP address. If the VPNA has been assigned a new IP address this page will continually show the "Rebooting" state because the browser cannot connect to the VPNA.

If you have given the VPNA a new IP address, you may also have to reconfigure the networking on your local machine to be on the same network as the VPNA. After making any necessary networking changes on your local machine, you will have to browse to the new IP address of the VPNA.

Your VPNA is now configured in “Route Mode”.

Before the AF5000 Series VPNA will accelerate TCP traffic, IP and TSP routes need to be added. See the following discussion of routes.

ROUTES

Select the "Routes" link from the Main Menu.


IP routes are needed for both “Route Mode” and “Bridge Mode.” In “Bridge Mode” the VPNA only needs IP routes to accelerate TCP traffic; non-TCP traffic is simply bridged from one interface to the other.

In a typical deployment, you will add the default IP route to the gateway router on the LAN Network (e.g. destination 0.0.0.0, netmask 0.0.0.0, and gateway 172.30.2.101). However, your network may vary. Press the "Add" button when you have made the entries.

Next, you will enter two routes for each VPNA-100 that is to be connected to this AF5000 Series VPNA. The first route is a general IP Route for all traffic. The second route is a TSP Route used for TCP acceleration. The following picture shows the Routes configuration page with the required routes for a single VPNA-100. Note that the routes that do not have "Delete" buttons next to them are routes resulting from the AF5000 Series VPNA's network interfaces.

For the IP Route enter the Destination network address (e.g. 172.20.2.0), the corresponding Netmask (for this example it would be 255.255.255.0) and the IP address of the local IPSec device (e.g. 172.30.2.1, or the next hop router for the destination network). Press the "Add" button when you have made the entries.

For the TSP Route enter the Destination address (172.20.2.0), the corresponding Netmask (for this example it would be 255.255.255.0) and the IP address of the VPNA-100 at the remote site. Select "Remote" since this route is for a 'remote' network. Press the "Add" button when you have made the entries.

For each new TSP Gateway that is added, an entry is created in the "Rate To TSP Gateway" table. The default is the maximum rate of 2.045 Mbps. However, if the actual link is slower than this rate, then tuning the AF5000 Series VPNA to the actual rate will yield better link utilization.

Repeat the above steps for each remote VPNA-100 site you want to have connectivity to this Headquarters site.

If you need to target any device that is between an AF5000 Series VPNA and a VPNA-100 (the IPSec router for example), you must create a non-accelerated TSP route to the device by specifying a TSP Mode of "none." For example, to access the IPSec device at 172.20.2.1 from the VPNA at 172.30.2.2 you must enter the following TSP Route: destination 172.20.2.1, netmask 255.255.255.255, TSP Gateway 0.0.0.0, TSP Mode "none."

If you have a default "remote" TSP route, you will need to specify "local" TSP routes for each subnetwork that is not to be accelerated. Additionally, you will need to specify "local" for any subnets that are not to be accelerated within a "remote" network.


Specifically, a TSP Mode of "local" means, "do not accelerate if the destination IP address matches the TSP route destination." A TSP Mode of "none" means, "do not accelerate if the source or destination IP address matches the TSP route destination."

Press the “Done” button when you are finished adding routes.
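The following is an added worked example, not part of the handbook or of Tachyon's software: it models the TSP route semantics described above (a "remote" route accelerates toward its TSP Gateway, "local" bypasses on a destination match, "none" bypasses on a source or destination match) and the /n netmask form. It assumes that, where "remote" and "local" routes overlap, the most specific destination match wins, which is what the advice to add "local" exceptions under a default "remote" route implies; the 172.20.2.128/25 local route is a constructed value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VALID_MODES = ("remote", "local", "none")


def parse_netmask(mask: str) -> int:
    """Return the prefix length for a netmask given either as dotted decimal
    (255.255.255.0) or in the handbook's /n form (/24); a bare 24 also works."""
    text = mask.strip().lstrip("/")
    if text.isdigit():
        bits = int(text)
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return bits
    # IPv4Network rejects non-contiguous masks such as 255.255.0.255
    return ipaddress.IPv4Network(f"0.0.0.0/{text}").prefixlen


@dataclass(frozen=True)
class TspRoute:
    destination: str
    netmask: str
    tsp_gateway: str  # far-end VPNA for "remote"; 0.0.0.0 for "none"/"local"
    mode: str         # "remote", "local" or "none"

    def __post_init__(self) -> None:
        if self.mode not in VALID_MODES:
            raise ValueError(f"unknown TSP Mode: {self.mode}")

    @property
    def network(self) -> ipaddress.IPv4Network:
        prefix = parse_netmask(self.netmask)
        return ipaddress.IPv4Network(f"{self.destination}/{prefix}", strict=False)


def tsp_decision(routes: List[TspRoute], src: str, dst: str) -> Tuple[str, str]:
    """Decide whether a TCP flow src -> dst is accelerated.

    Returns ("accelerate", <TSP Gateway>) or ("bypass", <reason>).
    A "none" route matches on source OR destination and always bypasses.
    Among "remote"/"local" routes the longest destination prefix wins
    (assumed; the handbook only states that "local" exceptions override a
    default "remote" route).
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in routes:
        if r.mode == "none" and (s in r.network or d in r.network):
            return ("bypass", f"none route {r.network}")
    best: Optional[TspRoute] = None
    for r in routes:
        if r.mode != "none" and d in r.network:
            if best is None or r.network.prefixlen > best.network.prefixlen:
                best = r
    if best is None:
        return ("bypass", "no TSP route")
    if best.mode == "local":
        return ("bypass", f"local route {best.network}")
    return ("accelerate", best.tsp_gateway)


# Constructed sample table for the Headquarters VPNA using the handbook's
# addresses: remote site 172.20.2.0/24 behind VPNA-100 172.20.2.2 and the
# IPSec device 172.20.2.1, plus a constructed "local" exception 172.20.2.128/25.
SAMPLE_ROUTES = [
    TspRoute("172.20.2.0", "255.255.255.0", "172.20.2.2", "remote"),
    TspRoute("172.20.2.1", "255.255.255.255", "0.0.0.0", "none"),
    TspRoute("172.20.2.128", "/25", "0.0.0.0", "local"),
]

if __name__ == "__main__":
    flows = [("172.30.2.50", "172.20.2.10"), ("172.30.2.50", "172.20.2.1"),
             ("172.20.2.1", "172.30.2.50"), ("172.30.2.50", "172.20.2.200"),
             ("172.30.2.50", "10.9.9.9")]
    for src, dst in flows:
        print(f"{src} -> {dst}: {tsp_decision(SAMPLE_ROUTES, src, dst)}")
```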

PRE-FETCH CONFIGURATION

If you are adding VPNAs to an existing Tachyon connection you are already familiar with the benefits of our patented pre-fetch technology. By configuring your web browsers to use the VPNA as your web proxy you will retain your improved performance for HTTP-based applications.

On each client machine configure the web browser (most likely Internet Explorer or Netscape) to use the VPNA-100 as its web proxy. Enter the IP address of the VPNA-100 and the port number of 3128. The CPE Handbook has example screens that describe how to modify the proxy settings for Internet Explorer and Netscape.

NOTE: If you want to access any local machines with web interfaces (such as the VPNA or the IPSec device) from a specific client then make sure to configure that client to exclude local addresses from using the proxy.

The AF5000 Series VPNA is the default HTTP Proxy Parent for VPNA-100 Prefetching HTTP Proxies. Therefore, the AF5000 Series VPNA needs to resolve URLs via one or more Domain Name System (DNS) servers. Configure the DNS server search from the Prefetch Configuration Menu. The DNS servers will be searched in the order in which you add them.


STATUS

This menu provides current status on the VPNA-100 including the Version number of the software.

LINK TEST

Follow these steps to verify your VPNA has been set up correctly. Do not proceed to the next step if the current test is not successful. This test assumes you have a client VPNA-100, which is being brought online with the AF5000 Series VPNA.


1. Ping the VPNA-100 and AF5000 Series VPNA from a client on your LAN. This should succeed if you have been using the LAN Ethernet port to configure the VPNA. If the ping does not work check that the LAN and WAN Ethernet ports are cabled up correctly and the interface's link lights are on. Verify that the IP address and Netmask are correct on both the client and VPNA.

2. From the same client on the LAN, ping the WAN Router (IPSec device) on the other side of the VPNA. This will test the VPNA's local routes. If this fails check the Routes page on the VPNA and make sure there is an entry for the local network(s). If pings from the client fail try a ping of the WAN Router from the VPNA. There is a link to the Ping Menu from the VPNA's Main Menu. If this fails reboot the VPNA and the WAN Router. It is possible that the ARP cache on these machines is incorrect.

3. From a client on the LAN that has access permission to a remote network behind a VPNA-100, do a ping of the VPNA-100 at a remote site. If the VPNA-100 at the remote site is in Route Mode, ping the WAN interface. If this fails make sure the Headquarters' VPNA has a route to the remote site. Also make sure your IPSec equipment is configured correctly. Since the IPSec equipment sits 'inside' the VPNAs, connectivity between IPSec devices on the WAN is not affected by the VPNAs.

4. From this client ping a machine on the remote network. If this fails it is possible that the VPNA-100 needs to be updated with the route information to reach the remote subnet.

TCP TEST

When commissioning a new AF5000 Series VPNA it is suggested that TCP acceleration be verified. The TCP Test conducts a TCP connection test directly between the AF5000 Series VPNA and the designated VPNA-100. This simplified test can help isolate IPSec, IP Route, and TSP Route problems.

Before performing the TCP Test use the Ping utility to verify basic IP connectivity between the AF5000 Series VPNA and the VPNA-100.

Once you have verified basic IP connectivity using Ping, go to the TCP Test menu.

The only entry in the TCP Test menu is the IP address of the VPNA-100 with which you wish to test TCP acceleration.


The following figure shows the TCP Test menu screen:

If the test fails, verify both machines have TCP acceleration enabled. You can find the TCP acceleration menu in the Services Menu, which is accessed from the Advanced Functions menu. If you find one or both of the machines have TCP acceleration disabled, enable TCP acceleration and retry the tests beginning with the Ping.

If the test still fails, review your exact steps and make sure the IP address you are using for the Ping and for the TCP Test are the same and are the IP address of the AF5000 Series VPNA.

If the test still fails contact your service provider.

SHUTDOWN

Use this menu to reboot or halt the VPNA before powering down.


ADVANCED TOPICS

The VPNA has several menus that you probably will not need to access for normal operation. To lessen security concerns, Telnet and SNMP are not permitted in the default configuration of the VPNA. If you have relocated a VPNA from another site be sure to review these menus to make sure the state of these protocols meets your security guidelines.

The menus for these features are located under the Advanced Functions link in the Main Menu. If you select Advanced Functions you will see the following menu.

SERVICES

By disabling certain types of access to the AF5000 Series VPNA, you can increase the security of your network. From this screen you can enable or disable telnet and http access. You can also disable or enable TSP acceleration.

If you disable both telnet and http access, the only way to access your AF5000 Series VPNA is by connecting to the serial port at the back of the AF5000 Series VPNA.


Generally, you will only need to disable TSP acceleration to aid in debugging the network. Both your remote VPNA-100 and the corporate AF5000 Series VPNA must have TSP acceleration disabled or enabled to pass traffic. Note that an alternate way of disabling TSP acceleration on the AF5000 Series VPNA is to change the TSP Route type from remote to none.

SNMP CONFIGURATION

From the SNMP menu you can enable LAN and/or WAN SNMP access, as well as add community strings.


INTERFACE ALIASES

Aliases provide additional integration and management flexibility. An alias adds an IP address to the VPNA's physical Ethernet port (LAN or WAN). IP addresses configured before adding an alias remain functional.

MTU CONFIGURATION

Some IPSec devices expand the size of TCP packets. If this is done and the VPNA MTU size is not large enough to fit the encrypted packet then the packet is fragmented. In some cases these fragmented packets will be rejected when received at the other end.

Setting the MTU size should be done carefully and with full knowledge of the IPSec equipment connected to the VPNA. Incorrect MTU size entries will adversely affect performance.

The default value for the MTU size is 1400 bytes.


RADIUS CONFIGURATION

This menu allows you to configure the VPNA to use one or more RADIUS authentication servers to control who has administration access to the VPNA. When RADIUS authentication is not enabled, the built-in username admin is the only username allowed access into the VPNA. The admin password can be changed on the Password Menu, which is reachable from the Main Menu. This is the default configuration when you receive your VPNA.

Once RADIUS authentication is enabled, remote access via telnet must authenticate against a username/password configured in a RADIUS server. Starting at the first server on the page and working down, each server is checked for authentication. Only if the server does not respond is the next server in the list checked. Therefore, users configured to access the VPNA should be configured identically in each RADIUS server.


Serial port access works like telnet access when RADIUS authentication is activated, with an additional check of the built-in username. This additional check allows you to still access the VPNA if your network connecting to the RADIUS authentication server(s) is down.

HTTP access never checks the RADIUS servers. It is therefore suggested that HTTP access be disabled after RADIUS authentication is enabled.

In order for RADIUS authentication to be enabled you must enter at least one RADIUS Server IP into the page. The Port is optional and may be left blank to reach the server at the default authentication port of 1812 and accounting port of 1813. If you specify a Port, p, then the accounting port will be p + 1. The Time field is the number of seconds to wait for a response from the server before moving on to the next server. The Key is the shared secret key that needs to be the same on the RADIUS server.

AUTO FAIL-OVER CONFIGURATION

This menu allows you to configure the VPNA to act as a backup for other 5000 Series VPNAs in your network.


Selecting the example link will bring up a new window with the following detailed description:


The Auto Fail-Over feature of the 5000 Series VPNA (VPNA 5000) allows multiple VPNA 5000s to provide backup capacity for each other. The following diagram shows a generic network with a Primary VPNA 5000 and a single Backup VPNA 5000. When the backup VPNA 5000 is properly configured, it will accelerate traffic not only for its own network, but for the primary VPNA 5000's network as well.

Network redundancy may be implemented using protocols such as RIP, EIGRP, OSPF, manual switch-over, etc. The implementation of network redundancy is irrelevant to the VPNA 5000 functionality, as long as symmetric routing is guaranteed.

1000 series VPNA accelerators (VPNA 1000) typically have a default TSP route to a VPNA 5000 acting as the TSP Gateway. When Auto Fail-Over is disabled, a VPNA 5000 will pass-through accelerated traffic, that has a TSP Gateway that is different from its own IP address. When Virtual IP Address mode is enabled a VPNA 5000 will accept accelerated traffic whose TSP Gateway matches its Virtual IP Address, and mark accelerated packets as being sourced from the Virtual IP Address.

When Network Address Translation (NAT) is enabled a VPNA 5000 will accept accelerated traffic when the pair of (source IP, TSP Gateway IP) matches an entry in the NAT Table. Also, the VPNA 5000 will mark accelerated packets to one of the NAT sources as originating from the TSP Gateway IP in the matched pair.

Auto Fail-Over may be configured to use a single Virtual IP Address, or a NAT Table containing source/destination IP address pairs. Both the Virtual IP Address and the NAT Table entries may be specified. However, only one mode may be Enabled at any given time. Virtual IP Address and NAT Table modes may both be Disabled at the same time.

A TSP route must be entered in the Basic Functions | Routes page for each VPNA 1000 for which this VPNA 5000 is serving as a backup gateway.

If a Virtual IP Address is specified, all traffic accelerated to the Virtual IP Address that is routed to the VPNA 5000 will be processed. To configure the Backup VPNA 5000 in the example diagram:

• In the Routes page, add a TSP route with a Destination of 172.20.2.0, and a TSP Gateway of 172.20.2.2

• Set the Virtual IP Address to 172.20.3.2

• Enable Virtual IP Address Mode

If the NAT Table is enabled, only traffic bound to/from the source/destination address entries will be processed (in addition to traffic normally targeted to this VPNA 5000.) In the NAT Table, the Source IP is the IP Address of a VPNA 1000 for which this VPNA 5000 is serving as a backup gateway. The Destination IP is the IP Address of a VPNA 5000 for which this VPNA 5000 is serving as a backup gateway. To configure the Backup VPNA 5000 in the example diagram:

• In the Routes page, add a TSP route with a Destination of 172.20.2.0, and a TSP Gateway of 172.20.2.2


• Add an entry in the NAT Table with a Source IP of 172.20.2.2, and a Destination IP of 172.20.3.2

• Enable NAT Table Mode
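The following is an added example, not code from the handbook or from Tachyon: it models the Auto Fail-Over acceptance and marking rules described above for the three states (disabled, Virtual IP Address mode, NAT Table mode) using the handbook's example addresses (VPNA 1000 at 172.20.2.2, primary VPNA 5000 at 172.20.3.2). The backup VPNA 5000's own address is not given in the handbook; 172.20.4.2 is a constructed value, and the TSP route that must also be added on the Routes page is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class AcceleratedPacket:
    src: str          # address of the sending VPNA 1000
    tsp_gateway: str  # TSP Gateway the sender was configured with


@dataclass
class Vpna5000:
    own_ip: str
    mode: str = "disabled"  # "disabled", "vip" or "nat" (only one may be enabled)
    virtual_ip: Optional[str] = None
    nat_table: Set[Tuple[str, str]] = field(default_factory=set)  # (Source IP, Destination IP)

    def __post_init__(self) -> None:
        if self.mode not in ("disabled", "vip", "nat"):
            raise ValueError(f"unknown Auto Fail-Over mode: {self.mode}")
        if self.mode == "vip" and not self.virtual_ip:
            raise ValueError("Virtual IP Address mode needs a Virtual IP Address")
        if self.mode == "nat" and not self.nat_table:
            raise ValueError("NAT Table mode needs at least one table entry")

    def inbound(self, pkt: AcceleratedPacket) -> str:
        """'process' if this VPNA 5000 terminates the accelerated traffic,
        'pass-through' if it is forwarded untouched toward the real gateway."""
        if pkt.tsp_gateway == self.own_ip:
            return "process"  # traffic normally targeted to this VPNA 5000
        if self.mode == "vip" and pkt.tsp_gateway == self.virtual_ip:
            return "process"
        if self.mode == "nat" and (pkt.src, pkt.tsp_gateway) in self.nat_table:
            return "process"
        return "pass-through"

    def outbound_source(self, dst: str) -> str:
        """Source address stamped on accelerated packets sent toward dst."""
        if self.mode == "vip" and self.virtual_ip:
            return self.virtual_ip  # accelerated packets appear to come from the VIP
        if self.mode == "nat":
            for source_ip, gateway_ip in self.nat_table:
                if source_ip == dst:
                    return gateway_ip  # matched pair: appear as the primary gateway
        return self.own_ip


# Handbook example addresses; BACKUP_IP is a constructed value.
PRIMARY_IP, VPNA1000_IP, BACKUP_IP = "172.20.3.2", "172.20.2.2", "172.20.4.2"
# Constructed packet: the VPNA 1000 still sends to its usual TSP Gateway, but
# network redundancy has routed it to the backup VPNA 5000.
FAILED_OVER = AcceleratedPacket(src=VPNA1000_IP, tsp_gateway=PRIMARY_IP)


def backup(mode: str) -> Vpna5000:
    """Backup VPNA 5000 configured as in the handbook's two walkthroughs."""
    if mode == "vip":
        return Vpna5000(BACKUP_IP, "vip", virtual_ip=PRIMARY_IP)
    if mode == "nat":
        return Vpna5000(BACKUP_IP, "nat", nat_table={(VPNA1000_IP, PRIMARY_IP)})
    return Vpna5000(BACKUP_IP)


if __name__ == "__main__":
    for mode in ("disabled", "vip", "nat"):
        unit = backup(mode)
        print(mode, unit.inbound(FAILED_OVER), unit.outbound_source(VPNA1000_IP))
```

Whichever mode is used, the rules only hold while routing stays symmetric, as the handbook notes; a reply path that bypasses the backup is not detected by this check.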

LOAD CONFIGURATION

This menu allows the current operating configuration to be loaded from the computer that is being used to configure the AF5000 Series VPNA. You are prompted to locate the configuration file you want to load.

NOTE: When you commit the change all operating parameters will be replaced with the ones in the configuration file. You may want to save your current configuration to a temporary file before loading a new configuration.


SAVE CONFIGURATION

This menu allows the current operating configuration to be stored to the computer that is being used to configure the AF5000 Series VPNA. You are prompted to enter a file name (which will be appended with a .conf extension) and select a location to save the configuration file.


TROUBLESHOOTING

IPSec networks are often difficult to troubleshoot because end-to-end encryption prevents visibility between the ends.

This section identifies key problems and suggests methods for identifying the source of the problems. In some cases, network security policy may disqualify the proposed method.

For problems that are not corrected by the troubleshooting techniques described in this section, contact the Service Provider for technical support.

This section includes:

• Troubleshooting procedures for partial connectivity.

• Troubleshooting procedures for interrupted connectivity.

• Troubleshooting procedures for degraded performance.

Before performing any of the troubleshooting procedures in this chapter, it is important to read Chapter 2 - VPNA Safety Information. Follow all safety procedures when performing any troubleshooting operations.



PING WORKS BUT TCP/IP FAILS

It is sometimes the case that using ping to check connectivity between two sites will succeed, but a TCP connection between the same two sites will fail. This symptom usually indicates that TSP acceleration routing is incorrect. But it may also indicate an error in IP routing for the VPNAs that are in Bridge Mode, or that one of the VPNAs has TSP acceleration disabled. When the VPNA intercepts TCP packets, it originates accelerated IP packets to move the TCP data. The VPNA's IP routes are used to determine where to send these accelerated IP packets.

1 Verify that both VPNAs have TSP acceleration enabled.

Go to the service menu on each VPNA and verify that TSP acceleration is marked as enabled.

2 Verify that the CPE-side VPNA has a TSP acceleration route marked as remote to the Headquarters-side VPNA address.

If the Headquarters VPNA is in Route Mode, use the Headquarters-side VPNA's WAN address.

3 Verify that the Headquarters-side VPNA has a TSP acceleration route marked as remote to the CPE-side VPNA address.

If the CPE-side VPNA is in Route Mode, use the CPE-side VPNA's WAN address.

4 Verify IP routes for CPE-side VPNAs in Bridge Mode.

IP routing is not used in Bridge Mode when a packet can simply be bridged. Since ping packets are simply bridged, an error in IP routing will not be revealed by ping. However, TSP acceleration does not simply bridge packets, so IP routes must be correct.
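The four checks above, written as an added configuration checker that is not part of the handbook or of Tachyon's software. It takes a simplified description of each VPNA (mode, addresses, TSP enable flag, TSP and IP routes) and reports which step fails; the VPNA-100 is modelled the same way as the AF5000. It goes slightly beyond step 4 by checking IP routes on both sides in Bridge Mode, since the introduction says the error can be on any VPNA in Bridge Mode. The sample configurations use the handbook's example addresses (Headquarters VPNA 172.30.2.2, VPNA-100 172.20.2.2, IPSec devices 172.30.2.1 and 172.20.2.1, gateway 172.30.2.101); the WAN address 172.30.1.2 used for the Route Mode case is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class VpnaConfig:
    name: str
    mode: str                     # "bridge" or "route"
    lan_ip: str
    wan_ip: Optional[str] = None  # Route Mode only
    tsp_enabled: bool = True
    # TSP routes as (destination, netmask, TSP gateway, TSP mode)
    tsp_routes: List[Tuple[str, str, str, str]] = field(default_factory=list)
    # IP routes as (destination, netmask, gateway)
    ip_routes: List[Tuple[str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("bridge", "route"):
            raise ValueError(f"unknown mode: {self.mode}")
        if self.mode == "route" and not self.wan_ip:
            raise ValueError("Route Mode requires a WAN IP Address")

    @property
    def tsp_address(self) -> str:
        """Address the far side must use as TSP Gateway: the WAN address in
        Route Mode (steps 2 and 3), otherwise the LAN address."""
        return self.wan_ip if self.mode == "route" and self.wan_ip else self.lan_ip


def _has_remote_tsp_route(cfg: VpnaConfig, gateway: str) -> bool:
    return any(mode == "remote" and gw == gateway for _, _, gw, mode in cfg.tsp_routes)


def _ip_route_covers(cfg: VpnaConfig, address: str) -> bool:
    target = ipaddress.IPv4Address(address)
    return any(target in ipaddress.IPv4Network(f"{dst}/{mask}", strict=False)
               for dst, mask, _ in cfg.ip_routes)


def diagnose_ping_ok_tcp_fails(cpe: VpnaConfig, hq: VpnaConfig) -> List[str]:
    """Return the failing steps (empty list = all four checks pass)."""
    findings: List[str] = []
    for side in (cpe, hq):                                   # step 1
        if not side.tsp_enabled:
            findings.append(f"step 1: {side.name} has TSP acceleration disabled")
    if not _has_remote_tsp_route(cpe, hq.tsp_address):       # step 2
        findings.append(f"step 2: {cpe.name} has no remote TSP route to {hq.tsp_address}")
    if not _has_remote_tsp_route(hq, cpe.tsp_address):       # step 3
        findings.append(f"step 3: {hq.name} has no remote TSP route to {cpe.tsp_address}")
    # step 4: ping is bridged, but accelerated packets are routed, so a Bridge
    # Mode VPNA needs an IP route (a default route counts) covering its peer.
    for side, peer in ((cpe, hq), (hq, cpe)):
        if side.mode == "bridge" and not _ip_route_covers(side, peer.tsp_address):
            findings.append(f"step 4: {side.name} in Bridge Mode has no IP route covering {peer.tsp_address}")
    return findings


# Constructed sample pair built from the handbook's example addresses.
CPE = VpnaConfig("remote VPNA-100", "bridge", lan_ip="172.20.2.2",
                 tsp_routes=[("172.30.2.0", "255.255.255.0", "172.30.2.2", "remote")],
                 ip_routes=[("0.0.0.0", "0.0.0.0", "172.20.2.1")])
HQ = VpnaConfig("HQ AF5000", "bridge", lan_ip="172.30.2.2",
                tsp_routes=[("172.20.2.0", "255.255.255.0", "172.20.2.2", "remote"),
                            ("172.20.2.1", "255.255.255.255", "0.0.0.0", "none")],
                ip_routes=[("0.0.0.0", "0.0.0.0", "172.30.2.101"),
                           ("172.20.2.0", "255.255.255.0", "172.30.2.1")])

if __name__ == "__main__":
    print(diagnose_ping_ok_tcp_fails(CPE, HQ) or "all four checks pass")
```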


LOSS OF WAN COMMUNICATION

Follow the systematic troubleshooting procedure described here if there is no communication between a remote site and Headquarters.

1 Verify that the power to the Tachyon VPNA is on - the green LED on the front panel is lit.

If the Power indicator is not lit, check that the power cord is securely connected to the Tachyon VPNA and to the AC power source. If the power is connected, and the Power LED is not lit, follow the troubleshooting procedure in this section for Loss of Power to the Tachyon Network Server.

If the Power indicator is lit, proceed to the next step.

2 Verify Link Integrity - the Link LEDs on the Network Interface Cards (NIC) at the rear of the VPNA are lit. Both the WAN and LAN ports should be lit.

If the Link indicator is not lit check that the cable is properly seated and make sure the device on the other end is powered up.

If the Link indicator is lit, proceed to the next step.

3 Verify the connection between your Workstation and the VPNA device

Using the Ping utility on your workstation, ping the VPNA device. If the VPNA does not respond:

1. Go to the VPNA configuration menus and check the "status"

menu for error messages.

• If you cannot reach the VPNA configuration menus either by

the Ethernet address or the serial port then reboot the VPNA manually by cycling

power to the unit.

2. If the configuration looks correct and there are no error messages

Page 58: 638-STAC Manual 1405a

58

TACHYON VPNA HANDBOOK

to act on, reboot the unit from the

Shutdown menu. It will take a few minutes for the unit to reboot.

3. If you are still unable to unable to

access the VPNA unit via the Ethernet port or serial port after a power cycle then contact your

service provider for assistance.

4 Verify the connection between your Workstation and the IPSec device

Using the Ping utility on your workstation, ping the IPSec device. If the IPSec device does not respond:

1. Make sure the IPSec device is power up.

2. Check the Link light on the VPNA again. If it is out make sure the cables are seated properly. You

may want to change cables.

3. Refer to the documentation for the IPSec device for troubleshooting ideas.

Reboot the IPSec device and try again.

If you cannot ping the IPSec device you may have a faulty device.

5 Verify the CPE is up and

connected to the Tachyon network.

In order to perform this step you will

need direct access to the CPE bypassing the IPSec device. If this is not possible the skip this step. Note:

when connecting directly to the CPE with PC or workstation use a

crossover cable.

If direct access to the CPE is possible follow the Internet Connectivity procedures in the Troubleshooting

section of the CPE Handbook.


6 Verify the IPSec devices are functioning properly.
Refer to the User Manual for your IPSec devices for diagnostic utilities.

7 If there is still no connectivity after verifying the above items, contact your Service Provider for technical support.
The ISP providing Tachyon service will provide technical support for CPE connectivity issues.

LOSS OF WAN PERFORMANCE

1 Verify clear text performance.
If your network allows IP packets destined for the public Internet to pass the IPSec device without encryption, test the link against a few well-known sites. Try to download a few files from our demo web server at 63.103.96.229. If performance is not close to your Tachyon service level, point your web browser to the CPE and access its Web Admin page. View the Faults page and look for any errors. If errors are found, reboot the CPE and try again. If the errors persist, contact your service provider.


TECHNICAL SPECIFICATIONS

This section provides detailed technical specifications for the Tachyon VPNA device.

This section includes:

• Specifications for the VPNA.

Tachyon AF5000 Series VPNA Specifications

System Specifications

Nominal support for up to 500 VPNA-100s

Rear Panel Port Specifications

WAN Interface       Ethernet, 10/100 BaseTX, RJ-45, full duplex operation
LAN Interface       Ethernet, 10/100 BaseTX, RJ-45, full duplex operation
Serial Interface    RS-232, 9-pin male, DCE

Ethernet Port Pinout:


RJ-45 Pin#    Signal Name    Pin Description
1             TD+            Transmit Data
2             TD-            Transmit Data
3             RD+            Receive Data
4             N/C            No connect
5             N/C            No connect
6             RD-            Receive Data
7             N/C            No connect
8             N/C            No connect

Environmental Specifications

Temperature         10 to +35 °C ambient air temperature (operating)
Warm-up             ≤ 15 minutes
Humidity            5 to 95% non-condensing

Mechanical Specifications

Size                8.4 cm (h) x 42.5 cm (w) x 66.7 cm (d)
Weight              22.6 kg (50 lbs.)
Shipping Weight     24.9 kg (55 lbs.)


Power Specifications

Input Voltage       Switch selectable voltage range: 110/220 Volts
Frequency           50/60 Hz
Power               330 Watts


INDEX

Advanced Topics, 47
Aliases, 48
Bridge Mode, 19, 21, 30
Configuration
    Load, 51
    Save, 51
    CPE, 17
    IPSec, 18
    WAN Router, 33
Login, 27
Main Menu, 29
MTU Configuration, 49
Password, 27
    Forgotten, 27
Prefetch, 43
    Local Machines, 43
Quick Start, 25
Restore Default Configuration, 29
Route Mode, 37
Safety, 8
Serial Port, 27
Setup Wizard, 29
SNMP, 48
Software Version Number, 44
Specifications
    Environmental, 58
    Mechanical, 58
    Power, 59
    Rear Panel, 57
SSL, 18
Status, 44
Tachyon Access Point, 17
Tachyon Satellite Gateway, 16
Tachyon, Inc., 15
TCP Test, 45
TCP/IP, 17
Technical Support, 6
Theory of Operation, 15
Topologies
    Multiple Remote Sites with Multiple Headquarters, 22
    Multiple Remote Sites with Single Headquarters, 22
    Single Remote Site, 20
Version Number, 44
Warranty, 5