3com OfficeConnect 3C855 Setting Up

Setting up VPNs with the
OfficeConnect Cable/DSL Gateway (3C855) and
OfficeConnect Wireless Cable/DSL Gateway
(3CRWE51196)
1 Introduction
The OfficeConnect Cable/DSL Gateway and OfficeConnect Wireless Cable/DSL
Gateway do not provide any Virtual Private Network (VPN) initiation or termination
functionality. However, they do have a “pass-through” feature, which allows certain
types of VPN traffic through. Table 1 below shows a summary of the VPN traffic
types that the Gateway can pass.
Note that different conditions will apply depending on whether the VPN was initiated
from the LAN (Intranet) side of your Gateway, or whether it was initiated from the
Internet side. From here on, a direction of “From the LAN to the Internet” refers to a
VPN connection initiated from your LAN. “From the Internet to the LAN” refers to a
VPN connection initiated from the Internet.
Table 1 - A Summary of the VPN traffic types supported by the OfficeConnect Cable/DSL
Gateway and OfficeConnect Wireless Cable/DSL Gateway
VPN Type            | Direction: From the LAN to the Internet | Direction: From the Internet to the LAN
IPSec               | see section 2.1                         | see section 2.2
PPTP                | see section 3.1                         | see section 3.2
L2TP (Windows 2000) | see section 4.1                         | see section 4.2
The configuration notes that follow all assume that the Gateway is correctly
configured for Internet access.
2 IPSec
2.1 From the LAN to the Internet
In this case, the Gateway will be transparent to the VPN traffic. You need make no
changes to the settings on your Gateway, provided you have not explicitly blocked the
PC initiating the VPN connection from accessing any services on the Internet via the
“PC Privileges” page in the GUI.
3Com recommends that the PC initiating the VPN connection has no restrictions
imposed on it.
As the Gateway will appear transparent, you can set up your VPN client in the normal
manner, as will be described in the user guide for your VPN client.
Note that only one IPSec VPN connection can be supported by the Gateway at a time.
2.2 From the Internet to the LAN
At present, it is not possible to set up an IPSec VPN server on your LAN, and have
users access it from the Internet.
If this configuration is attempted with the “Virtual DMZ” feature of the Gateway, it
may be noticed that the VPN client manages to negotiate a tunnel, but that no traffic
can be passed. This is because the protocols used to negotiate the VPN tunnel are
different to those used for data transmission. It is not currently possible to configure
the Gateway to pass the secure traffic from the Internet to the LAN.
3 PPTP
3.1 From the LAN to the Internet
In this case, the Gateway will be transparent to the VPN traffic. You need make no
changes to the settings on your Gateway, provided you have not explicitly blocked the
PC initiating the VPN connection from accessing any services on the Internet via the
“PC Privileges” page in the GUI.
3Com recommends that the PC initiating the VPN connection has no restrictions
imposed on it.
As the Gateway will appear transparent, you can set up your VPN client in the normal
manner, as will be described in the user guide for your VPN client.
3.2 From the Internet to the LAN
It is also possible to set up a PPTP VPN Server on the LAN side of your Gateway, for
remote users on the Internet to access. In this case, the firewall and Network Address
Translation (NAT) features of your Gateway mean that it will not appear transparent
to the VPN traffic.
On the Gateway, it will be necessary to allow the VPN traffic through from the
Internet. This can be done by setting up a Virtual Server to allow traffic on port 1723
to the PPTP server on the LAN.
Note that setting up the Virtual DMZ feature to direct all inbound traffic to the PPTP
server will also work, although this will be less secure than a Virtual Server.
In addition to setting up a Virtual Server or DMZ, 3Com recommends that the PC
Privileges feature of the Gateway should be configured so that the PPTP server has no
restrictions imposed on it.
As the Gateway always performs Network Address Translation, it will not be possible
to see the IP address of the VPN server from the Internet. Thus, if the VPN client is
told to use the actual IP address of the PPTP server, the connection attempt will fail.
The Virtual Server and DMZ features of the Gateway route traffic sent to the Internet
IP address of the Gateway to the appropriate PC on the LAN. As a result, the PPTP
client must be configured with the Gateway Internet IP address. If your ISP provided
you with a static IP address, this will be the address that they assigned to you. If,
however, they provide your Internet Settings automatically, you will need to look up
your IP address on the “Status” page in the Web management interface.
Note that if your settings are provided automatically, your Internet IP address may
change from time to time. Your ISP will set the frequency of this change.
Also note that if you use PPPoE to connect to the Internet, the “Connection Timeout”
should be set to “forever”. If your connection times out, it will only be possible to
reconnect from the LAN side of the Gateway, and so all VPN connection attempts
will fail.
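One way to confirm from an Internet-side host that the Virtual Server on port 1723 reaches the PPTP server, given here as an added example that is not part of the 3Com document: it connects to the Gateway Internet IP address and performs the PPTP Start-Control-Connection exchange defined in RFC 2637. It exercises only the control connection on port 1723; PPTP carries tunnelled data in GRE (IP protocol 47), which this check does not test. The host name `vs-check` and the sample reply are constructed for illustration.

```python
import socket
import struct

PPTP_PORT = 1723             # port named in section 3.2
MAGIC = 0x1A2B3C4D           # PPTP magic cookie (RFC 2637)
SCCRQ, SCCRP = 1, 2          # Start-Control-Connection-Request / -Reply
FMT = "!HHIHHHBBIIHH64s64s"  # request and reply share this 156-byte layout


def build_sccrq(host=b"vs-check"):
    """Build a Start-Control-Connection-Request (host name is hypothetical)."""
    # length, msg type 1 (control), cookie, SCCRQ, reserved, version 1.0,
    # reserved x2, framing caps, bearer caps, max channels, firmware, names
    return struct.pack(FMT, 156, 1, MAGIC, SCCRQ, 0, 0x0100, 0, 0,
                       3, 3, 0, 0, host, b"")


def parse_sccrp(data):
    """Return the reply fields, or raise ValueError if it is not a PPTP reply."""
    if len(data) < 156:
        raise ValueError("short reply: %d bytes" % len(data))
    (_length, mtype, magic, ctype, _r0, version, result, error,
     _framing, _bearer, _chans, _fw, host, vendor) = struct.unpack(FMT, data[:156])
    if magic != MAGIC or mtype != 1 or ctype != SCCRP:
        raise ValueError("not a Start-Control-Connection-Reply")
    return {"version": version, "result": result, "error": error,
            "ok": result == 1,  # result code 1 = channel established
            "host": host.rstrip(b"\0").decode("latin-1"),
            "vendor": vendor.rstrip(b"\0").decode("latin-1")}


def check_virtual_server(gateway_ip, timeout=5.0):
    """Connect to the Gateway Internet IP and attempt the PPTP handshake."""
    with socket.create_connection((gateway_ip, PPTP_PORT), timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < 156:
            chunk = s.recv(156 - len(buf))
            if not chunk:       # peer closed before a full reply arrived
                break
            buf += chunk
    return parse_sccrp(buf)


# Constructed sample reply (not captured from a real server), for offline use.
SAMPLE_REPLY = struct.pack(FMT, 156, 1, MAGIC, SCCRP, 0, 0x0100, 1, 0,
                           3, 3, 0, 0, b"pptp-server", b"example")
```

Run `check_virtual_server()` with the address shown on the Gateway "Status" page; a connection timeout or refusal means the Virtual Server entry or the PPTP server is not reachable, while a `ValueError` means something other than a PPTP server answered on the port.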
4 L2TP (Windows 2000)
4.1 From the LAN to the Internet
Microsoft Windows 2000 includes support for both PPTP and L2TP VPNs. The
L2TP VPN implementation in Windows 2000 is not compatible with devices that
perform Network Address Translation, and hence L2TP VPNs are not supported by
the Gateway in either direction.
Further information can be found in the Microsoft Windows 2000 Server Resource
Kit “Internetworking Guide”, chapter 9. This can be found on the Web at:
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/intwork/inbe_vpn_lhzc.asp
4.2 From the Internet to the LAN
See section 4.1
3Com Corporation, Corporate Headquarters, 5400 Bayfront Plaza, Santa Clara, CA 95052-8145
To learn more about 3Com solutions, visit www.3com.com. 3Com Corporation is publicly traded on Nasdaq under the
symbol COMS.
The information contained in this document represents the current view of 3Com Corporation on the issues discussed as
of the date of publication. Because 3Com must respond to changing market conditions, this paper should not be
interpreted to be a commitment on the part of 3Com, and 3Com cannot guarantee the accuracy of any information
presented after the date of publication. This document is for informational purposes only; 3Com makes no warranties,
express or implied, in this document.
Copyright © 2001 3Com Corporation. All rights reserved. 3Com is a registered trademark and the 3Com logo is a
trademark of 3Com Corporation
DMA5119-6CAA01