LANCOM 7011 VPN – LANCOM 8011 VPN
Preface
Thank you for placing your trust in this LANCOM product.
The top models of the LANCOM VPN series serve as extremely powerful Dynamic VPN gateways for medium-sized and large locations.
Due to the Fast Ethernet uplink, LANCOM devices are ideal partners for all connection variants.
Integrated LANCOM High Security Firewall
With 200 up to 1000 VPN channels, the LANCOM VPN series offers enough capacity for high-bandwidth couplings (LANCOM 8011 VPN with hardware accelerator).
With the IPSec extension LANCOM Dynamic VPN, branch offices with dynamic IP addresses (standard broadband connection) can be connected at any time, even if the receiving station is not online.
DMZ ports and separate Internet address ranges (without NAT) support the operation of your own web servers.
The IP Quality of Service functions provide dynamic bandwidth management, in particular for Voice over IP telephone systems, for critical applications or for certain user groups.
Thanks to N:N IP address mapping, existing networks can also be integrated seamlessly into VPNs.
The supplied management tools LANconfig and LANmonitor support complete real-time monitoring as well as convenient remote maintenance of the branch offices.
Further highlights are the extensive Firewall features, for example Stateful Inspection, Intrusion Detection and protection from Denial-of-Service attacks.
Regular free software updates of the LANCOM operating system LCOS are available at any time.
Security settings
For carefree use of your device, we recommend carrying out all security settings (e.g. Firewall, encryption, access protection, charge lock) that are not already activated at the time of purchase of your device. The LANconfig wizard ’Check Security Settings’ will support you in accomplishing this. Further information regarding this topic can be found in chapter ’Security settings’ page 61.
We also ask you to keep yourself informed about technical developments and current notes on your product on our website www.lancom.de, and to download new software versions if necessary.
User manual and reference manual
The documentation of your device consists of two parts: the user manual and
the reference manual.
You are now reading the user manual. It contains all information you need to start your LANCOM VPN. It also contains the most important technical specification for the device.
The reference manual can be found on the CD as an Acrobat (PDF) document. It is designed as a supplement to the user manual and goes into detail on topics that apply to a variety of devices. These include for example:
Systems design of the LCOS operating system
Configuration
Management
Diagnosis
Security
Routing and WAN functions
Firewall
Quality of Service (QoS)
Virtual Private Networks (VPN)
Virtual Local Networks (VLAN)
Wireless networks (WLAN)
LANCAPI
Further server services (DHCP, DNS, charge management)
Model variants
This user manual applies to the following models of the LANCOM VPN series:
LANCOM 7011 VPN
LANCOM 8011 VPN
Model restriction
The sections of the documentation that refer only to a range of models are marked either in the corresponding text itself or with appropriate comments placed beside the text.
In the other parts of the documentation, all described models have been classified under the general term LANCOM VPN.
This documentation was compiled by several members of our staff from a variety of departments in order to ensure you the best possible support when using your LANCOM product.
In case you encounter any errors, or just want to offer criticism or suggest enhancements, please do not hesitate to send an email directly to:
info@lancom.de
Our online services (www.lancom.de) are available to you around the clock should you have any queries regarding the topics discussed in this manual or require any further support. In addition, support from LANCOM Systems is also available to you. Telephone numbers and contact information for LANCOM Systems support can be found on a separate insert, or at the LANCOM Systems website.
Notes symbols
Very important instructions. If not followed, damage may result.
Important instruction that should be followed.
Additional instructions which can be helpful, but are not
required.
Contents
1 Introduction
1.1 Which use does VPN offer?
1.2 Firewall
1.3 What does a router do?
1.3.1 Bridgehead to the WAN
1.3.2 Areas of deployment for routers
1.4 What can your LANCOM VPN do?
2 Installation
2.1 Package contents
2.2 System preconditions
2.3 Introducing LANCOM VPN
2.3.1 Status displays
2.3.2 The back of the unit
2.4 Hardware installation
2.5 Software installation
2.5.1 Starting LANCOM setup
2.5.2 Which software should you install?
3 Basic configuration
3.1 Which information is necessary?
3.1.1 TCP/IP settings
3.1.2 Configuration protection
3.1.3 Settings for the WAN connection
3.1.4 Settings for the ISDN connection
3.1.5 Connect charge protection
3.2 Instructions for LANconfig
3.3 Instructions for WEBconfig
4 Setting up Internet access
4.1 Instructions for LANconfig
4.2 Instructions for WEBconfig
5 Linking two networks
5.1 What information is necessary?
5.1.1 General information
5.1.2 Settings for the TCP/IP router
5.1.3 Settings for the IPX router
5.1.4 Settings for NetBIOS routing
5.2 Instructions for LANconfig
5.3 Instructions for WEBconfig
6 Providing dial-up access
6.1 Which information is required?
6.1.1 General information
6.1.2 Settings for TCP/IP
6.1.3 Settings for IPX
6.1.4 Settings for NetBIOS routing
6.2 Settings for the dial-in computer
6.2.1 Dial-up via VPN
6.2.2 Dial-up via ISDN
6.3 Instructions for LANconfig
6.4 Instructions for WEBconfig
7 Sending faxes with LANCAPI
7.1 Installation of the LANCOM CAPI fax modem
7.2 Installation of the MS Windows fax service
7.3 Sending a fax
7.3.1 Send a fax with any given office application
7.3.2 Send a fax with the MS Windows fax service
8 Security settings
8.1 The security settings wizard
8.1.1 Wizard for LANconfig
8.1.2 Wizard for WEBconfig
8.2 The firewall wizard
8.2.1 Wizard for LANconfig
8.2.2 Configuration under WEBconfig
8.3 The security checklist
9 Troubleshooting
9.1 No WAN connection is established
9.2 DSL data transfer is slow
9.3 Unwanted connections under Windows XP
9.4 Cable testing
10 Appendix
10.1 Performance data and specifications
10.2 Contact assignment
10.2.1 DSL interface
10.2.2 ISDN-S0 interface
10.2.3 Ethernet interfaces 10/100Base-T
10.2.4 Configuration interface (Outband)
10.3 CE declaration of conformity
11 Index
1 Introduction
The models of the LANCOM VPN series operate as powerful Dynamic VPN
gateways with 200, 500 or 1000 VPN channels for remote sites or mobile
users.
Due to the Fast Ethernet uplink, the devices are the ideal partner for almost all WAN connection variants. The integrated multi-protocol router and the integrated firewall enable secure Internet access for the local network. The ISDN interface is mainly used to establish Dynamic VPN connections to remote sites with dynamic IP addresses.
1.1 Which use does VPN offer?
A VPN (Virtual Private Network) can be used to set up cost-effective, public
IP networks, for example via the ultimate network: the Internet.
The models LANCOM 7011 VPN and LANCOM 8011 VPN are
equipped with 200 VPN channels by default. With the additional
LANCOM VPN Option the LANCOM 8011 VPN can be upgraded to
500 or 1000 channels.
While this may sound unspectacular at first, in practice it has profound effects.
To illustrate this, let's first look at a typical corporate network without VPN
technology. In the second step, we will see how this network can be optimized
by the deployment of VPN.
Denial-of-Service Protection
Attacks from the Internet can be break-in attempts as well as attacks with
the aim of blocking the accessibility and functionality of individual
services. Therefore a LANCOM Wireless DSL is equipped with appropriate
protective mechanisms, which recognize well-known hacker attacks and
which guarantee the functionality.
Quality-of-Service / Traffic management
The generic term Quality-of-Service (QoS for short) summarizes the functions of the LANCOM which guarantee certain service qualities. The advantage is that the QoS functions can make use of the existing powerful classification methods of the Firewall (e.g. limitation of subnetworks, single workstations or certain services).
Guaranteed minimum bandwidths give priority to enterprise-critical applications, VoIP PBX installations or certain user groups.
More details about the function of the Stateful Inspection Firewall of your LANCOM VPN can be found in the reference manual on the LANCOM CD.
1.3 What does a router do?
The following sections describe the functionality of routers in general.
The functions supported by your device are listed in the table ’What
can your LANCOM VPN do?’ page 15.
Routers connect LANs at different locations and individual PCs to form a Wide
Area Network (WAN). With the appropriate rights, any computer in this WAN
can access other computers and services of the complete WAN (as with 'PC 1'
accessing 'Server A' in the remote LAN in the diagram).
[Figure: PC 1 in LAN 1 and server A in LAN 2, each LAN behind a router, linked by a WAN connection]
Connecting a LAN to the Internet does not technically differ from coupling
two LANs. The only difference is that it is not just a handful of computers
behind the Internet provider's router. Instead, it is the net of the networks -
the public Internet.
1.3.1 Bridgehead to the WAN
All routers have at least two connections:
at least one for the LAN
at least one for WAN connections
In addition to LAN connectivity (10/100 Mbps Ethernet), several models also offer an integrated switch. For the connection to the WAN, the routers use ISDN, xDSL/cable or ADSL connectors. Several devices additionally contain a wireless network card and can thus also integrate stations of WLANs (Wireless LANs) into the routing.
The router's task is to transfer data from the local network to the target network via a suitable WAN connection. Data is also transferred from the WAN to the desired recipients in the LAN.
1.3.2 Areas of deployment for routers
Routers are mainly used for the following applications:
Internet access for a LAN (e.g. via DSL or ISDN)
The Internet consists of countless large and small networks that are interconnected into the world's largest WAN via routers. The router links all the workstation computers on your local area network to the global Internet. Security functions such as IP masquerading protect your LAN against unauthorized access from outside.
LAN to LAN coupling (via VPN or ISDN)
LAN to LAN coupling links individual LANs to form one large network, even if this means crossing continents. A typical example: A branch office is to be connected to the LAN of the headquarters. In principle, you can connect LANs in two ways:
Not possible with all LANCOM devices.
High-speed coupling via VPN
The fastest and most economical LAN to LAN links are possible with VPN (Virtual Private Network) technology, as VPN uses the Internet as the basis for its communications. The fast xDSL connection of the router comes into its own here. The precondition: a VPN gateway with access to the Internet is required on either side of the network interconnection.
Conventional via ISDN
Without VPN, a LAN to LAN interconnection can alternatively be realized via ISDN. In this case, intelligent line management and sophisticated filter mechanisms keep connection costs low.
Remote access to the company network (via VPN or ISDN)
The work of many office workers in modern organizations is less and less
dependent on any definite location—the most important factor here is
unimpaired access to shared and freely available information.
Remote Access Service (RAS) is the magic word here. Employees working
from home or field staff can dial into the company network via VPN or
ISDN. When working with remote access via ISDN, the router protects the
company network: the call back function only grants access to known and
registered users.
1.4 What can your LANCOM VPN do?
The following table contains a direct comparison of the properties and functions of your devices with other models:
VPN gateways
VPN tunnel via the Internet
LANCOM 7011 VPN
LANCOM 8011 VPN
Application
LAN to LAN coupling via VPN
RAS server (via VPN)
Internet access
IP router
IPX router (via ISDN), e.g. for coupling of Novell networks or dialling into Novell networks
green, inverse flashing: Establishing further connection (only if B channel 1 and B channel 2 share display)
green, constantly on: Connection established via B channel
green, flickering: Data traffic (send or receive)
LAN link (only LANCOM 7011 VPN)
Connecting status of the LAN interface:
off: No network device connected
green, constantly on: Connection to network device operational, no data traffic
LAN data (only LANCOM 7011 VPN)
Data traffic on the LAN interface:
off: No data traffic
green, flickering: Data traffic
red, flickering: Collision of packets
DMZ link (only LANCOM 7011 VPN)
Connecting status of the DMZ interface:
off: No network device connected
green, constantly on: Connection to network device, no data traffic
DMZ data (only LANCOM 7011 VPN)
Data traffic on the DMZ interface:
off: No data traffic
green, flickering: Data traffic
red, flickering: Collision of packets
ETH 1 to ETH 4 (only LANCOM 8011 VPN)
Connection status and data traffic of the four LAN ports with integrated switch:
off: No network device connected
green, constantly on: Connection to network device, no data traffic
green, flickering: Data traffic
red, flickering: Collision of packets
VPN
VPN connection status:
off: No VPN channel established
green, blinking: Connection established
green, flashing: First connection
green, inverse flashing: Further connections
green, constantly on: VPN channel is established
Security
Status of the Firewall. Shows the state of security settings and blocked attacks on the secured network.
green, constantly on: Security settings are okay. Rules for filtering packets are established
red/green, blinking: Insecure configuration
red, flickering: Security alarm: filtering packets with Firewall rules
COM (only LANCOM 8011 VPN)
Connection status of the serial configuration port:
off: No session logged in
green, constantly on: Serial configuration session logged in
green, flickering: Data transmission on serial configuration session
LCD display (only LANCOM 8011 VPN)
The LCD display of the LANCOM 8011 VPN shows the following information in two lines with 16 characters in revolving alternation:
Device name
Firmware version
Temperature
Date and time
CPU usage
Memory usage
Number of VPN channels
Data transfer downstream
Data transfer upstream
2.3.2 The back of the unit
LANCOM 7011 VPN
The connections and switches of the LANCOM 7011 VPN are located on the
back panel:
Voltage switch
Connection for the included power adapter
Reset switch
LAN port as 10/100Base-Tx
DMZ port
Serial configuration port
ISDN/S0 port
WAN port
LANCOM 8011 VPN
On the LANCOM 8011 VPN ports and switches of the router are placed on the
front and back:
The following ports can be found on the front side:
Four 10/100Base Tx ports for local networks
WAN port
ISDN/S0 port
Serial configuration interface
[Figure: front panel of the LANCOM 8011 VPN with the ports WAN, ISDN, COM and ETH4, ETH3, ETH2, ETH1]
Reset switch
The following ports can be found on the back:
Voltage Switch
Port for power cable
2.4 Hardware installation
The installation of the LANCOM VPN base station takes place in the following
steps:
Only LANCOM 8011 VPN
Mounting – If desired, mount the device into a free slot of a 19” rack.
LAN – Connect the LANCOM VPN to your LAN or to an individual PC. For that purpose, plug the included network cable (green plugs) into the LAN connector of the device and the other end into a free network connecting socket of your local network, into a free socket of a hub/switch or into the network socket of an individual PC.
The LAN connector automatically identifies the transfer rate (10/100 Mbps) of the connected network device (autosensing). A parallel connection of devices with different speeds and types is possible.
You should never have more than one unconfigured LANCOM VPN in a network segment at any given time. All unconfigured LANCOM VPN devices use the same IP address (with the final digits '254'), which would result in an address conflict. To avoid problems, always configure multiple LANCOM VPN devices one at a time, immediately assigning each device a unique IP address (one that does not end with '254').
The reset switch has two different functions depending on the length of time that it is
pressed:
Restarting the device (soft reset) – push the button for less than five seconds. The
device will restart.
Resetting the configuration (hard reset) – push the button for more than five seconds.
All the device's LEDs will light up green and stay on. As soon as the reset switch is
released, the device will restart with factory default settings.
Only LANCOM 7011 VPN
DMZ – Connect a PC with the included crossover cable to the DMZ port.
WAN – Connect the WAN port with the included connector cable (dark blue plug), e.g. to the Ethernet port of a DSL modem or of a cable modem.
ISDN – To connect the LANCOM VPN to the ISDN, plug one end of the supplied ISDN connector cable (light blue plugs) into the ISDN/S0 port of the router and the other end into an ISDN/S0 multi-device mode or point-to-point mode connection.
Configuration port – You may optionally connect the router directly to the serial port (RS-232, V.24) of a PC. Use the cable supplied for this purpose. Connect the configuration port of the LANCOM with a free serial port of the PC.
Connect to power – Connect the socket of the unit to a power supply using the included power adapter and switch it on.
With the LANCOM 7011 VPN only use the included power supply unit! Using an unsuitable power supply unit may cause damage or injury.
Operational? – After a short device self-test the Power LED will be permanently lit. Green LAN LEDs indicate the LAN sockets that have functioning connections.
2.5 Software installation
This section covers the installation of the included system software LANtools
for Windows.
You may skip this section if you use your LANCOM VPN exclusively
with computers running operating systems other than Windows.
2.5.1 Starting LANCOM setup
Place the LANCOM CD in your CD drive. The LANCOM setup program will start
automatically.
If the setup program does not start automatically, run AUTORUN.EXE
in the root folder of the LANCOM CD.
[Figure: Example for LANCOM 8011 VPN, showing connections to a configuration PC with serial port, ISDN (NTBA), LAN, DMZ and a network terminator, e.g. SDSL modem]
In Setup select Install LANCOM Software. The following selection menus
will appear on the screen:
2.5.2 Which software should you install?
LANconfig is the configuration program for all LANCOM routers and Wireless LAN access points. WEBconfig can be used alternatively or in addition via a web browser.
LANmonitor lets you monitor all LANCOM routers and Wireless LAN access points on a Windows PC.
LANCAPI is a special form of the CAPI-2.0 interface that all workstations of the LAN need to get access to office communication functions such as fax or EuroFile transfer. With LANCAPI Dial-Up Networking Support, single workstations can establish dial-up connections to an Internet provider via LANCAPI. The CAPI fax modem provides you with a first-class fax driver.
The LANCOM VPN Client enables the setup of VPN connections from a remote workstation via the Internet to a router with LANCOM VPN Option.
With LANCOM Online Documentation, you can copy the documentation files to your PC.
Select the appropriate software options and confirm your choice with Next.
The software is automatically installed.
3 Basic configuration
The basic configuration can be performed on a step-by-step basis using a
convenient setup wizard to guide you through the setup process and prompt
you for the required information.
First, this chapter will inform you which information is required for the basic
configuration. Use this section to assemble the information you will need
before launching the wizard.
Next, enter the data in the setup wizard. Launching the wizard and the process itself are described step by step, with separate sections for LANconfig and WEBconfig. Thanks to the information that you have collected in advance, the basic configuration is quick and effortless.
At the end of this chapter we will show you the settings that are needed for the LAN's workstations to ensure trouble-free access to the router (’TCP/IP settings to workstation PCs’ page 37).
3.1 Which information is necessary?
The basic configuration wizard will take care of the basic TCP/IP configuration of the router, protect the device with a configuration password, and will set up the ISDN connection if required. The following descriptions of the information required by the wizard are grouped in these three configuration sections:
TCP/IP settings
protection of the configuration
information on DSL connection
information on ISDN connection
configuring connect charge protection
3.1.1 TCP/IP settings
The TCP/IP configuration can be realized in two ways: either as a fully automatic configuration or manually. No user input is required for the fully automatic TCP/IP configuration. All parameters are set automatically by the setup wizard. During manual TCP/IP configuration, the wizard will prompt you for the usual TCP/IP parameters: IP address, netmask etc. (more on these topics later).
Fully automatic TCP/IP configuration is only possible in certain network environments. The setup wizard therefore analyses the connected LAN to determine whether it supports fully automatic configuration.
New LAN—fully automatic configuration possible
If all connected network devices are still unconfigured, the setup wizard will suggest fully automatic TCP/IP configuration. This may be the case in the following situations:
a single PC is connected to the router
setup of a new network
Fully automatic TCP/IP configuration will not be available when integrating
the LANCOM VPN in an existing TCP/IP LAN. In this case, continue with the
section ’Information required for manual TCP/IP configuration’ page 30.
The result of the fully automatic TCP/IP configuration: the router will be
assigned the IP address '172.23.56.1' (netmask '255.255.255.0'). In addition,
the integrated DHCP server will be enabled so that the LANCOM VPN can
automatically assign IP addresses to the devices in the LAN.
Configure manually nevertheless?
The fully automatic TCP/IP configuration is optional. You may also select manual configuration instead. Make your selection after the following considerations:
Choose automatic configuration if you are not familiar with networks and
IP addresses.
Select manual TCP/IP configuration if you are familiar with networks and
IP addresses, and one of the following conditions is applicable:
You have not yet used IP addresses in your network but would like to
do so now. You would like to specify the IP address for your router,
selecting it from the address range reserved for private use, e.g.
'10.0.0.1' with the netmask '255.255.255.0'. At the same time you
will set the address range that the DHCP server uses for the other
devices in the network (provided that the DHCP server is switched on).
You have previously used IP addresses for the computers in your LAN.
Information required for manual TCP/IP configuration
During manual TCP/IP configuration, the setup wizard will prompt you for the
following information:
IP address and netmask for the LANCOM VPN
Assign a free IP address from the address range of your LAN to the
LANCOM VPN and specify the netmask.
Enable DHCP server?
Disable the DHCP server function in the LANCOM VPN if you would like to
have a different DHCP server assign the IP addresses in your LAN.
3.1.2 Configuration protection
The password for configuration access to the LANCOM VPN protects the configuration against unauthorized access. The configuration of the router contains a considerable amount of sensitive information such as your Internet access information. We therefore strongly recommend protecting it with a password.
The setup wizard for the basic configuration automatically disables remote configuration access via ISDN, thus protecting your configuration against tampering. ISDN remote configuration access can be enabled at any time using the security wizard (see ’Have you permitted remote configuration?’ page 64).
3.1.3 Settings for the WAN connection
For the WAN connection it may be necessary to enter the transfer protocol
being used. The wizard will e.g. automatically enter the correct settings for
major DSL providers. You only need to enter the protocol used by your access
provider if the wizard does not list your provider.
3.1.4 Settings for the ISDN connection
Set up the basic configuration of your ISDN connection if required. You will
need the following data:
One or more ISDN MSNs on which the router will accept calls. MSNs are ISDN subscriber numbers that are assigned to you by your telephone provider. They are normally entered without an area code. These numbers are only relevant for the router functions (LAN to LAN coupling, RAS), not for remote configuration and LANCOM VPN Option.
A dialing prefix for access to the public telephone network. This is normally required only when using an ISDN PBX. '0' is the usual prefix. It is used for all outgoing calls.
Finally, you should know whether your telephone provider transmits an ISDN connect-charge pulse. This signal can be used by the LANCOM VPN for connect-charge budgets and the accounting function.
3.1.5 Connect charge protection
Connect charge protection blocks connections that go beyond a previously set
amount, protecting you from unexpectedly high connection costs.
In LANCOM VPN, there are three independent budgets: For DSL access, you
can set a maximum connection time in minutes. In addition to this time
budget, there is also a budget for limiting ISDN connection charges.
In order for the limitations according to connect charge rates to function properly, it is necessary to enter the information for connect charge rates through ISDN.
Any budget can be deactivated by entering the value '0'.
It is possible to completely turn off connect charge protection.
3.2 Instructions for LANconfig
Start up LANconfig by clicking Start > Programs > LANCOM > LANconfig.
LANconfig automatically detects the new LANCOM VPN in the TCP/IP network. The setup wizard then starts and helps you make the basic settings of the device, or even does all the work for you (provided a suitable network environment exists).
If the setup wizard does not start automatically, start a manual search for new devices on all ports (if the LANCOM VPN is connected via a serial port) or in the network (Device > Find).
If you cannot access an unconfigured LANCOM VPN, the problem may be due to the netmask of the LAN: with fewer than 254 possible hosts (netmask > '255.255.255.0'), please ensure that the IP address 'x.x.x.254' is located in your own subnet.
If you have chosen automatic TCP/IP configuration, please continue with
Step .
If you would like to configure the TCP/IP settings manually, assign an
available address from a suitable address range to the LANCOM VPN.
Confirm your choice with Next.
Specify whether or not the router should act as a DHCP server. Make your
selection and confirm with Next.
In the following window, specify the password for configuration access.
Note that the password is case-sensitive and ensure that it is sufficiently
long (at least 6 characters).
In addition, you may specify whether the device may only be configured
from the local network or whether remote configuration via the WAN (i.e.
a remote network) is also permissible.
Please note that enabling this will also permit remote configuration
via the Internet. You should always make sure that the configuration
access is protected with a password.
In the next window, select your DSL provider from the list that is displayed.
If you select 'My provider is not listed here,' you must enter the transfer
protocol used by your DSL provider manually. Confirm your choice with
Next.
Enter the ISDN subscriber numbers (as MSNs, i.e. without area code) on
which the router will accept calls. Multiple numbers are separated by
semicolons. If you do not specify any MSNs, the router will answer all
incoming calls on the ISDN connection.
In addition, you can enter a trunk code for dialling into ISDN. Finally, you
should specify whether or not the tariff information is to be transmitted at
your ISDN connection. Confirm your choice with Next.
Connect charge protection can limit the cost of DSL and ISDN connections
to a predetermined amount if desired. Confirm your choice with Next.
Complete the configuration with Finish.
Section ’TCP/IP settings to workstation PCs’ on page 37 will describe
the settings required for the individual workstations in the LAN.
3.3 Instructions for WEBconfig
To configure the router with WEBconfig you must know how to address it in
the LAN. An unconfigured LANCOM VPN always reacts to a certain IP address,
and in some network configurations even to a name.
Does my LANCOM VPN react to a name?
If you do not yet have a DHCP or DNS server on your LAN, the router reacts to
any name (like 'LANCOM' or 'Router') that you specify in the URL address field
of a web browser.
If you don't know whether IP addresses have been used in your network up until now, display the IP address of your own PC (see the following section). If the 'IP Address' field contains the value '0.0.0.0', this indicates that an IP address has not yet been assigned to the network card.
What is the IP address of the LANCOM VPN?
The IP address of an unconfigured LANCOM VPN results from the IP address
of your PC by replacing the last number of its IP address (after the third dot)
with 254.
For example, if your PC is assigned the IP address 10.0.0.17, then you will find an unconfigured LANCOM VPN under the address 10.0.0.254. The IP address of your PC can be displayed (depending on the operating system) with the following command line commands (entry under Windows at the command prompt):
Operating system | Command in the command line
Windows Me, Windows 98, Windows 95 | winipcfg
Windows XP, Windows 2000, Windows NT 4.0 | ipconfig
Linux, UNIX | ifconfig
Starting the wizards in WEBconfig
Start your web browser (e.g. Internet Explorer, Netscape Navigator,
Opera) and call the LANCOM VPN there:
http://<IP address of the LANCOM>
(or with any desired name)
If you cannot access an unconfigured LANCOM VPN, the problem may
be due to the netmask of the LAN: with less than 254 possible hosts
(netmask > '255.255.255.0'), please ensure that the IP address
'x.x.x.254' is located in your own subnet.
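The addressing rule and the netmask caveat above can be checked before opening the browser. The following is an added example, not part of the manual or of any LANCOM tool; the function and type names are hypothetical and the sample addresses are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional


class Candidate(NamedTuple):
    address: Optional[ipaddress.IPv4Address]  # x.x.x.254 derived from the PC address
    usable: bool                              # True if the PC can reach it on-link
    reason: str


def unconfigured_router_address(pc_ip: str, netmask: str) -> Candidate:
    """Apply the manual's rule (last octet -> 254) and check it against the netmask."""
    # Raises ValueError on a malformed address or netmask.
    iface = ipaddress.IPv4Interface(f"{pc_ip}/{netmask}")
    if iface.ip.is_unspecified:
        # '0.0.0.0' means the network card has no address yet: nothing to derive.
        return Candidate(None, False, "no IP address assigned to the network card")
    first_three = str(iface.ip).split(".")[:3]
    candidate = ipaddress.IPv4Address(".".join(first_three + ["254"]))
    if candidate == iface.ip:
        return Candidate(candidate, False, "the PC itself already uses x.x.x.254")
    if candidate not in iface.network:
        # The case the manual warns about: netmask longer than 255.255.255.0.
        return Candidate(candidate, False,
                         f"x.x.x.254 is outside the PC's subnet {iface.network}")
    return Candidate(candidate, True,
                     f"x.x.x.254 is a host address in {iface.network}")


if __name__ == "__main__":
    # Constructed sample inputs (PC address, netmask).
    samples = [
        ("10.0.0.17", "255.255.255.0"),
        ("10.0.0.17", "255.255.255.128"),
        ("10.0.0.200", "255.255.255.128"),
        ("10.0.0.254", "255.255.255.0"),
        ("0.0.0.0", "255.255.255.0"),
    ]
    for ip, mask in samples:
        result = unconfigured_router_address(ip, mask)
        print(f"{ip}/{mask}: {result.address} usable={result.usable} ({result.reason})")
```

Because an unconfigured device answers on this predictable address without a password, the same check tells you where to look for a device that still needs its configuration password set.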
The WEBconfig main menu will be displayed:
The setup wizards are tailored precisely to the functionality of the
specific LANCOM VPN. As a result, your device may offer different wizards
than those shown here.
If you have chosen automatic TCP/IP configuration, please continue with
Step .
If you would like to configure the TCP/IP settings manually, assign an
available address from a suitable address range to the LANCOM VPN. Also
set whether or not it is to operate as a DHCP server. Confirm your entry
with Apply.
In the following 'Security settings' window, specify a password for config-
uration access. Note that the password is case-sensitive and ensure that
it is sufficiently long (at least 6 characters).
You may specify whether the device may only be configured from the local
network or whether remote configuration via the WAN (i.e. a remote net-
work) is also permissible.
Please note that enabling this will also permit remote configuration
via the Internet. You should always make sure that the configuration
access is suitably protected, e.g. with a password.
Remote configuration via a direct ISDN connection is available independ-
ently of the WAN remote configuration: in this case, the configuration PC
establishes a direct dial-up ISDN connection to the LANCOM VPN, for
example using Windows Dial-Up Networking. ISDN remote configuration
can be enabled by specifying an MSN/terminal device selection digit for
it. In this case, the LANCOM VPN will accept calls on that MSN/terminal
device selection digit and can be remotely configured via the ISDN con-
nection.
Confirm your selection with Apply.
In the next window, select your DSL provider from the list that is displayed.
Confirm your choice with Apply.
If you select 'My provider is not listed here,' you must enter the transfer
protocol used by your DSL provider manually in the next window. Confirm
your choice with Apply.
Connect charge protection can limit the cost of DSL and ISDN connections
to a predetermined amount if desired. Confirm your choice with Apply.
If your device does not feature an ISDN port, you may now close the
setup wizard. Otherwise the wizard will prompt you to configure the ISDN
port now. Make your choice and confirm it with Apply.
Enter the ISDN subscriber numbers (as MSNs, i.e. without area code) on
which the router will accept calls. Multiple numbers are separated by
semicolons. If you do not specify any MSNs, the router will answer all
incoming calls on the ISDN connection.
In addition, you can enter a trunk code for dialling into ISDN. Finally, you
should specify whether or not the tariff information is to be transmitted at
your ISDN connection. Confirm your entries with Apply.
The basic setup wizard reports that all the necessary information has been
provided. You can end the wizard with Go on.
TCP/IP settings to workstation PCs
The correct addressing of all devices within a LAN is extremely important for
TCP/IP networks. In addition, all computers must know the IP addresses of two
central points in the LAN:
Default gateway – receives all packets that are not addressed to comput-
ers within the local network.
DNS server – translates network names (www.lancom.de) or names of
computers (www.lancom.de) to actual IP addresses.
The LANCOM VPN can perform the functions of both a default gateway and a
DNS server. In addition, as a DHCP server it can also automatically assign valid
IP addresses to all of the computers in the LAN.
The correct TCP/IP configuration of the PCs in the LAN depends on the method
used to assign IP addresses within the LAN:
Entering the password in the web browser
When you are prompted for a password by your
web browser when accessing the device in the
future, enter it in the Password field. Please
note that the password is case-sensitive. Leave
the User Name field blank.
Entering the configuration password
IP address assignment via the LANCOM VPN (default)
In this operating mode the LANCOM VPN not only assigns IP addresses to
the PCs in the LAN, it also uses DHCP to specify its own IP address as that
of the default gateway and DNS server. The PCs must therefore be config-
ured so that they automatically obtain their own IP address and the IP
addresses of the standard gateway and DNS server (via DHCP).
IP address assignment via a separate DHCP server
The workstation PCs must be configured so that they automatically obtain
their own IP address and the IP addresses of the standard gateway and
DNS server (via DHCP). The IP address of the LANCOM VPN must be stored
on the DHCP server so that the DHCP server transmits it to the PCs in the
LAN as the standard gateway. In addition, the DHCP server should also
specify the LANCOM VPN as a DNS server.
Manual IP address assignment
If the IP addresses in the network are assigned statically, then for each PC
the IP address of the LANCOM VPN must be set in the TCP/IP configuration
as the standard gateway and as a DNS server.
For further information and help on the TCP/IP settings of your
LANCOM VPN, please see the reference manual. For more information
on the network configuration of the workstation computers, please
refer to the documentation of your operating system.
4 Setting up Internet access
All computers in the LAN can take advantage of the central Internet access of
the LANCOM VPN. The connection to the Internet provider can be established
via any WAN connection. Internet access via ISDN can be used as a backup
connection for DSL, for example.
Does the setup wizard know your Internet provider?
A convenient wizard is available to help you set up Internet access. The wizard
knows the access information of major Internet providers and will offer you a
list of providers to choose from. If you find your Internet service provider on
this list, you normally will not have to enter any further transfer parameters to
configure your Internet access. Only the authentication data that are supplied
by your provider are required.
Additional information for unknown Internet providers
If the setup wizard does not know your Internet provider, it will prompt you
for all of the required information step by step. Your provider will supply this
information.
DSL
Protocol: PPPoE, PPTP or Plain Ethernet (IPoE)
Additionally for Plain Ethernet: own public IP address with netmask
(not to be confused with the private LAN IP address), default gateway
and DNS server. These values can be received automatically from pro-
viders that support DHCP.
User name and password
[Figure labels: DSL or ISDN connection; LANCOM VPN; router in the LAN of the Internet provider; Internet]
ISDN – dial-in number
User name and password
Additional connection options
You may also enable or disable further options in the wizard, depending on
whether or not they are supported by your Internet provider:
Time-based billing or flat rate – select the accounting model used by your
Internet provider.
When using time-based billing, you can set the LANCOM VPN to
automatically close existing connections if no data has been trans-
ferred within a specified time (the so-called idle time).
In addition, you can activate a line monitor that identifies inactive
remote stations faster and therefore can close the connection before
the idle time has elapsed.
Active line monitoring can also be used with flat rate billing to con-
tinuously check the function of the remote station.
You also have the option of keeping flat rate connections alive if
required. Dropped connections are then automatically re-established.
Dynamic channel bundling (ISDN only) – if required, the second ISDN
B-channel will automatically be bundled to the connection. This doubles
the available bandwidth; it may also double your connect charges as
well, however. What's more, your ISDN connection will be busy in this
case, with all other incoming and outgoing calls being rejected.
Data compression (ISDN only) – this permits an additional increase in
data throughput.
4.1 Instructions for LANconfig
Highlight the LANCOM VPN in the selection window. From the menu bar,
select Tools > Setup Wizard.
From the menu, select the Setup Internet access wizard and click Next.
In the following window select your country and your Internet provider if
possible, and enter your access information.
Depending on their availability, the wizard will display additional options
for your Internet connection.
The wizard will inform you as soon as the entered information is complete.
Complete the configuration with Finish.
4.2 Instructions for WEBconfig
In the main menu, select Setup Internet access.
In the following window select your country and your Internet provider if
possible, and enter your access information.
Depending on their availability, the wizard will display additional options
for your Internet connection.
The wizard will inform you as soon as the entered information is complete.
Complete the configuration with Apply.
LANconfig:
Quick access to the setup wizards
Under LANconfig, the fastest way to launch the
setup wizards is via the button on the toolbar.
Chapter 5: Linking two networks
Remote Windows workgroups do not appear in the Windows Network
Neighbourhood, but can only be contacted directly (e.g. via Find
Computers).
5.2 Instructions for LANconfig
Perform the configuration on both routers, one at a time.
Launch the 'Connect two local area networks' wizard. Follow the wizard's
instructions and enter the required information.
The wizard will return a message to indicate that it has all the information
it needs. Close the wizard with Finish.
After finishing the configuration of both routers, you can test the network
connection. Try to contact a computer in the remote LAN (e.g. with a
ping). The LANCOM VPN should automatically set up a connection to the
remote station and contact the required computer.
5.3 Instructions for WEBconfig
Under WEBconfig, the coupling of networks via VPN cannot be con-
figured using the wizard. It can only be set up in the expert configu-
ration. For details, please see the reference manual.
Perform the configuration on both routers, one at a time.
From the main menu, launch the 'Connect two local area networks' wiz-
ard. Follow the wizard's instructions and enter the required information.
The wizard will return a message to indicate that it has all the information
it needs. Close the wizard with Terminate.
After finishing the configuration of both routers, you can test the network
connection. Try to contact a computer in the remote LAN (e.g. with a
ping). The LANCOM VPN should automatically set up a connection to the
remote station and contact the required computer.
Ping – quick testing for TCP/IP connections
To test a TCP/IP connection, simply send a ping from your computer to a
computer in the remote network. For more information on the 'ping' command,
please see the documentation of your operating system.
IPX and NetBIOS connections can be tested by searching for a remote Novell
Server or a computer in the remote Windows workgroup from your computer.
Chapter 6: Providing dial-up access
6.1.1 General information
The following entries are required to set up a RAS connection. The first column
indicates whether the information is required for a VPN and/or an ISDN
connection.
Coupling | Entry
VPN + ISDN | User name
VPN + ISDN | Password
VPN | Shared secret for encryption
VPN | Hide local stations for access to remote network (Extranet VPN)?
ISDN | Incoming number of remote station
ISDN | TCP/IP routing for access to remote network
ISDN | IPX routing for access to remote network
VPN + ISDN | IP addresses for the dial-up PCs: static or dynamic by address range (IP address pool)
VPN + ISDN | NetBIOS routing for access to remote network?
VPN + ISDN | Name of remote workgroup (NetBIOS only)
Notes to the individual values:
User name and password: Users authenticate themselves with this
information when dialling in.
Incoming number: The LANCOM VPN uses the optional ISDN caller ID
as an additional user authentication. This security function should not be
used when users dial in from differing locations.
Please refer to chapter ’Linking two networks’ page 42 for advice
about the other values required for the installation of a RAS access.
The ISDN calling line identity (CLI)
The ISDN caller ID, also known as CLI (Calling Line Identity), is the telephone
number of the caller which is transmitted to the participant receiving the call.
As a rule, it consists of the country and area codes and an MSN.
The CLI is well-suited for authentication purposes for two reasons: it is very
difficult to manipulate, and the number is transferred free of charge via the
ISDN control channel (D-channel).
6.2 Settings for the dial-in computer
6.2.1 Dial-up via VPN
For dialing into a network via VPN a workstation requires:
an Internet access
a VPN client
LANCOM Systems offers the LANCOM VPN Client on the LANCOM CD. It can
be run under Windows 2000 and Windows XP. A detailed description of the
LANCOM VPN Client and a description of its installation can also be found on
the CD.
For configuring a new profile, select the option 'Configure VPN Remote Access
(IPSec over PPTP)' in the LANCOM VPN Client configuration wizard.
The wizard then asks for the values that have been defined during the
installation of the RAS access in the LANCOM VPN.
Please note the following relationship between the names of the
entries of the LANCOM VPN Client and the LANconfig wizard:
LANCOM VPN Client | LANconfig
Preshared Key | Shared Secret
PPTP User name | Name
PPTP password | Password
6.2.2 Dial-up via ISDN
A number of settings must be configured on the dial-in computer. These are
briefly listed here, based on a Windows computer:
Dial-Up Networking (or another PPP client) must be correctly configured
Network protocol (TCP/IP, IPX) installed and bound to the dial-up adapter
New connection in Dial-Up Networking with the call number of the router
Terminal adapter or ISDN card set to PPPHDLC
PPP selected as the Dial-Up server type, 'Enable software compression'
and 'Require data encryption' unchecked
Select desired network protocols (TCP/IP, IPX)
Additional TCP/IP settings:
Assignment of IP address and name server address enabled
'IP header compression' disabled
These settings will permit a PC to dial into a remote LAN via ISDN and access
its resources in the usual manner.
6.3 Instructions for LANconfig
Launch the 'Provide Dial-In access (RAS)' wizard. Follow the wizard's
instructions and enter the required information.
The wizard will return a message to indicate that it has all the information
it needs. Close the wizard with Finish.
Configure Dial-Up Networking access on the dial-in PC as described.
Next, test the connection (see box ’Ping – quick testing for TCP/IP connec-
tions’ page 49).
6.4 Instructions for WEBconfig
RAS access via VPN cannot be configured using the wizard under
WEBconfig yet. It can only be set up in the expert configuration. For
details, please refer to the reference manual.
From the main menu, launch the 'Connect two local networks' wizard.
Follow the wizard's instructions and enter the required information.
Configure Dial-Up Networking access on the dial-in PC as described.
Next, test the connection (see box ’Ping – quick testing for TCP/IP connec-
tions’ page 49).
7 Sending faxes with LANCAPI
With LANCAPI by LANCOM it is possible to send faxes comfortably from your
workstation PC, without having connected a fax device. To do so, you need to
install several components:
the LANCAPI client. It provides the connection between your worksta-
tion PC and the LANCAPI server.
the CAPI fax modem. This tool simulates a fax device on your worksta-
tion PC.
the MS Windows fax service. This is the interface between the fax appli-
cations and the virtual fax.
The installation of the LANCAPI client is described in the reference manual.
This chapter shows the installation of LANCOM CAPI fax modem and MS Win-
dows fax service.
7.1 Installation of the LANCOM CAPI fax modem
Select the entry Install LANCOM software in the setup program of your
LANCOM CD.
Highlight the option CAPI fax modem, click Next and follow the instruc-
tions of the installation routine.
When the installation was successful, the LANCOM CAPI fax modem is
entered into the Phone and Modem Options of the control panel.
7.2 Installation of the MS Windows fax service
Select the option Printers and Faxes from the control panel.
Select the option Set up faxing from the window ’Printers and Fax’. If
necessary, follow the instructions of the installation tool. An icon for the
newly installed fax printer will then appear in the window.
For checking the installation, click with the right mouse button on the fax-icon
and select Properties. The LANCOM CAPI fax modem should now be entered
into register 'devices'.
7.3 Sending a fax
After installing all required components, you have several options for sending
a fax from your workstation PC. If you already have an existing data file, you
can send it directly from the respective application. If you only want to send
a short message, select the MS Windows fax service. Alternatively, you can of
course use any other fax software.
7.3.1 Send a fax with any given office application
Open as usual a document in your office application and select the menu
item File/Print.
Adjust the fax device as printer.
Click on OK. A wizard appears, that will guide you through the remaining
sending process.
7.3.2 Send a fax with the MS Windows fax service
Open the window ’Printers and Faxes’ from the control panel.
Double click with the left mouse button the icon of the fax device.
The fax client console will open. Select the menu item Send a Fax. A wiz-
ard will assist you through the remaining sending process.
8 Security settings
Your LANCOM VPN has numerous security functions. This chapter contains
all the information you need for optimal protection.
8.1 The security settings wizard
Access to the configuration of a device not only allows critical information
such as the WEP key or Internet password to be read out; it also allows all
settings of the security functions (e.g. the firewall) to be altered.
Unauthorized configuration access therefore endangers not just a single
device, but the entire network.
Your LANCOM VPN has a password protection for the configuration access.
This protection is already activated during the basic configuration by entering
a password.
The device locks access to its configuration for a specified period of time after
a certain number of failed log-in attempts. Both the number of failed attempts
and the duration of the lock can be set as needed. By default, access is locked
for a period of five minutes after the fifth failed log-in attempt.
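The effect of the configuration lock described above can be modelled in a few lines. This is an added example, not LANCOM code: the class and function names are hypothetical, and it assumes a single global failure counter that a successful log-in resets, which the manual does not specify.

```python
from dataclasses import dataclass


@dataclass
class ConfigLoginLock:
    max_failures: int = 5        # manual default: lock after the fifth failed attempt
    lock_seconds: float = 300    # manual default: lock for five minutes
    failures: int = 0
    locked_until: float = 0.0

    def attempt(self, now: float, password_ok: bool) -> str:
        """Process one log-in attempt at time `now` (seconds)."""
        if now < self.locked_until:
            # While locked, the password is not evaluated at all,
            # so even the correct password is refused.
            return "locked"
        if password_ok:
            self.failures = 0    # assumption: a successful log-in resets the counter
            return "granted"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lock_seconds
            self.failures = 0
            return "denied, lock started"
        return "denied"


def evaluated_guesses(lock: ConfigLoginLock, duration_s: int, interval_s: int = 1) -> int:
    """Count how many wrong passwords are actually checked when one is
    submitted every `interval_s` seconds for `duration_s` seconds."""
    count = 0
    t = 0
    while t < duration_s:
        if lock.attempt(t, password_ok=False) != "locked":
            count += 1
        t += interval_s
    return count


if __name__ == "__main__":
    day = 24 * 60 * 60
    print("checked per day with default lock:", evaluated_guesses(ConfigLoginLock(), day))
    print("checked per day without a lock:   ",
          evaluated_guesses(ConfigLoginLock(max_failures=10**9), day))
```

The model also shows the operational side effect: during the lock period the legitimate administrator is refused as well, which is worth considering when choosing the lock duration.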
8.1.1 Wizard for LANconfig
Mark your LANCOM VPN in the selection window. Select from the command
bar Extras > Setup Wizard.
Select in the selection menu the setup wizard Control Security Settings
and confirm your choice with Next.
Enter your password in the following windows and select the allowed pro-
tocols for the configuration access from local and remote networks. Addi-
tionally, enter the MSN for remote configuration via ISDN.
In the next step, parameters of the configuration lock, such as the number of
failed log-in attempts and the duration of the lock, can be adjusted.
Now activate Stateful Inspection, ping-blocking and Stealth mode in the
firewall configuration.
The wizard will inform you when entries are complete. Complete the con-
figuration with Finish.
8.1.2 Wizard for WEBconfig
Under WEBconfig you have the possibility to run the wizard Security settings
to control and change the settings. The following values are handled:
password for the device
allowed protocols for the configuration access of local and remote net-
works
the MSN for remote configuration via ISDN
parameters of configuration lock (number of failed log-in attempts and
duration of the lock)
8.2 The firewall wizard
With its Stateful Inspection firewall and its firewall filters, the LANCOM VPN
effectively protects your LAN and WLAN when accessing the Internet. The basic
idea of the Stateful Inspection firewall is that only self-initiated data
transfer is considered allowable. All unsolicited accesses that were not
initiated from the local network are inadmissible.
The firewall wizard helps you to create new firewall rules quickly and
conveniently.
Further information about the firewall of your LANCOM VPN and about its
configuration can be found in the reference manual.
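The "only self-initiated data transfer" principle can be illustrated with a minimal connection table. This is an added teaching model, not the LCOS firewall: the class names, the 60-second idle timeout and the sample packets are constructed, and address translation is left out.

```python
from typing import Dict, List, NamedTuple


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Tracks flows opened from the LAN and admits WAN packets only as replies."""

    def __init__(self, idle_timeout: float = 60.0):
        self.idle_timeout = idle_timeout      # assumed value for the model
        self.flows: Dict[Packet, float] = {}  # outbound flow -> time last seen

    def _expire(self, now: float) -> None:
        self.flows = {flow: seen for flow, seen in self.flows.items()
                      if now - seen <= self.idle_timeout}

    def from_lan(self, pkt: Packet, now: float) -> bool:
        """Self-initiated traffic: always allowed, and remembered."""
        self._expire(now)
        self.flows[pkt] = now
        return True

    def from_wan(self, pkt: Packet, now: float) -> bool:
        """Allowed only if it is the exact reverse of a remembered flow."""
        self._expire(now)
        flow = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.flows:
            self.flows[flow] = now            # a reply keeps the flow alive
            return True
        return False                          # unsolicited: dropped


def demo() -> List[bool]:
    fw = StatefulFilter(idle_timeout=60.0)
    # Constructed packets: a LAN host opens a web connection to a server.
    request = Packet("tcp", "10.0.0.17", 40000, "203.0.113.10", 80)
    reply = Packet("tcp", "203.0.113.10", 80, "10.0.0.17", 40000)
    other_port = Packet("tcp", "203.0.113.10", 8080, "10.0.0.17", 40000)
    unsolicited = Packet("tcp", "198.51.100.7", 51000, "10.0.0.17", 23)
    return [
        fw.from_lan(request, now=0.0),       # outbound request
        fw.from_wan(reply, now=0.5),         # matching reply
        fw.from_wan(other_port, now=0.6),    # same server, different source port
        fw.from_wan(unsolicited, now=1.0),   # never requested by the LAN
        fw.from_wan(reply, now=120.0),       # reply after the flow has idled out
    ]


if __name__ == "__main__":
    print(demo())
```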
8.2.1 Wizard for LANconfig
The firewall wizard helps you to create new firewall rules quickly and
conveniently.
Mark your LANCOM VPN in the selection window. Select from the command
bar Extras > Setup Wizard.
Select in the selection menu the setup wizard Configuring Firewall and
confirm your choice with Next.
In the following windows, select the services/protocols the rule should
relate to. Then define the source and destination stations for this rule
and the actions to be executed when the rule applies to a data packet.
Finally, give the new rule a name, activate it and define whether further
rules should be observed when the rule applies to a data packet.
The wizard will inform you as soon as the entries are complete. Complete
the configuration with Finish.
8.2.2 Configuration under WEBconfig
Under WEBconfig it is possible to check and modify all parameters related to
the protection of the Internet access under Configuration > Firewall / QoS >
Rules > Rule Table.
8.3 The security checklist
The following checklist provides professionals with a comprehensive overview
of all security settings. Most of the points on this checklist are of no
concern in simple configurations, since generally adequate security settings
are already implemented there during basic configuration and by the security
wizard.
Detailed information on the security settings listed here can be found
in the reference manual.
Have you assigned a password for the configuration?
The simplest option for the protection of the configuration is the estab-
lishment of a password. As long as a password hasn't been set, anyone
can change the configuration of the device. The field for entering the
password is contained in LANconfig in the 'Management' configuration
area on the 'Security' tab. It is particularly required to assign a password
to the configuration if you want to allow remote configuration.
Have you permitted remote configuration?
If you do not require remote configuration, then deactivate it. If you
require remote configuration, then be sure to assign a password protec-
tion for the configuration (see previous section). The field for deactivating
the remote configuration is also contained in LANconfig in the 'Manage-
ment' configuration area on the 'Security' tab. Select here under 'Access
rights - of remote networks' for all types of configuration the option 'not
allowed'.
Have you provided the SNMP configuration with a password?
Also protect the SNMP configuration with a password. The field for pro-
tection of the SNMP configuration with a password is also contained in
LANconfig in the 'Management' configuration area on the 'Security' tab.
Have you activated IP masquerading?
IP masquerading hides all local computers when they connect to the
Internet. Only the router module of the unit and its IP address are
visible on the Internet. The IP address can be fixed or assigned
dynamically by the provider. The computers in the LAN then use the router
as a gateway so that they themselves cannot be detected. The router
separates Internet and Intranet, as if by a wall. The use of IP
masquerading is set individually for each route in the routing table. The
routing table can be found in LANconfig in the 'IP router' configuration
section on the 'Routing' tab.
Have you closed critical ports with filters?
The firewall filters of the LANCOM VPN devices offer filter functions for
individual computers or entire networks. Source and target filters can be
set for individual ports or for ranges of ports. In addition, individual pro-
tocols or any combinations of protocols (TCP/UDP/ICMP) can be filtered.
It is particularly easy to set up the filters with LANconfig. The 'Rules' tab
under 'Firewall/QoS' can assist you to define and change the filter rules.
Have you excluded certain stations from access to the router?
Access to the internal functions of the devices through TCP/IP can be
restricted using a special filter list. Internal functions in this case are
configuration sessions via LANconfig, WEBconfig, Telnet or TFTP. This table
is empty by default, so access to the router can be obtained by TCP/IP using
Telnet or TFTP from computers with any IP address. The filter is activated
when the first IP address with its associated network mask is entered; from
that point on, only those IP addresses contained in this initial entry are
permitted to use the internal functions. The circle of authorized users can
be expanded by adding further entries. The filter entries can describe both
individual computers and whole networks. The access list can be found in
LANconfig in the 'TCP/IP' configuration section on the 'General' tab.
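The semantics of this access list (empty means unrestricted, the first entry switches to allow-list behaviour) are easy to get wrong, so the following added example models them and audits a planned list before it is entered. It is not LANCOM code; the class, the audit function, the 256-address threshold and all addresses are hypothetical or constructed, and entries with host bits set are assumed to be normalised to their network.

```python
import ipaddress
from typing import List


class ConfigAccessList:
    """Model of the access list for the device's internal functions."""

    def __init__(self) -> None:
        self.entries: List[ipaddress.IPv4Network] = []

    def add(self, address: str, netmask: str) -> None:
        # strict=False: an entry such as 10.0.0.17/255.255.255.0 is treated
        # as the network 10.0.0.0/24 (assumption of this model).
        self.entries.append(ipaddress.IPv4Network(f"{address}/{netmask}", strict=False))

    def permits(self, client_ip: str) -> bool:
        if not self.entries:
            return True   # empty table: the filter is inactive, any address may connect
        ip = ipaddress.IPv4Address(client_ip)
        return any(ip in net for net in self.entries)


def audit(acl: ConfigAccessList, admin_stations: List[str], max_hosts: int = 256) -> List[str]:
    """Return findings for a planned list, given the stations that must keep access."""
    if not acl.entries:
        return ["filter inactive: configuration services reachable from any IP address"]
    findings = []
    for net in acl.entries:
        if net.num_addresses > max_hosts:
            findings.append(f"broad entry {net} covers {net.num_addresses} addresses")
    for station in admin_stations:
        if not acl.permits(station):
            findings.append(f"admin station {station} would be locked out")
    return findings


if __name__ == "__main__":
    acl = ConfigAccessList()
    print(audit(acl, ["10.0.0.17"]))              # default state: filter inactive
    acl.add("10.0.0.17", "255.255.255.255")       # single management PC (constructed)
    acl.add("192.168.2.0", "255.255.255.0")       # management network (constructed)
    print(audit(acl, ["10.0.0.17", "10.0.0.18"])) # second admin PC was forgotten
```

Running the audit against the intended entries before typing in the first one avoids the failure mode where activating the filter cuts off the station that is doing the configuration.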
Is your saved LANCOM VPN configuration stored in a safe place?
Protect the saved configurations against unauthorized access in a safe
place. A saved configuration could otherwise be loaded in another device
by an unauthorized person, enabling, for example, the use of your Inter-
net connections at your expense.
9 Troubleshooting
In this chapter, you will find suggestions and assistance for a few common dif-
ficulties.
9.1 No WAN connection is established
After start-up the router automatically attempts to connect to the access pro-
vider. During this process, the Online LED will blink green. If successful, the
LED will switch over to steady green. If, however, the connection can't be
established, the Online LED will light up red. The reason for this is usually one
of the following:
Problems with the cabling?
Only the cable provided with your device should be used to connect to the
WAN. This cable must be connected to the Ethernet port of your broadband
access device. The WAN link LED must light green indicating the physical con-
nection.
Has the correct transfer protocol been selected?
The transfer protocol is set along with the basic settings. The basic setup wiz-
ard will enter the correct settings for numerous DSL providers automatically.
Only if your DSL provider is not listed, you will have to enter manually the pro-
tocol being used. In any case, the protocol that your DSL provider supplies you
with should definitely work.
You can monitor and correct the protocol settings under:
Configuration tool | Run command
LANconfig | Management > Interfaces > Interface settings > WAN Interface
WEBconfig | Expert Configuration > Setup > Interfaces > WAN Interface
9.2 DSL data transfer is slow
The data transfer rate of a broadband (Internet) DSL connection is dependent
upon numerous factors, most of which are outside of one's own sphere of
influence. Important factors aside from the bandwidth of one's own Internet
connection are the Internet connection and current load of the desired target.
Numerous other factors involving the Internet itself can also influence the
transfer rate.
Increasing the TCP/IP window size under Windows
If the actual transfer rate of a DSL connection is significantly below the fastest
rate listed by the provider, there are only a few possible causes (apart from the
above-mentioned external factors) which may involve one's own equipment.
One common problem occurs when large amounts of data are sent and
received simultaneously with a Windows PC using an asynchronous connec-
tion. This can cause a severe decrease in download speed. The cause of this
problem is what is known as the TCP/IP receive window size of the Windows
operating system that is set to a value too small for asynchronous connec-
tions.
Instructions on how to increase the window size can be found in the Knowledge
Base of the support section of the LANCOM web site (www.lancom.de).
9.3 Unwanted connections under Windows XP
Windows XP computers attempt to compare their clocks with a timeserver on
the Internet at start-up. This is why the LANCOM establishes a connection to
the Internet when a Windows XP computer in the WLAN is started.
To resolve this issue, you can turn off the automatic time synchronization on
the Windows XP computers under Right mouse click on the time of day >
Properties > Internet time.
9.4 Cable testing
LANCOM 8011 VPN only
A cabling defect may be present if no data is transmitted over the LAN or
WAN connection although the configuration of the devices does not show
any discernible errors.
You can test the cabling with the built-in cable tester of your LANCOM.
In WEBconfig, change to the menu item Expert configuration > Status >
LAN statistics > Cable test. Enter the name of the interface to be
tested (e.g. “DSL1” or “LAN-1”). Pay attention to the correct spelling of the
interfaces. Start the test for the specified interface by clicking on Execute.
Then change to the menu item Expert configuration > Status > LAN
statistics > Cable test results. The results of the cable test for the
individual interfaces are shown in a list.
The following results can occur:
OK: Cable plugged in correctly, line ok.
open with distance “0m”: No cable plugged in or interruption within less
than 10 meters distance.
open with indication of distance: Cable is plugged in, but defect (short-
circuited) at the indicated distance.
Impedance error: The pair of cables is not terminated with the correct
impedance at the other end.
10 Appendix
10.1 Performance data and specifications
Firewall: Stateful inspection, IP packet filter with port ranges; masquerading (NAT/PAT) of TCP, UDP, ICMP, FTP, PPTP, H.323, NetMeeting, IRC and IPSec; DNS forwarding; inverse masquerading for IP services from the Intranet such as web server; support of 2 local networks; e.g. DMZ with own IP address range without NAT.

Quality of Service: Dynamic bandwidth management with IP traffic-shaping/limiting with dynamic, absolute or per connection transfer limits or guaranteed minimum bandwidths, separately for send or receive side, TOS or DiffServ priority queuing, automatic packet size adaptation incl. PMTU adjustment or fragmentation.

Security: Intrusion detection (IP spoofing, login attempt, port scans), denial-of-service protection (fragmentation error, SYN flooding, automatic closing of ports/connections). DNS hitlist as well as wild card filter (URL blocking). High availability with ISDN dial backup for Internet access or VPN connections. Email alerting, SNMP traps and SYSLOG. PAP, CHAP and MS-CHAP as PPP authentication, password-protected configuration remote access per interface, access control list (IP, MAC and protocol filter) for configuration access and LANCAPI, ISDN remote access list. FirmSafe with two firmware versions for absolutely secure software upgrades.

VPN/IPSec: 200 IPSec sessions parallel. Encryption methods: AES and 3-DES (for LANCOM 8011 VPN with hardware acceleration), Blowfish, CAST, MD-5 or SHA-1 hashes. IKE with Preshared Keys.

IPSec clients: LANCOM VPN client free of charge, for Windows 2000 and Windows XP (IPSec over PPTP; allocation of a local intranet address to the VPN client), 3rd-Party VPN clients with IKE Aggressive Mode.

LANCOM Dynamic VPN: Connection to dynamic IP addresses: transferring of the dynamic IP address via ISDN B or D channel, IKE Main Mode. Connection from dynamic to static IP addresses: encrypted transferring of the dynamic IP address via ICMP or UDP packet, IKE Main Mode.

Router modes, services and interfaces: IP, IPX and NetBIOS/IP multi protocol Router, HTTP and HTTPS Server (WEBconfig), DNS Client, DNS Server, DNS Relay, DNS Proxy, DHCP Client, DHCP Relay and DHCP Server incl. auto detection, Dynamic DNS Client, NTP Client, SNTP Server, NetBIOS/IP Proxy, N:N IP address mapping

LAN protocols:
  IP: ARP, Proxy ARP, IP, ICMP, UDP, TCP, TFTP, RIP-1, RIP-2, DHCP, DNS, SNMP, HTTP, HTTPS, BOOTP, NTP/SNTP, NetBIOS, RADIUS, LANCAPI
  IPX: RIP, SAP, IPX and SPX watchdogs, NetBIOS watchdogs

WAN protocols (Ethernet): PPPoE, PPTP (PAC or PNS) and Plain Ethernet (with and without DHCP)

WAN protocols (ISDN): D channel: 1TR6, DSS1 (Euro ISDN); B channel: PPP (asynchronous/synchronous), X.75, HDLC, ML PPP for channel bundling, V.110/GSM/HSCSD, CAPI 2.0 via LANCAPI, Stac data compression, optional leased line support for D64, D64S2, D64SY

Interfaces:
  LANCOM 7011 VPN:
    WAN/LAN/DMZ: 10/100 Mbps Fast Ethernet
    ISDN (RJ-45): ISDN S0 Bus
    Serial config (8-pin Mini DIN); COM port: 9600-11500 baud
  LANCOM 8011 VPN:
    WAN: 10/100 Mbps Fast Ethernet
    LAN/DMZ/Switch: 4 ports, 10/100 Mbps Fast Ethernet
    ISDN (RJ-45): ISDN S0 Bus
    Serial config (8-pin Mini DIN); COM port: 9600-11500 baud

Data rate:
  LANCOM 7011 VPN: IPSec encryption >7 MBit/s (Blowfish)
  LANCOM 8011 VPN: IPSec encryption >22 MBit/s (AES, 3-DES)

Management:
  Outband: command line interface, serial V.24/V.28 port (8-pin mini-DIN)
  Inband: LANconfig (Windows configuration program), incl. setup wizard; LANmonitor (Windows status monitor); WEBconfig (integrated Web Server); telnet; SNMP management via SNMP V2; remote maintenance via ISDN or Dynamic DNS; RADIUS user management for dial in (PPP/PPTP and ISDN CLIP); browser (HTTP/HTTPS); VPN tunnel; WAN or LAN access separately activatable; simultaneous remote configuration and management of several devices with LANconfig/LANmonitor, supervisor alarm via SNMP traps, SYSLOG and email; scheduled events of all parameters and actions (e.g. firewall filter or connections) via CRON service.

Tools: LANconfig (Windows program), LANmonitor (Windows status display), WEBconfig (integrated Web-server)

Statistics: Very extensive Ethernet, IP and DNS statistics; SYSLOG error counter, connecting and online time as well as transfer quantity per station; accounting information exportable via LANmonitor and SYSLOG

Diagnosis: Very extensive LOG and TRACE mechanism, integrated PING and TRACEROUTE.

Hardware:
  LANCOM 7011 VPN: Design without fan and with high MTBF, external power adapter (230 V), temperature 5–40 °C; humidity 0–80 %; non-condensing. Robust plastic case 210 x 140 x 45 mm (W x H x D), ports on the back, prepared for wall mounting, Kensington-style lock
  LANCOM 8011 VPN: Design without rotating parts and with high MTBF, internal power supply (110-230 V), temperature 5–40 °C; humidity 0–80 %; non-condensing. Robust metal case, 19” 1HE (435 x 45 x 207 mm), connectors on the front, 19” rack mount kit

Approvals: EU (CE certification: EN 55022, EN 55024, EN 60950)

Package contents:
  LANCOM 7011 VPN: CD, printed manual (English, German), power adapter, cable for outband interface, ISDN connection cable, LAN twisted pair cable (DMZ)
  LANCOM 8011 VPN: CD incl. firmware and tools (LANconfig, LANmonitor, LANCAPI), printed manual (English, German), power adapter, cable for outband interface, ISDN connection cable, 2 Ethernet cables (WAN, LAN)

Service:
  Warranty: 3 years
  Support: Via hotline and Internet

Options:
  LANCOM 7011 VPN:
    61501 19’’ rack mount adapter
    00789 ISDN leased line option (D64S, D64S2, D64SY)
    61401 Service option (product replacement, 4 years warranty)*
  LANCOM 8011 VPN:
    61401 Service option (advanced replacement, 4 years warranty)*
    61402 LANCOM VPN option 500 channels
    61403 LANCOM VPN option 1000 channels
    00789 ISDN leased line option (D64S, D64S2, D64SY)
10.2 Contact assignment
10.2.1 DSL interface
6-pin RJ45 socket

Pin   IAE
1     T+
2     T-
3     R+
4     –
5     –
6     R-

10.2.2 ISDN-S0 interface
8-pin RJ45 socket, corresponding to ISO 8877, EN 60603-7

Pin   Line   IAE
1     –      –
2     –      –
3     T+     2a
4     R+     1a
5     R-     1b
6     T-     2b
7     –      –
8     –      –

10.2.3 Ethernet interfaces 10/100Base-T
8-pin RJ45 socket, corresponding to ISO 8877, EN 60603-7

Pin   Line
1     T+
2     T-
3     R+
4     –
5     –
6     R-
7     –
8     –

10.2.4 Configuration interface (Outband)
8-pin mini-DIN socket

Pin   Line
1     CTS
2     RTS
3     RxD
4     RI
5     TxD
6     DSR
7     DCD
8     DTR
U     GND

10.3 CE declaration of conformity
This product meets the requirements of the guideline on radio installations and telecommunication sending installations (FTEG) and of the guideline 1999/5/EC (R&TTE).
This product has been notified in the countries of Germany, Great Britain, Belgium, Netherlands, Luxembourg, Austria, Switzerland.
The CE declarations of conformity for LANCOM routers are available for download on the LANCOM web site (www.lancom.de).