
SANGFOR WANO

IPSEC VPN & Sangfor VPN


1 IPSEC VPN/Sangfor VPN Introduction

2 IPSEC VPN Compare With Sangfor VPN

3 Sangfor VPN Troubleshooting


1. IPSEC VPN/Sangfor VPN Introduction
IPSEC VPN Introduction
The IPsec VPN service provides secure Internet Protocol (IP) communications by authenticating and
encrypting each IP packet of a communication session.

Sangfor WANO supports building an IPsec VPN tunnel with third-party network devices, but the WANO must be
deployed in gateway or single-arm mode.

It is a low-cost network connection solution for customers compared to leased lines and MPLS VPN.

(Diagram: VPN tunnel)
IPSEC VPN Build Process

Phase 1:
1. Mode: Main/Aggressive
2. SA exchange: authentication algorithm / encryption algorithm / DH group / ISAKMP lifetime
3. Exchange pre-shared key
4. Exchange and verify ID
5. Other: NAT/DPD

Phase 2:
1. Protocol: AH/ESP
2. PFS
3. Encryption: DES/3DES/AES128; Hash: MD5/SHA
4. SA lifetime
5. Local subnet and peer subnet
Sangfor WANO IPSEC VPN Features
1. IPSec VPN mode:
IPSec VPN has two modes, transport mode and tunnel mode.
Sangfor IPSec VPN only supports tunnel mode.
2. Main or Aggressive:
Use main mode only if both sites have public IPs and are deployed in gateway mode with a direct
connection to the Internet, without NAT.
Only DLAN 5.x (IAM 11.x / WANO 9.x / SSL 6.x) supports IPSec VPN aggressive mode in single-arm mode.
Bridge mode does not support IPSec VPN.
3. Authentication algorithm:
Sangfor supports MD5/SHA-1; SHA-2 is not supported.
4. Encryption algorithm:
Sangfor supports DES/3DES/AES-128; AES-256 is not supported.
5. DH Group:
Sangfor supports groups 1/2/5; other groups are not supported.
6. ID:
Main mode only supports an IP address.
In aggressive mode, DLAN 5.x supports IP / FQDN (string) / User FQDN (email);
DLAN 4.x supports FQDN (string) / User FQDN (email).
7. NAT-T:
If traffic is NATed between the two VPN devices, NAT-T must be enabled on both devices.
8. DPD:
Used to detect the peer's status, such as an IP change.
Sangfor devices enable DPD by default; it cannot be changed in the WebUI and can only be disabled in pshell.
Sangfor does not support the keepalive and heartbeat methods. If the third-party device enables them, the VPN
may become unstable, so it is suggested to disable them.
9. PFS:
The Sangfor PFS DH group must be the same as the Phase 1 DH group.
10. ISAKMP lifetime & SA lifetime: 28800 is suggested, as it is more stable.
IPSEC VPN Case And Confirm List
Sangfor device building an IPSEC VPN with a Fortinet device
(Screenshot: Sangfor with Fortinet)

IPSec VPN Confirm List
(Screenshot: IPSec VPN confirm list)
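As an added example (not Sangfor's code and not the deck's confirm list), the following Python turns the limits in items 1-10 above into a scripted confirm check that lists everything a peer's proposal would have to change; the Proposal field names and messages are our own.

```python
"""Added example (not Sangfor's own code): checks an IPsec Phase 1/2 proposal
against the Sangfor WANO limits listed above. Field and message names are our own."""
from dataclasses import dataclass

SUPPORTED_AUTH = {"MD5", "SHA1"}           # SHA-2 is not supported
SUPPORTED_ENC = {"DES", "3DES", "AES128"}  # AES-256 is not supported
SUPPORTED_DH = {1, 2, 5}
RECOMMENDED_LIFETIME = 28800               # ISAKMP and SA lifetime, seconds

@dataclass
class Proposal:
    deployment: str      # "gateway", "single-arm" or "bridge"
    dlan_major: int      # 4 or 5
    mode: str            # Phase 1 mode: "main" or "aggressive"
    id_type: str         # "ip", "fqdn" or "user_fqdn"
    p1_auth: str
    p1_enc: str
    p1_dh: int
    nat_between_peers: bool
    nat_t: bool
    ipsec_mode: str      # Phase 2: "tunnel" or "transport"
    p2_auth: str
    p2_enc: str
    pfs_dh: int          # 0 means PFS off
    lifetime: int

def check_proposal(p: Proposal) -> list:
    """Return every reason the tunnel would not come up; [] means the proposal fits."""
    rules = [
        (p.deployment == "bridge", "bridge mode does not support IPsec VPN"),
        (p.ipsec_mode != "tunnel", "only tunnel mode is supported"),
        (p.mode == "main" and p.id_type != "ip", "main mode ID must be an IP address"),
        (p.mode == "main" and (p.deployment != "gateway" or p.nat_between_peers),
         "main mode needs gateway deployment and public IPs without NAT"),
        (p.mode == "aggressive" and p.deployment == "single-arm" and p.dlan_major < 5,
         "aggressive mode in single-arm mode needs DLAN 5.x"),
        (p.mode == "aggressive" and p.dlan_major < 5 and p.id_type == "ip",
         "DLAN 4.x aggressive mode accepts only FQDN / User FQDN IDs"),
        (p.p1_dh not in SUPPORTED_DH, f"DH group {p.p1_dh} not supported (use 1, 2 or 5)"),
        (p.pfs_dh and p.pfs_dh != p.p1_dh, "PFS DH group must match the Phase 1 DH group"),
        (p.nat_between_peers and not p.nat_t, "NAT between the peers: enable NAT-T on both devices"),
        (p.lifetime != RECOMMENDED_LIFETIME, f"lifetime {p.lifetime}: {RECOMMENDED_LIFETIME} is more stable"),
    ]
    issues = [msg for bad, msg in rules if bad]
    # Algorithm names are normalised so "SHA-1" and "AES-128" match the supported sets.
    for label, alg, ok in (("Phase 1 auth", p.p1_auth, SUPPORTED_AUTH), ("Phase 2 hash", p.p2_auth, SUPPORTED_AUTH),
                           ("Phase 1 enc", p.p1_enc, SUPPORTED_ENC), ("Phase 2 enc", p.p2_enc, SUPPORTED_ENC)):
        if alg.upper().replace("-", "") not in ok:
            issues.append(f"{label} {alg} not supported")
    return issues
```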
Sangfor VPN Introduction
Sangfor VPN is a very easy, fast and flexible VPN solution, but only between Sangfor devices.
PDLAN is a portable VPN client for Windows users.
Sangfor holds its own patent on Sangfor VPN.

(Diagram: VPN tunnel)
Sangfor VPN Concepts
1. VPN HQ and Branch
HQ: Sangfor VPN server side.
Branch: Sangfor VPN client side.
2. WebAgent: used for dynamic IP resolution or multi-line policy. Accepted formats:
IP:4009
IP1#IP2:4009
webagent.sangfor.net.cn/webagent/vpn/malaysiacti.php
3. VPN local subnet: defines which local subnets can access the VPN tunnel, like IPSec VPN Phase 2.
Subnets that are the same as the VPN interface subnet can access the VPN tunnel by default.
4. Tunnel route: defines the source/destination subnets from the VPN HQ to another VPN branch.
Branch A <-> HQ <-> Branch B
A does not need to build a VPN connection to B; they can reach each other via the tunnel route.
5. PDLAN: a program for Sangfor VPN mobile users.
6. Virtual IP pool: each mobile user gets a virtual IP from HQ.
7. Tunnel NAT: used for the branch IP conflict scenario.
Sangfor VPN Configuration Steps

Sangfor VPN server side:
1. WebAgent
2. VPN local subnet
3. Create VPN user for branch (tunnel NAT, tunnel service control)
4. SD-WAN multi-line policy

Sangfor VPN client side:
1. VPN connection (tunnel service control)
2. VPN local subnet
3. VPN tunnel route
4. SD-WAN multi-line policy

Sangfor VPN Server Side Configuration
Sangfor VPN Client Side Configuration
Sangfor VPN Case
Environment and Requirement

LAN: 172.17.6.2/24

Branch 172.17.7.x wants to visit the HQ 172.17.6.x / 172.17.8.x / 172.17.9.x servers


Sangfor VPN Case HQ Configuration

Why don't we need to add 172.17.6.0/24 to the local subnet?

Because the LAN interface 172.17.6.2 is in 172.17.6.0/24, so that subnet can access the VPN tunnel by default.
Sangfor VPN Case Branch Configuration
2. IPSEC VPN Compare With Sangfor VPN
IPSEC VPN Compare With Sangfor VPN

Item                    IPSec VPN                               Sangfor VPN
Port                    UDP 500, 4500                           Default TCP/UDP 4009; can be specified
License                 Needed, but free                        Not needed
Tunnel NAT              No                                      Yes
Multi-line support      No                                      Yes
Tunnel route            No                                      Yes
Tunnel service control  No                                      Yes
Tunnel traffic control  No                                      Yes
Multicast service       No                                      Yes
Static public IP        At least one side                       Not needed
Mobile support          PPTP/L2TP                               PDLAN (Windows PC only)
Vendor support          Most vendors                            Only Sangfor
Stability               ISPs do not limit the standard ports    May be limited on the Internet
3. Sangfor VPN Troubleshooting
Troubleshooting—Cannot Build Sangfor VPN

1. Check the VPN status; make sure the status is "running".

2. Check the configuration on both sides.

3. Telnet to the HQ VPN listening port from the branch.

4. If the VPN tunnel cannot be built between the two devices, check the VPN module log in the
system log. The log records the error details.
Troubleshooting—Packet Loss Or Latency In VPN Tunnel
1. Internet network reason:
a) Ping each other for testing; record the packet loss rate and latency.
b) From both devices, ping an Internet URL such as www.google.com; record the packet loss rate and
latency.
c) Send TCP packets for testing, from the server side to the client side, and compare the data of the
two sides. (TCP packets differ from ICMP; Sangfor VPN does not use the ICMP protocol, so this
method is more accurate.)
Solution:
d) If the Internet packet loss rate is high, change the transfer protocol from TCP to UDP.
e) Change the VPN listening port on the HQ device, in case the port is being blocked.
f) Try swapping HQ and branch: use the HQ device to connect to the branch.
g) Change Sangfor VPN to standard VPN.
2. Device reason
Make sure the device works within its capability.
Run the following commands to see the device status:
uptime / free -m / mpstat -P ALL 1

Normal: the average load per core, i.e. sum(load average) / CPU core number, stays low.

If the free memory number is too small, take note of it.

If the %idle number is too small, be careful about the CPU usage.
The interface compatibility (speed/duplex) does not match the other device.
Run ifconfig to check the interface counters.

Normal data: the error/dropped/overruns/frame counters do not increase.

Solution:
a. Change the line or change the interface
b. Lock the interface speed to 1000Mb/s full duplex
c. Add a switch between the two devices
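To apply the device checks above repeatably, here is an added example (not Sangfor's tooling) that parses the output of uptime, free -m, mpstat -P ALL 1 and ifconfig and flags a saturated core or a rising error counter; the function names and all sample outputs are ours and constructed.

```python
"""Added example (not Sangfor's own tooling): parses the output of the commands named in the
"Device reason" checks (uptime, free -m, mpstat -P ALL 1, ifconfig). Samples are constructed."""
import re

COUNTER_RE = re.compile(r"^\s*(RX|TX) errors (\d+)\s+dropped (\d+)\s+overruns (\d+)"
                        r"\s+(frame|carrier) (\d+)", re.M)

def load_per_core(uptime_line: str, cores: int) -> float:
    """1-minute load average / CPU core count; staying well above 1.0 means the box is saturated."""
    load1 = float(re.search(r"load average:\s*([\d.]+)", uptime_line).group(1))
    return round(load1 / cores, 2)

def free_mb(free_output: str) -> int:
    """The 'free' column of the Mem: line of `free -m`."""
    mem = next(l for l in free_output.splitlines() if l.startswith("Mem:"))
    return int(mem.split()[3])

def min_idle(mpstat_output: str) -> float:
    """Lowest %idle over the per-CPU rows of `mpstat -P ALL 1`; the 'all' row can hide one busy core."""
    idle, cpu_col = [], None
    for cols in (line.split() for line in mpstat_output.splitlines()):
        if "CPU" in cols:                       # header row: locate the CPU-id column
            cpu_col = cols.index("CPU")
        elif cpu_col is not None and len(cols) > cpu_col and cols[cpu_col].isdigit():
            idle.append(float(cols[-1]))        # %idle is the last column
    return min(idle)

def error_counters(ifconfig_output: str) -> dict:
    """{'RX errors': n, 'RX dropped': n, ...} from one ifconfig snapshot."""
    out = {}
    for m in COUNTER_RE.finditer(ifconfig_output):
        d = m.group(1)
        out.update({f"{d} errors": int(m.group(2)), f"{d} dropped": int(m.group(3)),
                    f"{d} overruns": int(m.group(4)), f"{d} {m.group(5)}": int(m.group(6))})
    return out

def rising_counters(before: str, after: str) -> dict:
    """Counters that grew between two snapshots taken a few seconds apart; {} means a clean link."""
    b, a = error_counters(before), error_counters(after)
    return {k: (b[k], a[k]) for k in b if a.get(k, 0) > b[k]}

# Constructed samples in the format the commands print on a Linux-based appliance.
UPTIME = " 10:32:01 up 12 days,  3:14,  1 user,  load average: 6.40, 5.10, 4.80"
FREE = "              total   used   free  shared  buff/cache  available\nMem:  3941  3512  120  12  309  210"
MPSTAT = ("10:32:01 AM  CPU  %usr  %nice  %sys  %iowait  %irq  %soft  %steal  %guest  %gnice  %idle\n"
          "10:32:02 AM  all  40.00  0.00  10.00  0.00  0.00  5.00  0.00  0.00  0.00  45.00\n"
          "10:32:02 AM    0  92.00  0.00   6.00  0.00  0.00  2.00  0.00  0.00  0.00   0.00\n"
          "10:32:02 AM    1  10.00  0.00   5.00  0.00  0.00  1.00  0.00  0.00  0.00  84.00")
IFCONFIG_BEFORE = ("eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n"
                   "        RX errors 0  dropped 3  overruns 0  frame 0\n"
                   "        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0")
IFCONFIG_AFTER = IFCONFIG_BEFORE.replace("dropped 3", "dropped 17").replace("carrier 0", "carrier 2")
```

With the samples above, the load sits at 1.6 per core and core 0 shows 0% idle even though the "all" row reports 45% idle, while the second ifconfig snapshot shows RX dropped and TX carrier climbing.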
3. Local Area Network reason
a) If our device works in single-arm mode, the transferred bytes may be limited by the device by default,
especially if there is a bandwidth management device, firewall or IPS in the network.
b) Usually the packet loss rate and latency are low in the Local Area Network.

4. Software reason
a) Check the system log for alarm logs or error logs.
b) Some firmware versions may have bugs; it is suggested to upgrade the device firmware to a stable version.
Practice
Requirement:
1. All branches and mobile users need to access HQ.
2. HQ / Branch B / Branch C must be able to communicate with each other.
3. Mobile user E needs to visit the B server, but does not want to build a VPN with B.
4. Branch C Internet traffic must go through HQ, because HQ has a device to audit traffic.
Practice Solution
1. All branches and mobile users need to visit the HQ server:
A-B and A-C use Sangfor VPN; A-D uses IPSec VPN; A-E uses Sangfor VPN (PDLAN).
2. HQ / Branch B / Branch C must be able to communicate with each other:
B and C have an IP conflict, so tunnel NAT must be used to access A; then they visit each other via tunnel route.
3. Mobile user E needs to visit the B server, but does not want to build a VPN with B:
Use a tunnel route from A to B.
4. Branch C Internet traffic must go through HQ, because HQ has a device to audit traffic:
Use the tunnel route function "access Internet from HQ".
Question
1. Why do we need to configure the VPN local subnet in Sangfor VPN?

2. If a customer wants to use 2 WAN links to build the VPN, how should it be configured?

3. Does WANO support Sangfor VPN with a CISCO firewall?

4. Describe the differences between Sangfor VPN and IPSEC VPN.


Thank you !
tech.support@sangfor.com
community.sangfor.com

Sangfor Technologies (Headquarters)


Block A1, Nanshan iPark, No.1001
Xueyuan Road, Nanshan District,
Shenzhen, Guangdong Province,
P. R. China (518055)
