SANGFOR - WANO - v9.5.3 - Associate - 04 - IPSEC VPN and Sangfor VPN
Sangfor WANO supports building IPsec VPN tunnels with third-party network devices, but WANO must be deployed in gateway or single-arm mode.
It is a low-cost network connection solution for the customer compared with leased lines and MPLS VPN.
[Diagram: VPN tunnel between two sites]
IPsec VPN Build Process
Phase 1:
1. Mode: Main/Aggressive
2. SA exchange: authentication algorithm / encryption algorithm / DH group / ISAKMP lifetime
3. Exchange pre-shared key
4. Exchange and verify ID
5. Other: NAT-T / DPD
Phase 2:
1. Protocol: AH/ESP
2. PFS
3. Encryption: DES/3DES/AES-128; Hash: MD5/SHA
4. SA lifetime
5. Local subnet and peer subnet
Sangfor WANO IPsec VPN Features
1. IPsec VPN mode:
IPsec VPN has two modes, transport mode and tunnel mode.
Sangfor IPsec VPN only supports tunnel mode.
2. Main or Aggressive:
Use main mode only if both sites have public IPs and are deployed in gateway mode with a direct connection to the internet, without NAT.
Only DLAN 5.x can use aggressive mode for IPsec VPN in single-arm mode (IAM 11.x / WANO 9.x / SSL 6.x).
Bridge mode does not support IPsec VPN.
3. Authentication algorithm:
Sangfor supports MD5/SHA-1; SHA-2 is not supported.
4. Encryption algorithm:
Sangfor supports DES/3DES/AES-128; AES-256 is not supported.
5. DH group:
Sangfor supports groups 1/2/5; other groups are not supported.
6. ID:
Main mode only supports IP address.
Aggressive mode: DLAN 5.x supports IP / FQDN (string) / User FQDN (email); DLAN 4.x supports FQDN (string) / User FQDN (email).
7. NAT-T:
If traffic is NATed between the two VPN devices, NAT-T must be enabled on both devices.
8. DPD:
Used to detect the peer's status, such as an IP change.
Sangfor devices enable DPD by default; it cannot be changed in the WebUI. DPD can only be disabled in pshell.
Sangfor does not support the keepalive and heartbeat methods. If the third-party device enables them, the VPN may become unstable; it is suggested to disable them.
9. PFS:
The Sangfor PFS DH group must be the same as the Phase 1 DH group.
10. ISAKMP lifetime and SA lifetime: 28800 is suggested, as it is more stable.
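The Phase 1 / Phase 2 parameters and the Sangfor-specific limits listed above are exactly what a pre-build "confirm list" checks. The script below is an added example, not Sangfor's code or part of the original slides: it encodes the supported values the slides state for Sangfor WANO, compares a Sangfor side with a third-party peer, and reports every reason the tunnel would not come up. The peer values, names and subnets are constructed sample data.

```python
"""Added example (not Sangfor's code): pre-check two IPsec peers' IKE Phase 1 /
Phase 2 parameters against each other and against the limits the training
slides list for Sangfor WANO. All peer values below are constructed samples."""
from dataclasses import dataclass
from typing import Optional

# Supported values as stated in the slides for Sangfor WANO.
SANGFOR_AUTH = {"MD5", "SHA-1"}           # SHA-2 not supported
SANGFOR_ENC = {"DES", "3DES", "AES-128"}  # AES-256 not supported
SANGFOR_DH = {1, 2, 5}                    # other DH groups not supported
SANGFOR_IPSEC_MODE = {"tunnel"}           # transport mode not supported
RECOMMENDED_LIFETIME = 28800              # seconds, suggested for ISAKMP and IPsec SA


@dataclass
class Proposal:
    name: str
    ike_mode: str             # "main" or "aggressive"
    auth: str                 # hash algorithm
    enc: str                  # cipher
    dh_group: int             # Phase 1 DH group
    id_type: str              # "ip", "fqdn" or "user_fqdn"
    ipsec_mode: str           # "tunnel" or "transport"
    pfs_group: Optional[int]  # None means PFS disabled
    isakmp_lifetime: int
    sa_lifetime: int
    nat_t: bool
    local_subnet: str
    peer_subnet: str


def check_sangfor_limits(p: Proposal) -> list:
    """Findings where a proposal asks for something the slides say Sangfor cannot do."""
    out = []
    if p.auth not in SANGFOR_AUTH:
        out.append(f"{p.name}: auth {p.auth} unsupported (use MD5 or SHA-1)")
    if p.enc not in SANGFOR_ENC:
        out.append(f"{p.name}: cipher {p.enc} unsupported (use DES/3DES/AES-128)")
    if p.dh_group not in SANGFOR_DH:
        out.append(f"{p.name}: DH group {p.dh_group} unsupported (use 1, 2 or 5)")
    if p.ipsec_mode not in SANGFOR_IPSEC_MODE:
        out.append(f"{p.name}: {p.ipsec_mode} mode unsupported (tunnel mode only)")
    if p.ike_mode == "main" and p.id_type != "ip":
        out.append(f"{p.name}: main mode ID must be an IP address, got {p.id_type}")
    if p.pfs_group is not None and p.pfs_group != p.dh_group:
        out.append(f"{p.name}: PFS group {p.pfs_group} must equal Phase 1 DH group {p.dh_group}")
    return out


def check_pair(a: Proposal, b: Proposal) -> list:
    """Mismatches between two peers. An empty list means the proposals are consistent."""
    out = []
    for attr in ("ike_mode", "auth", "enc", "dh_group", "ipsec_mode", "pfs_group"):
        va, vb = getattr(a, attr), getattr(b, attr)
        if va != vb:
            out.append(f"{attr}: {a.name}={va} vs {b.name}={vb}")
    # Phase 2 selectors must mirror: my local subnet is the peer's "peer subnet".
    if a.local_subnet != b.peer_subnet or a.peer_subnet != b.local_subnet:
        out.append("phase 2 local/peer subnets do not mirror each other")
    # NAT-T has to be on at both ends when NAT sits in the path, so one-sided is a fault.
    if a.nat_t != b.nat_t:
        out.append(f"NAT-T enabled on only one side ({a.name}={a.nat_t}, {b.name}={b.nat_t})")
    for attr in ("isakmp_lifetime", "sa_lifetime"):
        for p in (a, b):
            if getattr(p, attr) != RECOMMENDED_LIFETIME:
                out.append(f"note: {p.name} {attr}={getattr(p, attr)}, "
                           f"slides suggest {RECOMMENDED_LIFETIME}")
    return out


def audit(sangfor: Proposal, peer: Proposal) -> list:
    """All findings for a Sangfor side talking to a third-party peer."""
    return check_sangfor_limits(sangfor) + check_pair(sangfor, peer)


# Constructed sample: a Sangfor WANO side and two versions of a third-party firewall side.
SANGFOR = Proposal("wano", "main", "SHA-1", "AES-128", 2, "ip", "tunnel", 2,
                   28800, 28800, False, "192.168.10.0/24", "192.168.20.0/24")
PEER_BAD = Proposal("fw", "main", "SHA-256", "AES-256", 14, "ip", "tunnel", 14,
                    86400, 3600, False, "192.168.20.0/24", "192.168.10.0/24")
PEER_OK = Proposal("fw", "main", "SHA-1", "AES-128", 2, "ip", "tunnel", 2,
                   28800, 28800, False, "192.168.20.0/24", "192.168.10.0/24")

if __name__ == "__main__":
    for line in audit(SANGFOR, PEER_BAD):
        print(line)
    print("ok" if not audit(SANGFOR, PEER_OK) else "mismatch")
```

Running it lists the four algorithm mismatches plus two lifetime notes for the first peer and prints "ok" for the second; the same `Proposal` can be filled in from the confirm list before the tunnel is built with any third-party device.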
IPsec VPN Case and Confirm List
Case: a Sangfor device builds an IPsec VPN with a Fortinet device.
[Slides: Sangfor-with-Fortinet IPsec VPN confirm list; screenshots not reproduced]
Sangfor VPN Introduction
Sangfor VPN is a very easy, fast and flexible VPN solution, but it only works between Sangfor devices.
PDLAN is a portable VPN client for Windows users.
Sangfor holds its own patent on Sangfor VPN.
[Diagram: VPN tunnel]
Sangfor VPN Concepts
1. VPN HQ and Branch
HQ: Sangfor VPN server side.
Branch: Sangfor VPN client side.
2. WebAgent: used for dynamic IP resolution or multi-line policy. It can be written in one of these forms:
ip:4009
ip1#ip2:4009
webagent.sangfor.net.cn/webagent/vpn/malaysiacti.php
3. VPN local subnet: defines which local subnets can access the VPN tunnel, like the Phase 2 subnets in IPsec VPN.
The subnet that is the same as the VPN interface subnet can access the VPN tunnel by default.
4. Tunnel route: defines a source/destination subnet pair from one VPN branch through the VPN HQ to another VPN branch.
[Diagram: Branch A -- HQ -- Branch B]
A does not need to build a VPN connection to B; they can reach each other via a tunnel route.
5. PDLAN: a program for Sangfor VPN mobile users.
6. Virtual IP pool: each mobile user gets a virtual IP from the HQ.
7. Tunnel NAT: used in branch IP conflict scenarios.
Sangfor VPN Configuration Steps
Sangfor VPN server side:
1. WebAgent
2. VPN local subnet
3. Create VPN user for branch (tunnel NAT, tunnel service control)
4. SD-WAN multi-line policy
Sangfor VPN client side:
1. VPN connection (tunnel service control)
2. VPN local subnet
3. VPN tunnel route
4. SD-WAN multi-line policy
Sangfor VPN Server Side Configuration
[Slides: WebUI screenshots not reproduced]
Sangfor VPN Client Side Configuration
[Slides: WebUI screenshots not reproduced]
Sangfor VPN Case
Environment and Requirement
[Topology diagram; only the label "LAN: 172.17.6.2/24" survives]
4. If the VPN tunnel cannot be built between the two devices, check the VPN module log in the system log. The log records the error details.
Troubleshooting: Packet Loss or Latency in the VPN Tunnel
1. Internet network reason:
a) Ping each other for testing; record the packet loss rate and latency.
b) Both devices ping an internet URL such as www.google.com; record the packet loss rate and latency.
c) Send TCP packets for testing, from the server side to the client side, and compare the data on both sides. (TCP packets are treated differently from ICMP. Sangfor VPN does not use ICMP, so this method is more accurate.)
Solution:
d) If the internet packet loss rate is high, change the transfer protocol from TCP to UDP.
e) Change the VPN listening port on the HQ device in case the port is being blocked.
f) Try swapping HQ and branch: use the HQ device to connect to the branch.
g) Change Sangfor VPN to standard VPN.
2. Device reason
a) Make sure the device is working within its capacity.
Run the following commands to learn the status of the device:
uptime / free -m / mpstat -P ALL 1
If the %idle figure is too small, the CPU usage needs attention.
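The three commands above are easy to run but their output is easy to misread under pressure. The script below is an added example, not Sangfor's code: it parses constructed sample output of `uptime`, `free -m` and `mpstat -P ALL 1` and turns the "is %idle too small?" judgement into a repeatable check. The thresholds (20% idle, 10% available memory, 1-minute load above the CPU count) are this example's assumptions, not figures from the slides.

```python
"""Added example (not Sangfor's code): parse the output of the commands the
troubleshooting slide names and flag a device running near its capacity.
The command output below is constructed sample text; thresholds are assumptions."""
import re

# Constructed sample output of `uptime`, `free -m` and `mpstat -P ALL 1`.
UPTIME_OUT = " 10:21:43 up 12 days,  3:04,  1 user,  load average: 3.95, 3.80, 3.60\n"
FREE_OUT = """              total        used        free      shared  buff/cache   available
Mem:           3936        3390         120          12         426         310
Swap:          1023         900         123
"""
MPSTAT_OUT = """Linux 3.10.0 (wano)  01/01/2024  _x86_64_  (2 CPU)

10:21:44     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
10:21:45     all   45.00    0.00   38.50    0.50    0.00   12.00    0.00    0.00    0.00    4.00
10:21:45       0   44.00    0.00   40.00    1.00    0.00   11.00    0.00    0.00    0.00    4.00
10:21:45       1   46.00    0.00   37.00    0.00    0.00   13.00    0.00    0.00    0.00    4.00
"""

IDLE_FLOOR = 20.0      # assumption: below this %idle the CPU is considered saturated
MEM_FLOOR_PCT = 10.0   # assumption: below this share of available memory, warn


def parse_load(uptime_out):
    """Return the 1-minute load average from `uptime` output."""
    m = re.search(r"load average:\s*([\d.]+)", uptime_out)
    if not m:
        raise ValueError("no load average in uptime output")
    return float(m.group(1))


def parse_mem(free_out):
    """Return (total_mb, available_mb) from the Mem: line of `free -m`."""
    for line in free_out.splitlines():
        if line.startswith("Mem:"):
            f = line.split()
            return int(f[1]), int(f[6])
    raise ValueError("no Mem: line in free output")


def cpu_count(mpstat_out):
    """Return the CPU count from the mpstat banner, e.g. '(2 CPU)'."""
    m = re.search(r"\((\d+) CPU\)", mpstat_out)
    return int(m.group(1)) if m else 1


def parse_idle(mpstat_out):
    """Return {cpu_label: %idle} from `mpstat -P ALL 1`, locating the column by header."""
    idle_col = cpu_col = None
    out = {}
    for line in mpstat_out.splitlines():
        f = line.split()
        if len(f) < 3:
            continue
        if "%idle" in f:               # header row: remember the column positions
            idle_col, cpu_col = f.index("%idle"), f.index("CPU")
            continue
        if idle_col is not None and len(f) > idle_col:
            try:
                out[f[cpu_col]] = float(f[idle_col])
            except ValueError:
                pass                    # not a sample row
    return out


def assess(uptime_out, free_out, mpstat_out):
    """Return a list of capacity warnings; an empty list means the device looks healthy."""
    warnings = []
    ncpu = cpu_count(mpstat_out)
    load = parse_load(uptime_out)
    if load > ncpu:
        warnings.append(f"1-min load {load} exceeds {ncpu} CPU(s)")
    total, avail = parse_mem(free_out)
    if avail * 100.0 / total < MEM_FLOOR_PCT:
        warnings.append(f"available memory {avail} MB is below {MEM_FLOOR_PCT}% of {total} MB")
    for cpu, idle in parse_idle(mpstat_out).items():
        if idle < IDLE_FLOOR:
            warnings.append(f"CPU {cpu}: %idle {idle} is below {IDLE_FLOOR}")
    return warnings


if __name__ == "__main__":
    for w in assess(UPTIME_OUT, FREE_OUT, MPSTAT_OUT):
        print("WARN", w)
```

On a real device, replace the three sample strings with the captured command output (for example via `subprocess.run`); the parsers only depend on the column headers, so they survive the "Average:" rows mpstat prints when it is stopped.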
b) The interface speed/duplex does not match the other device.
Run ifconfig to check the interface.
Solution:
a. Change the line or change the interface
b. Lock the interface speed to 1000Mb/s full-duplex
c. Add a switch between the two devices
3. Local area network reason
a) If the device works in single-arm mode, the transferred bytes may be limited by another device by default, especially if there is a bandwidth management device, firewall or IPS in the network.
b) Usually the packet loss rate and latency are low in the local area network.
4. Software reason
a) Check the system log for alarm logs or error logs.
b) Some firmware versions may have bugs; it is suggested to upgrade the device firmware to a stable version.
Practice
Requirement:
1. All branches and mobile users need to access HQ.
2. HQ / Branch B / Branch C must be able to communicate with each other.
3. Mobile user E needs to visit the B server, but does not want to build a VPN with B.
4. Branch C internet traffic must go through HQ, because HQ has a device to audit traffic.
Practice Solution
1. All branches and mobile users need to visit the HQ server:
A-B and A-C use Sangfor VPN; A-D uses IPsec VPN; A-E uses Sangfor VPN PDLAN.
2. HQ / Branch B / Branch C must be able to communicate with each other:
B and C have an IP conflict, so tunnel NAT must be used for them to access A; then they visit each other via tunnel routes.
3. Mobile user E needs to visit the B server, but does not want to build a VPN with B:
Use a tunnel route from A to B.
4. Branch C internet traffic must go through HQ, because HQ has a device to audit traffic:
Use the tunnel route "access internet from HQ" function.
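The practice solution relies on three concepts from the Sangfor VPN slides working together at the HQ: tunnel NAT to hide the B/C IP conflict, tunnel routes to relay branch-to-branch and mobile-to-branch traffic, and the HQ acting as internet exit for branch C. The model below is an added example, not Sangfor's code or a description of its implementation: every address, branch name, NAT pool and tunnel route is constructed, and the forwarding logic is a simplification meant to show how the pieces fit.

```python
"""Added example (not Sangfor's code): a small model of tunnel NAT and tunnel routes at
the VPN HQ, showing how two branches with the same LAN subnet reach each other and how
a PDLAN mobile user reaches a branch via HQ. All names and addresses are constructed."""
import ipaddress

HQ_LAN = ipaddress.ip_network("10.0.0.0/24")            # constructed HQ LAN
BRANCH_LAN = {                                           # real LAN behind each tunnel
    "B": ipaddress.ip_network("192.168.1.0/24"),
    "C": ipaddress.ip_network("192.168.1.0/24"),         # same subnet as B: IP conflict
    "D": ipaddress.ip_network("192.168.3.0/24"),         # IPsec peer, no tunnel NAT
}
TUNNEL_NAT = {                                           # how HQ sees each conflicting branch
    "B": ipaddress.ip_network("10.1.1.0/24"),
    "C": ipaddress.ip_network("10.1.2.0/24"),
}
MOBILE_POOL = ipaddress.ip_network("10.9.0.0/24")        # virtual IP pool for PDLAN users
INTERNET_VIA_HQ = {"C"}                                  # branches whose internet exit is HQ
TUNNEL_ROUTES = [                                        # (source, destination) pairs HQ relays
    ("10.1.1.0/24", "10.1.2.0/24"),                      # B -> C (NAT'd addresses)
    ("10.1.2.0/24", "10.1.1.0/24"),                      # C -> B
    ("10.9.0.0/24", "10.1.1.0/24"),                      # mobile E -> B server, no E-B tunnel
]


def hq_view(branch, ip):
    """Translate a branch LAN address to the address HQ sees (host part is preserved)."""
    ip = ipaddress.ip_address(ip)
    if branch not in TUNNEL_NAT:
        return ip
    offset = int(ip) - int(BRANCH_LAN[branch].network_address)
    return TUNNEL_NAT[branch].network_address + offset


def branch_of(ip):
    """Which tunnel owns an HQ-side destination: a NAT'd branch, a plain branch, or None."""
    ip = ipaddress.ip_address(ip)
    for name, net in TUNNEL_NAT.items():
        if ip in net:
            return name
    for name, net in BRANCH_LAN.items():
        if name not in TUNNEL_NAT and ip in net:
            return name
    return None


def route_allowed(src, dst):
    """True if some tunnel route covers this (source, destination) pair."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in TUNNEL_ROUTES)


def forward(src_branch, src_ip, dst_ip):
    """Decide what HQ does with a packet arriving from a tunnel.
    Returns ('hq', dst), ('tunnel', branch, dst_as_seen_inside_that_branch),
    ('internet', dst) or ('drop', reason)."""
    src = hq_view(src_branch, src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst in HQ_LAN:                                    # requirement 1: everyone reaches HQ
        return ("hq", str(dst))
    target = branch_of(dst)
    if target is not None:                               # requirements 2 and 3: via tunnel route
        if not route_allowed(src, dst):
            return ("drop", f"no tunnel route {src} -> {dst}")
        local_dst = dst
        if target in TUNNEL_NAT:                         # undo tunnel NAT toward the branch
            offset = int(dst) - int(TUNNEL_NAT[target].network_address)
            local_dst = BRANCH_LAN[target].network_address + offset
        return ("tunnel", target, str(local_dst))
    if dst.is_private:
        return ("drop", f"{dst} is not behind any tunnel")
    if src_branch in INTERNET_VIA_HQ:                    # requirement 4: C exits via HQ
        return ("internet", str(dst))
    return ("drop", f"{src_branch} does not route internet via HQ")


if __name__ == "__main__":
    print(forward("B", "192.168.1.10", "10.1.2.20"))     # B host to C host through NAT + route
    print(forward("E", "10.9.0.5", "10.1.1.50"))         # mobile user to B server via HQ
    print(forward("C", "192.168.1.7", "8.8.8.8"))        # C internet traffic audited at HQ
```

Note that B must address C's hosts by their NAT'd addresses (10.1.2.x in this sample), because the real 192.168.1.0/24 is ambiguous once both branches use it; that is the practical consequence of the tunnel NAT the practice solution calls for.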
Question
1. Why do we need to configure the VPN local subnet in Sangfor VPN?