IPSec VPN demands sophisticated operational skills and carries a high maintenance cost. To relieve network administrators of this intricate work, the system provides an easy-to-use VPN technology, PnPVPN (Plug-and-Play VPN). PnPVPN consists of two parts: PnPVPN Server and PnPVPN Client.
- PnPVPN Server: Normally deployed in the headquarters and maintained by an IT engineer, the PnPVPN Server sends most of the configuration commands to the clients. The device usually works as a PnPVPN Server and one device can serve as multiple servers.
- PnPVPN Client: Normally deployed in the branch offices and controlled remotely by a headquarters engineer, the PnPVPN Client can obtain configuration commands (e.g. DNS, WINS, DHCP address pool, etc.) from the PnPVPN Server with simple configurations, such as client ID, password, and server IP settings.
The device can serve as both a PnPVPN Server and a PnPVPN Client. When it works as a PnPVPN Server, the maximum number of VPN instances and the number of clients supported by each device may vary according to the platform series.
The workflow for PnPVPN is as follows:
- The client initiates a connection request and sends its own ID and password to the server.
- The server verifies the ID and password when it receives the request. If the verification succeeds, the server sends the configuration information, including the DHCP address pool, DHCP mask, DHCP gateway, WINS, DNS, tunnel routes, etc., to the client.
- The client distributes the received information to the corresponding functional modules.
- The client PC automatically gains an IP address, IP mask, gateway address and other network parameters and connects itself to the VPN.
PnPVPN Link Redundancy
The PnPVPN server supports dual VPN link dials for a PnPVPN client and automatically generates the routing to the client. It can also configure the VPN monitor for the client. Two ISAKMP gateways and two tunnel interfaces need to be configured on the server. The two VPN tunnels need to refer to different ISAKMP gateways and be bound to different tunnel interfaces.
The client supports configuring dual VPN dials and redundant routing. When the two VPN tunnels negotiate with the server, the client generates routes with different priorities according to the tunnel routing configuration on the server side. The high-priority tunnel acts as the master link and the low-priority tunnel as the backup link, which provides redundant routing. The master VPN tunnel is in the active state first. When the master tunnel is interrupted, the client uses the backup tunnel to transfer the data. When the master tunnel returns to normal, it transfers the data again.
Configuring a PnPVPN Client
To configure a PnPVPN client, take the following steps:
- Select Network > VPN > IPSec VPN.
- In the IKE VPN Configuration section, click PnPVPN Client.
| Option | Description |
|---|---|
| Server Address1 | Type the IP address of PnPVPN Server into the box. PnPVPN client supports dual link dials to the server side. This option is required. |
| Server Address2 | Type the IP address of PnPVPN Server into the box. The server address 1 and the server address 2 can be the same or different. This option is optional. |
| ID | Specifies the IKE ID assigned to the client by the server. |
| Password | Specifies the password assigned to the client by the server. |
| Confirm Password | Enter the password again to confirm. |
| Auto Save | Select Enable to auto save the DHCP and WINS information released by the PnPVPN Server. |
| Egress Interface 1 | Specifies the interface connecting to the Internet. This option is required. |
| Egress Interface 2 | Specifies the interface connecting to the Internet. The IF1 and the IF2 can be the same or different. This option is optional. |
| Incoming IF | Specifies the interface on the PnPVPN Client accessed by the Intranet PC or the application servers. |
- Click OK to save the settings.
- Server Address1 and Egress IF1 both need to be configured. If you want to configure a backup link, you need to configure both Server Address2 and Egress IF2.
If the server addresses or the Egress IFs are different, two separate VPN links will be generated.
The two servers can be configured on one device or on two different devices. If you configure them on two devices, you need to configure the AAA user on both devices. The DHCP configuration for the AAA user should be the same on both; otherwise the client and server may negotiate successfully while the traffic is blocked.
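The pairing rules and the DHCP consistency requirement in the notes above can be checked before a branch is rolled out. The following Python sketch is an added example, not vendor code: the field names, sample addresses and dictionary layout are assumptions, and treating two identical address/interface pairs as a single link is an inference from the note rather than something the page states.

```python
import ipaddress

# Hypothetical field names mirroring the WebUI options in the table above.
REQUIRED = ("server_address1", "egress_if1")

def plan_links(client):
    """Validate a PnPVPN client definition and return the VPN links it yields."""
    errors = [f"{k} is required" for k in REQUIRED if not client.get(k)]
    addr2, if2 = client.get("server_address2"), client.get("egress_if2")
    # A backup link needs both Server Address2 and Egress IF2.
    if bool(addr2) != bool(if2):
        errors.append("backup link needs both server_address2 and egress_if2")
    for key in ("server_address1", "server_address2"):
        if client.get(key):
            try:
                ipaddress.ip_address(client[key])
            except ValueError:
                errors.append(f"{key} is not an IP address")
    if errors:
        raise ValueError("; ".join(errors))
    links = [(client["server_address1"], client["egress_if1"])]
    # Assumption: a second link exists only if the address or interface differs.
    if addr2 and (addr2, if2) != links[0]:
        links.append((addr2, if2))
    return links

def dhcp_mismatches(server_a, server_b, user):
    """Return the DHCP fields that differ for one AAA user on two servers."""
    a, b = server_a.get(user), server_b.get(user)
    if a is None or b is None:
        return ["AAA user missing on one server"]
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))

# Constructed sample data (documentation address ranges, made-up names).
CLIENT = {"server_address1": "198.51.100.1", "egress_if1": "ethernet0/1",
          "server_address2": "203.0.113.1", "egress_if2": "ethernet0/2",
          "id": "branch-01"}
HQ_A = {"branch-01": {"pool": "10.10.1.10-10.10.1.100", "mask": "255.255.255.0",
                      "gateway": "10.10.1.1", "dns": "10.0.0.53"}}
HQ_B = {"branch-01": {"pool": "10.10.1.10-10.10.1.100", "mask": "255.255.255.0",
                      "gateway": "10.10.2.1", "dns": "10.0.0.53"}}

if __name__ == "__main__":
    print("links:", plan_links(CLIENT))
    print("DHCP fields that differ:", dhcp_mismatches(HQ_A, HQ_B, "branch-01"))
```

A non-empty result from `dhcp_mismatches` points at the condition the last note warns about: both tunnels negotiate, but traffic over one of them is blocked.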