Viola M2M Gateway User Manual

Contents

1. [Figure 6.1: SSH VPN configuration screen]

   The configuration screen can be divided into different regions:

   - At the top is a summary of the peers and their last check.
   - Configured connections are listed next. If the number of peers is over 500, the list is divided into multiple pages. Below the list are the connection test buttons.
   - The key management field is located below the peer list. Only those peers that do not have a key yet are listed here. If an existing key for a peer needs to be changed, it must be done by editing the peer.
   - At the bottom is the SSH port configuration field.

   Using the action buttons on the peer list, the connections can be managed and monitored easily. See figure 6.2.

   [Peer list screenshot with the columns Peer, Interface, IP pair (m2mIP, peerIP), Routing, Remote IP, Netmask, Status and Check; cut off in the source]
2. 9.3 Date and time

   It is important to have the date and time set up correctly if certificate-based VPNs are in use. To configure date and time:

   1. Log in to the M2M Gateway and enter the web user interface main menu.
   2. From the top icon row on the blue background, select the System icon.
   3. From the System page, select the System Time icon.

   There are two methods to configure system time: manual, and automatic with the NTP protocol.

   9.3.1 Manual configuration

   To configure system time manually: enter the time and date in the System Time fields and press Apply, then Set system time to hardware time.

   [Figure 9.4: Manual system time configuration]

   9.3.2 Automatic configuration with NTP

   To configure system time automatically with the NTP protocol: enter a valid NTP server address in the Timeserver field and press the Sync and Apply button at the bottom of the screen.

   [Figure 9.5: Automatic system time configuration]

   9.4 Backup

   The Backup module saves the user-made settings of the Viola M2M Gateway. It backs up configuration files and k
3. [Figure 3.4: Select eth0 interface]

   10. Enter your preferred configuration in the configuration fields.

   [Figure 3.5: Ethernet configuration]

   11. Press the Save and Apply button when you are ready to activate your new settings. Note that your existing web browser connection hangs up after you apply the settings, so open a new connection to the new IP address (check your Ethernet cabling).
   12. Now you should be able to connect to the M2M Gateway with your new IP address.

   Chapter 4 Network Configuration

   This chapter describes how to configure network interfaces on the M2M Gateway.

   4.1 Configuration screens

   The network configuration screens can be found by going to the main menu and pressing the Network Configuration icon.

   [Figure 4.1: Network configuration menu, with the icons Network Interfaces, Routing and Gateways, Hostname and DNS Client, and Host Addresses, and an Apply Configuration button that activates the current boot-time interface and routing settings as they normally would be after a reboot. The screen warns that this may make the system inaccessible via the network and cut off access to Webmin.]

   Network Interfaces: Displays the running network configuration at the top, in the Interfaces Active Now list. Thi
4. Viola M2M Gateway User Manual
   Document version 3.0
   Modified June 25, 2008
   Firmware version 2.4

   Contents

   1 Introduction
     1.1 About Viola M2M Gateway
     1.2 M2M Gateway Features
     1.3 Packaging information
     1.4 Hardware description
       1.4.1 Front panel
       1.4.2 Back panel
       1.4.3 Product label
   2 Network Requirements
     2.1 Connection Principle
     2.2 Minimal Network Requirements
     2.3 Routing Setup
     2.4 Other Network Services
     2.5 Recommended Network Setup
     2.6 Using the Second Ethernet Port
   3 Quick Installation
     3.1 Setting IP Address Using Web Browser
   4 Network Configuration
     4.1 Configuration screens
   5 VPN connectivity
     5.1 ...
     5.2 Available VPN types
     5.3 Typical connection scheme
     5.4 Typical connection scheme with routing
   6 SSH VPN Configuration
     6.1 Introduction to SSH VPN
     6.2 SSH VPN configuration screen
     6.3 Creating New Connection
     6.4 Checking Connection
     6.5 Finalising SSH V
5. [Figure 9.9: System log view, a screenshot of syslog entries from sshd, logger (start_tunnel) and pppd]

   OpenVPN has its own logs, which can be found in the OpenVPN configuration.

   9.6 Supportlog

   Supportlog is a module that helps the Viola Systems technical support team in troubleshooting situations. It generates a collection of data from the system that helps in identifying the problem. It can generate a log package that can be e-mailed to Viola Systems technical support. It is possible to collect all the data or a smaller selection.

   Supportlog screen (screenshot text): "This module creates supportlog reports from system and peer status and configuration. Select which reports to show below." Selectable reports: SSH VPN interface status, SSH VPN peer configuration, SSH VPN keys and key status, L2TP interface status, L2TP peer configuration, OpenVPN interface status, OpenVPN peer configuration, Ethernet information, IP interface status and c
6. If a firewall or network configuration does not allow the use of a DMZ, or only a few hosts need to have access to the M2M Gateway, the second Ethernet port can be used. The second Ethernet port of the M2M Gateway can be enabled from the Web user interface. The IP address of the second Ethernet port of the M2M Gateway is then used as the default gateway for the devices connected to the second Ethernet port.

   [Figure 2.3: Second Ethernet port in use]

   Chapter 3 Quick Installation

   This chapter describes how to configure the network interfaces on the M2M Gateway.

   3.1 Setting IP Address Using Web Browser

   This section describes how to change the factory default IP address for the first time.

   1. Connect the cross-over Ethernet cable between the Viola M2M Gateway Ethernet 0 connector and your configuration computer.
   2. Configure your computer to use the same IP address space as the Viola M2M Gateway (laptop IP, for example, 10.10.10.11 with netmask 255.0.0.0). Check with the ping command.
   3. Connect to the Viola M2M Gateway using your web browser. The default IP address of the Viola M2M Gateway is 10.10.10.10, netmask 255.0.0.0. Note that you have to connect to HTTPS port 10000 (see figure 3.1).

   [Figure 3.1: Browser https example]

   4. Your browser might display a message about certificates; you can safely ignore it at this point.
   5. When you get to the login screen, enter username and
7. password and press the Login button.

   [Figure 3.2: Login screen]

   Note: The default username is viola-adm and the default password is violam2m. It is recommended that the default password is changed before the product is connected to a public network.

   6. Now you should be logged in and see the main configuration menu. Icons on the blue background are primary navigation icons and they are always visible on the screen. The icons below them are secondary navigation icons, and clicking them allows the user to change the specific settings they represent. See figure 3.3.

   [Figure 3.3: Main configuration menu]

   7. Select the Network Configuration icon on the first page.
   8. From the next screen, select the Network Interfaces icon.
   9. Below the text Interfaces Activated at Boot Time, select eth0.

   [Screenshot: Interfaces Activated at Boot Time list showing the eth0 entry]
8. the IP address has to be changed to the IP address of the machine the backup was created on. Afterwards the secondary unit can replace the primary unit seamlessly without any further configuration.

   9.5 System logs

   To reach the system logs:

   1. Log in to the M2M Gateway and enter the web user interface main menu.
   2. From the top icon row on the blue background, select the System icon.
   3. From the System page, select the System Logs icon.

   Logs can be searched for a defined text, or just the last n entries can be shown.

   [System log view screenshot, with the controls "Last 20 lines of" and "Only show lines with text" and syslog entries from sshd, logger (start_tunnel) and pppd]
9. the VPN peer is used as the target for the network connection status check, i.e. the M2M Gateway is not required to accept ICMP ECHO messages. The network connection status check can also be made using some public IP address, e.g. the public IP address of the M2M Gateway. In this case, the target host of the network connection check is required to accept ICMP ECHO messages, and they must not be blocked by any firewall.

   Service      Default port    Use
   SSH          22              SSH VPN tunnel, SSH remote access
   ICMP ECHO    ICMP            Network connection checking
   OpenVPN      1194 TCP/UDP    OpenVPN tunnel
   L2TP         1701            L2TP VPN tunnel

   Table 2.1: Network services

   2.5 Recommended Network Setup

   It is recommended to connect the M2M Gateway to a DMZ of a firewall. This way the M2M Gateway can have a public or private IP address, depending on the firewall configuration. When the M2M Gateway is placed in a DMZ, the firewall protects efficiently against any unauthorized access to it. Only incoming SSH connections are required to have access to the DMZ. Services other than SSH are optional.

   If the M2M Gateway is located in the DMZ and it has a private IP address, the firewall has to support port forwarding or destination network address translation (DNAT). For firewall configuration, please refer to your firewall documentation or to your local network administrator.

   [Figure 2.2: Recommended network setup]

   2.6 Using the Second Ethernet Port
10. with the instructions given in this manual, or if the product has been tampered with.

   The devices mentioned in this manual are to be used only according to the instructions described in this manual. Faultless and safe operation of the devices can be guaranteed only if the transport, storage, operation and handling of the devices is appropriate. This also applies to the maintenance of the products.

   To prevent damage, both the product and any terminal devices must always be switched OFF before connecting or disconnecting any cables. It should be ascertained that the different devices used have the same ground potential. Before connecting any power cables, the output voltage of the power supply should be checked.

   This product is not fault-tolerant and is not designed, manufactured or intended for use or resale as on-line control equipment in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life support machines, or weapons systems, in which the failure of our hardware or software could lead directly to death, personal injury, or severe physical or environmental damage.

   Chapter 1 Introduction

   This document describes how to configure the Viola M2M Gateway product.

   1.1 About Viola M2M Gateway

   The Viola M2M Gateway is a network device that enables VPN connection between the company network and remote Arctic devices. It can also be
11. [Figure 5.2: Typical network setup with routing]

   As the previous example explained some of the basic operations, this example assumes that those are clear at the time of reading this. If this is not the case, please take some time and browse the user interfaces of both the M2M Gateway and the Arctic. This will make the settings more familiar to you.

   Set the routing mode to "Tunnel the following network". The IP address and netmask are the address that is located on the opposite side of the tunnel. For example, on the Arctic, set the IP address to be the address that is assigned to eth1 of the M2M Gateway, and vice versa.

   Chapter 6 SSH VPN Configuration

   This chapter describes how to use the SSH VPN module on the Viola M2M Gateway.

   6.1 Introduction to SSH VPN

   SSH VPN uses SSH keys and the remote node's hostname to authenticate and validate remote connections. It is the default VPN for Viola Arctic products.

   6.2 SSH VPN configuration screen

   [Screenshot of the SSH VPN configuration screen, showing the peer summary (active and inactive peers) and the result of the last check]
12.
   1. Open the Arctic user interface and the SSH VPN configuration screen on the M2M Gateway in separate web browser windows.
   2. On the Arctic, navigate to the Network > SSH VPN page.
   3. Copy the key from the Arctic to the M2M (see figure 6.4).
   4. Select the correct peer from the list on the M2M, paste the Arctic key below and press the Enter key button.
   5. Copy the M2M key from the Server public key field.
   6. Copy the key from the M2M to the Arctic (see figure 6.4).

   [Figure 6.4: SSH VPN key exchange]

   After the keys are exchanged, the peer can be enabled on the M2M Gateway. Just press the Enable button on the peer list. Please note that the Arctic needs to be restarted before the connection comes up. After the Arctic restarts and connects, the peer status can be checked on the M2M by selecting a checkbox on the peer list and pressing the Start check button. For more information about configuring the Arctic, refer to the Arctic User Manual.

   6.4 Checking connection

   Connection status displayed on SSH
13. PN setup
     6.6 Editing existing connection
     6.7 SSH port configuration
   7 L2TP VPN Configuration
     7.1 Introduction to L2TP VPN
     7.2 L2TP VPN configuration screen
     7.3 Creating new connection
   8 OpenVPN Configuration
   9 Additional System Configuration
     9.1 Changing system password
     9.2 Firewall
       9.2.1 Firewall configuration screen
       9.2.2 Changing firewall rules
     9.3 Date and time
       9.3.1 Manual configuration
       9.3.2 Automatic configuration with NTP
     9.4 Backup
       9.4.1 Backup screen
       9.4.2 Creating backups
       9.4.3 Restoring backups
       9.4.4 Moving backups between units
     9.5 System logs
     9.6 Supportlog
     9.7 Factory default settings
   10 Advanced setting
14. Problems

   This warranty does not apply to (a) Viola Systems software products, (b) expendable components such as cables and connectors, or (c) third-party products, hardware or software, supplied with the warranted product. Viola Systems makes no warranty of any kind on such products which, if included, are provided AS IS. Excluded is damage caused by accident, misuse, abuse, unusually heavy use, or external environmental causes.

   13.3 Remedies

   Your sole and exclusive remedy for a covered defect is repair or replacement of the defective product, at Viola Systems' sole option and expense, and Viola Systems may use new or refurbished parts or products to do so. If Viola Systems is unable to repair or replace a defective product, your alternate exclusive remedy shall be a refund of the original purchase price.

   The above is Viola Systems' entire obligation to you under this warranty. IN NO EVENT SHALL VIOLA SYSTEMS BE LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES OR LOSSES, INCLUDING LOSS OF DATA, USE, OR PROFITS, EVEN IF VIOLA SYSTEMS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall Viola Systems' liability exceed the original purchase price of the device server. Some states or countries do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.

   13.4 Obtaining Warranty Service

   You must notify Viola Systems within th
15. VPN page does not update automatically; it has to be updated manually if the current status needs to be checked. To check the current status of a peer:

   1. The peers to be checked are selected by using the checkboxes next to the peer names. Peers can be selected individually, or they can all be selected using the Check all button.
   2. The connection check is started by pressing the Start check button. After the check is done, the results are displayed above the peer list (Checked n Peers > n OK n Failed date).
   3. Results for individual peers can be seen in the Check column on the peer list.

   Note: The peer interface tells which interface is assigned to a peer. It is a local interface on the M2M Gateway, and it cannot be used to determine the current connection status.

   6.5 Finalising SSH VPN setup

   After all the peers have been configured, there are a couple of issues that need some attention:

   1. Keys need to be locked. This can be done by pressing the Lock keys button. This locks the keys and prevents their accidental deletion.
   2. Create a backup. Instructions for this can be found in section 9.4.

   6.6 Editing existing connection

   Peers can be edited by selecting the Edit button from the peer list. All the parameters except the peer name can be changed from this edit screen. Note that the keys must be unlocked if keys need to be changed.

   [Screenshot: Edit peer screen, cut off in the source]
16. can log in to the system are viola-adm and root.

   - User viola-adm is the only one who can log in to the web user interface.
   - User root can log in only locally; remote root access is restricted.

   9.2 Firewall

   The firewall is an important part of the M2M Gateway product. The firewall should always be turned on and configured as strictly as possible to keep out any unauthorized traffic. It is not recommended to use the M2M Gateway without the firewall turned on if it is connected to any public network. For a more detailed explanation of firewall configuration, refer to the application note Configuring Viola M2M Gateway firewall.

   9.2.1 Firewall configuration screen

   To reach the firewall configuration screen:

   1. Log in to the M2M Gateway and enter the web user interface main menu.
   2. From the top icon row on the blue background, select the Networking icon.
   3. From the Networking page, select the Linux Firewall icon.

   The firewall configuration is divided into sections. The firewall has three chains, input, forward and output, which are listed separately.

   [Firewall configuration screenshot showing the packet filtering (filter) table and the Incoming packets (INPUT) chain. The rules visible include: Accept if state of connection is ESTABLISHED; Accept if state of connection is RELATED; Accept if protocol is ICMP; Accept if protocol is TCP and destination port is 22 and state of connection is NEW.]
17. e warranty period to receive warranty service. During the warranty period, Viola Systems will repair or replace, at its option, any defective products or parts at no additional charge, provided that the product is returned, shipping prepaid, to Viola Systems. All replaced parts and products become the property of Viola Systems. Before returning any product for repair, customers are required to contact the Viola Systems.

   Chapter 14 Technical Support

   14.1 Contacting Technical Support

   - Phone: +358 20 1226 226
   - Fax: +358 20 1226 220
   - E-mail: support@violasystems.com
   - On-line: http://www.violasystems.com

   14.2 Recording Product Information

   Before contacting our Technical Support staff, record the following information about your product:

   - Product name
   - Serial no.

   Note the status of your product in the space below before contacting technical support. Include information about error messages, diagnostic test results, and problems with specific applications.

   Index: About; Back panel; Backup; Copyright; Date and time; Disclaimer; Factory defaults; Features; Firewall; Front panel; IP address; L2TP VPN; Limited warranty; Network requirements; Network services; OpenVPN; Packaging; Password; Product label; Quick start; Revision history; Specifications; SSH VPN; System log; VPN overview; Warranty
18. [Figure 6.5: SSH VPN peer edit screen]

   6.7 SSH port configuration

   The default port for SSH is 22. It is recommended to change this to something less common to increase system security. Changing the SSH port on the M2M Gateway is done by entering the new port in the configuration field located at the bottom of the SSH VPN configuration screen and pressing the Change port button. Note that changing the SSH port on the M2M Gateway requires configuration changes to the SSH VPN connected Arctics as well. Remote SSH access also has to use the new port.

   Chapter 7 L2TP VPN Configuration

   7.1 Introduction to L2TP VPN

   L2TP VPN uses a username and password to authenticate and validate remote connections. It is available on Viola Arctic products.

   7.2 L2TP VPN configuration screen

   The configuration screen is shown in figure 7.1.

   [Figure 7.1: L2TP VPN configuration screen]

   Using the action buttons on the peer list, the connections can be managed and
19. eys of VPN tunnels and firewall settings.

   9.4.1 Backup screen

   The backup screen can be found from the Web user interface main screen. Press the Viola M2M Backup icon to open the backup screen.

   [Figure 9.6: Backup screen]

   9.4.2 Creating backups

   From the first page, select the Viola M2M Backup icon and press the create backup button to create a backup file. When the backup is created successfully, a notification text appears.

   [Figure 9.7: Backup created message]

   9.4.3 Restoring backups

   Press the open button to select the backup you want to restore, and press the restore backup button to restore the backup.

   [Figure 9.8: Backup restore selection]

   9.4.4 Moving backups between units

   To restore a backup on a different machine, the backup file has to be copied into the /opt/viola/m2mBackups directory on the second machine. Besides that, the MD5 file also has to be copied onto the new machine. This file has to be copied into the /opt/viola/MD5 directory. After restoring the backup as described above
20. f its products, or to discontinue the manufacture of any of its products, or to discontinue the support of any of its products, without any written announcement, and urges its customers to ensure that the information at their disposal is valid.

   Viola software and programs are delivered "as is". The manufacturer does not grant any kind of warranty, including guarantees on suitability and applicability to a certain application. Under no circumstances is the manufacturer or the developer of a program responsible for any possible damages caused by the use of a program. The names of the programs, as well as all copyrights relating to the programs, are the sole property of Viola Systems. Any transfer, licensing to a third party, leasing, renting, transportation, copying, editing, translating, modifying into another programming language or reverse engineering for any intent is forbidden without the written consent of Viola Systems.

   Viola Systems has attempted to verify all information in this manual as of the publication date. We assume no responsibility for any errors that may appear in this guide. Information in this manual may change without prior notice from Viola Systems.

   Revision History

   05/2004  Manual released, version 1.0
   08/2004  Version 2.0
   06/2008  Version 3.0

   Warranty and Safety Instructions

   Read these safety instructions carefully before using the product. Warranty will be void if the product is used in any way which is in contradiction
21. face.

   - SSH/Telnet Login: debugging console, not recommended for normal usage.

   Others menu

   [Figure 10.3: Others menu]

   - Command Shell: debugging console for system-level commands.
   - Webmin Actions Log: Web user interface access log data.

   Chapter 11 Troubleshooting

   Q: When setting up routing mode "tunnel the following network", routing to the M2M Gateway eth1 does not work.
   A: Check that IP forwarding has been enabled and that the internal firewall does not block packets.

   Q: From the Arctic Ethernet, the connection to the M2M Gateway Ethernet is not working.
   A: Check that IP forwarding has been enabled on the Arctic.

   Q: If only one public IP is available, can the M2M Gateway be used?
   A: Yes, if the firewall connected to the public IP can forward incoming SSH connections to the M2M Gateway.

   Chapter 12 Technical Specifications

   Table 12.1: Technical specifications

   Technical specifications can be changed without notification.

   Chapter 13 Limited Warranty

   13.1 Coverage

   Viola Systems warrants this hardware product to be free from defects in materials and workmanship for the warranty period. This non-transferable, limited warranty is only to you, the first end-user purchaser. The warranty begins on the date of purchase and lasts for the period specified below:

   Viola M2M Gateway: one (1) year

   13.2 Excluded Products and
22. g in the company intranet may require configuration in order to integrate the M2M Gateway into an existing network.

   2.2 Minimal Network Requirements

   At its minimum, the M2M Gateway requires these settings:

   - One public IP address for the M2M Gateway
   - SSH port (default 22) unblocked for incoming connections to the M2M Gateway from the remote network

   Although this configuration is minimal, it can be used for testing and evaluating more complex systems. It is always recommended to consult the local network administrator when installing new servers on a public network.

   2.3 Routing Setup

   When the M2M Gateway is installed in an existing network, some configurations require adding a route to the M2M Gateway and the devices behind it. This means that, for example, the local firewall or router needs to be aware of routes going via the M2M Gateway. Routing can be complex to set up in large networks, and it is recommended to consult the local network administrator about routing as well.

   2.4 Other Network Services

   The M2M Gateway network services are listed in table 2.1. The only mandatory service is Secure Shell (SSH). The SSH server listens for incoming connections from Arctic devices on port 22 (default). This port must not be blocked by any firewall; otherwise the remote Arctic devices are not able to open VPN connections to the M2M Gateway. The Arctic uses ICMP ECHO (ping) messages to check its network connection to the M2M Gateway. By default the private IP address of
23. ine the remote network routed through the tunnel.
   4. The username and password must be the same as on the Viola Arctic.
   5. When you are done, press the Confirm button to save the settings. The tunnel should now be added to the tunnel list.
   6. Enable the tunnel by clicking the Enable text.
   7. The connection can be tested by selecting the checkbox next to the peer name and pressing the Start check button. See figure 7.1.

   [Figure 7.3: L2TP VPN new peer]

   Chapter 8 OpenVPN Configuration

   Please refer to the Viola Systems OpenVPN application note.

   Chapter 9 Additional System Configuration

   9.1 Changing system password

   It is always recommended that the default password be changed during the installation. To change the password for the user interface login:

   1. From the top icon row on the blue background, select the System icon.
   2. From the System page, select the Change Passwords icon.
   3. From the user list, select user viola-adm.
   4. Enter the new system password and press Change to commit the new password. See figure 9.1.

   [Figure 9.1: Password change screen]

   Note that the only users who
24. monitored easily. See figure 7.2. The possible actions are visible in the figure; these are, from left to right:

   1. Connectivity test selection box
   2. Peer status icon (enabled or disabled)
   3. Peer name
   4. Interface (available if the peer is up)
   5. IP pair assigned to the tunnel
   6. Routing mode (none or network)
   7. Remote IP, if routing mode is set to network
   8. Netmask, if routing mode is set to network
   9. L2TP username
   10. L2TP password
   11. Status (Active or Inactive)
   12. Check status from the last check (n/a, OK or Failed)
   13. Enable/Disable button
   14. Edit button
   15. Remove button

   [Figure 7.2: L2TP VPN peer listing]

   7.3 Creating new connection

   To create a new connection:

   1. From the L2TP VPN configuration screen, select the Add peer button.
   2. Fill in the settings for the tunnel. For a simple point-to-point tunnel, only the peer name and IP pair are needed. The peer name is the hostname of the Viola Arctic that forms the other end of the tunnel. The IP pair is an IP pair that does not conflict with any other address used. See figure 7.3.
   3. Routing mode selects whether the network on the other side of the tunnel is routed through the tunnel. Remote network IP and network mask def
25. nector
5. Parallel connector
6. VGA display connector
7. Ethernet 0 connector (Eth0, WAN)
8. Ethernet 1 connector (Eth1, LAN)

1.4.3 Product Label

Product label is found on the bottom of the device and it contains the basic information about the unit, such as product name, serial number and MAC addresses of Ethernet ports.

[Figure 1.4: Product label]

Chapter 2 Network Requirements

To work properly, M2M Gateway requires the parameters described in this chapter to be configured. For your network settings, contact your local network administrator.

Note: Misconfiguration of the M2M Gateway can seriously hinder your network. Make sure you verify your network configuration with your local network administrator.

2.1 Connection Principle

Company Intranet is normally connected to the Internet via a firewall. Figure 2.1 shows the M2M Gateway connected to the Demilitarized Zone (DMZ) of the firewall. This configuration allows hosts from Company Intranet to connect via the firewall to the M2M Gateway. Other configurations are also possible.

[Figure 2.1: DMZ Connection]

Note: It is possible that internal routin
26. [Figure 9.10: Supportlog screen. Legible entries: IP routing status and configuration; Open and established TCP and UDP connections; Firewall status and configuration; Firmware version; Process list and CPU and memory usage; system log; security log; tunnel log; backups status]

9.7 Factory default settings

Factory default settings can be restored by selecting factoryBackup from the backup restore selection screen. See section 9.4.

Chapter 10 Advanced settings

These configuration options are targeted for advanced users only. Under normal operation these should not be changed.

System menu

[Figure 10.1: System menu]

• Bootup and Shutdown: change process and system level services on startup.
• Running Processes: can be used for monitoring current processes and deleting processes.
• SysV Init Configuration: inittab configuration, runlevels for system startup.
• System and Server Status: N/A, reserved for future use.

Networking menu

[Figure 10.2: Networking menu]

• SSH Server: Advanced SSH server configurations. Under normal operation only SSH port is changed from SSH VPN user inter
27. out external firewall. The recommended method is to use a dedicated firewall and install M2M Gateway behind it.

VPN: VPN is used to connect remote Arctic devices to the local network. The connection is started by the Arctic, and the M2M Gateway decides, based on its configuration, whether it allows the remote Arctic to start a VPN connection. VPN connection can be disabled from M2M Gateway. If the connection is for some reason terminated, it comes back up automatically.

Remote Management: M2M Gateway offers full remote management. Traditional console access is also available using SSH.

1.3 Packaging information

The product package should contain the following items:

• Viola M2M Gateway
• Power cord
• Viola M2M Gateway Quick Start Guide

1.4 Hardware description

This section describes the front and back panel features of M2M Gateway.

1.4.1 Front panel

M2M Gateway front panel is shown in figure 1.2.

[Figure 1.2: Front panel]

LEDs and switches from left to right:

1. Temp LED (lit if system temperature is too high)
2. Nic 2 activity LED (Eth 1, LAN)
3. Nic 1 activity LED (Eth 0, WAN)
4. HD activity LED
5. Power LED
6. Reset switch
7. Power switch

CHAPTER 1 INTRODUCTION

1.4.2 Back panel

M2M Gateway back panel is shown in figure 1.3.

[Figure 1.3: Back panel]

Connectors from left to right:

1. Power plug
2. Mouse and keyboard connector
3. USB connectors
4. Serial con
28. parison is shown in table 5.1.

Type        Description                                      Default port
SSH VPN     Default tunnel for Viola Arctic products         22 TCP
L2TP VPN    Lighter but less secure alternative to SSH VPN   1701 UDP
OpenVPN     Best option for laptops and remote management    1194 UDP

Table 5.1: VPN comparison table

Selection of VPN depends on requirements, available link capacity and used hardware.

5.3 Typical connection scheme

Typical connection scheme is described in figure 5.1.

[Figure 5.1: Typical VPN connection]

CHAPTER 5 VPN CONNECTIVITY

Network configuration in VPN tunneling will be easier if some rules are followed:

• Network addresses cannot overlap; it is always best to use a dedicated IP address range for VPN tunnels. Remember that VPN tunnel addresses are only visible between M2M Gateway and the remote node.
• Netmasks should be strict to prevent network overlapping.
• Draw a network diagram with all the relevant information about the network you are building.

5.4 Typical connection scheme with routing

This example shows a slightly larger system. This common setup is practical in connecting remote networks as a part of the local network. This could be used to connect isolated remote stations to a local monitor station.
29. [Figure 9.2: Firewall chain listing. Legible rule rows: "Accept if protocol is UDP and destination port is 1194 1199"; "Accept if protocol is TCP and destination port is 10000 and state of connection is NEW". Buttons: Select all, Invert selection, Set Default Action To Drop, Clear All Rules, Delete Selected, Add Rule]

On the bottom there are action buttons which can be used to apply or revert the changes.

[Figure 9.3: Firewall action buttons. Button descriptions shown in the figure:]

• Click this button to make the firewall configuration listed above active. Any firewall rules currently in effect will be flushed and replaced.
• Click this button to reset the configuration listed above to the one that is currently active.
• (Yes/No) Change this option to control whether your firewall is activated at boot time or not.
• Click this button to clear all existing firewall rules and set up new rules for a basic initial configuration.

9.2.2 Changing firewall rules

Default firewall rules allow only Arctic traffic. Rules can be changed in the firewall configuration screen.

1. Existing firewall rules can be modified by clicking the colored Action text (Drop/Accept).
2. New rules can be added by clicking the blue arrows on the left side of the rules.
3. Modified rules can be applied, or old rules can be reset, using the buttons at the end of the page.

The modified rules have to be applied by pressing the Apply Configuration button before they are in use.
30. s
11 Troubleshooting
12 Technical Specifications
13 Limited Warranty
13.2 Excluded Products and Problems
13.4 Obtaining Warranty Service
14 Technical Support
14.1 Contacting Technical Support
14.2 Recording Product Information

Copyright and Trademark

Copyright 2008 Viola Systems Ltd. All rights to this manual are owned solely by Viola Systems Ltd (referred to in this manual as Viola Systems). All rights reserved. No part of the contents of this manual may be transmitted or reproduced in any form or by any means without the written permission of Viola Systems.

Ethernet is a trademark of XEROX Corporation. Windows and Internet Explorer are trademarks of Microsoft Corporation. Netscape is a trademark of Netscape Communications Corporation. Linux is a Registered Trademark of Linus Torvalds. All other product names used in this manual are the properties of their respective owners and are acknowledged.

Contact Information

Viola Systems Ltd
Lemminkäisenkatu 14-18 B
FIN-20520 Turku
Finland

Technical Support
Phone: 358 0 20 1226 226
Fax: 358 0 20 1226 220
E-mail: support@violasystems.com
On-line: http://www.violasystems.com

Disclaimer and Revisions

Viola Systems reserves the right to change the technical specifications or functions o
31. s list contains all the interfaces running locally, including VPN interfaces. On the bottom there is a listing of physical interfaces eth0 and eth1. Interface configuration can be changed by pressing the underlined interface name. See figure 4.2.

[Figure 4.2: Network interface list. Columns: Name, Type, IP Address, Netmask, Activate at boot, Proxy ARP enabled]

Routing and Gateways: Configures default route and static routes, and displays running routes. Default route can be changed from this screen. Enter the correct interface and IP address and press the Save button. Note: do not define more than one default route.

Hostname and DNS Client: Configures hostname and DNS settings.

Host Addresses: Shows hostnames assigned to IP addresses.

Chapter 5 VPN connectivity

5.1 VPN requirements

VPN implementation on M2M Gateway requires:

• Open port in firewall for the selected VPN server port
• Fixed IP address for M2M Gateway, accessible from public Internet or used APN
• Remote client to connect to M2M Gateway, most commonly a Viola Arctic product
• Usually a third node to monitor the connections and to access remote nodes (laptop, central management)

Note that the M2M Gateway needs a fixed IP address.

5.2 Available VPN types

Available types are L2TP, SSH and OpenVPN small com
32. [Figure 6.2: SSH VPN peer listing]

Possible actions are visible in link to figure; these are, from left to right:

1. Connectivity test selection box
2. Peer status icon (enabled or disabled)
3. Key status icon
4. Peer name
5. Interface assigned to peer
6. IP pair assigned to tunnel
7. Routing mode (none or network)
8. Remote IP (if routing mode is set to network)
9. Netmask (if routing mode is set to network)
10. Status (Active or Inactive)
11. Check status from last check (n/a, OK or Failed)
12. Enable/Disable button
13. Edit button
14. Remove button

6.3 Creating new connection

To configure a new connection:

1. Go to the SSH VPN configuration page.
2. Press the Add peer button located between the peer list and the key management box. See figure 6.1.
3. Enter values to fields. Required fields are peer name and IP pair. See figure 6.3.
   Note: Peer name must be the same as the hostname on the Arctic.
4. Press the Confirm button and return to the previous screen.

[Figure 6.3: SSH VPN peer creation screen. Fields: Peer name, IP pair (m2mIP, peerIP), Routing mode, Remote network IP, Remote network mask]

After a new peer has been created it will show up in the peer list and its status will be disabled. To enable it, the keys must be exchanged between Viola M2M Gateway and Arctic. To do this CH
33. used to control and monitor Arctic devices in local or remote networks. Concept of the Viola M2M Gateway is described in figure 1.1.

[Figure 1.1: Viola M2M Gateway concept]

Only a computer with a network connection and an HTML browser is required to configure the M2M Gateway. Using the M2M Gateway Web user interface you can configure and view the status of the remote Arctic devices and configure the VPN connection between M2M Gateway and Arctic device. Arctics have a WWW user interface which can be used to configure them using an HTML browser.

For the rest of this documentation the Viola M2M Gateway is referred to as M2M Gateway.

1.2 M2M Gateway Features

The M2M Gateway offers different advanced features for network usage. In the simplest usage only the VPN feature is used, but M2M Gateway makes it possible to build complex network configurations.

Routing: M2M Gateway can forward packets to the local Ethernet eth0, which is connected to the company network. It is also possible to route packets to the second Ethernet eth1 of M2M Gateway. More complex routing solutions can be made, but they need consultation with your local network administrator.

Firewall: The M2M Gateway has an internal firewall with a graphical user interface. It is possible to connect M2M Gateway directly to the Internet and filter unwanted connections with
