
Virtual Private Network Configuration and Management

November 2006

Document No. DC-1085-40

Gilat Satellite Networks Ltd.

This document contains information proprietary to Gilat Satellite Networks Ltd. and may not be
reproduced in whole or in part without the express written consent of Gilat Satellite Networks Ltd. The
disclosure by Gilat Satellite Networks Ltd. of information contained herein does not constitute any
license or authorization to use or disclose the information, ideas or concepts presented. The contents of
this document are subject to change without prior notice.
SkyEdge VPN Configuration and Management

Contents

1. Purpose of this Document .............................................................................................1

2. Introduction....................................................................................................................2
2.1 General Overview of the IPSec Framework .............................................................2
2.2 SkyEdge VPN System Components.........................................................................3
2.2.1 SkyEdge VPN Network Topology ..................................................................4
2.2.2 Inbound Data Path ........................................................................................4
2.2.3 Outbound Data Path......................................................................................6
2.2.4 VPN Acceleration Device (VPNA)..................................................................7
2.3 SkyEdge VPN Main Features ..................................................................................8
2.3.1 VPN Authentication Method ..........................................................................9
2.3.2 VPN Management and Control ......................................................................9
2.3.3 VPNA Redundancy .......................................................................................9
2.3.4 VPNA Switchover Criteria ...........................................................................10
2.3.5 System Availability and Installation .............................................................10
2.4 SkyEdge VPN Sample Setup and IP Addresses ....................................................10
2.4.1 VPN Network IP Scheme ............................................................................11
2.5 VPNA SNMP Support ............................................................................................12

3. Configuring VPNA at the SkyEdge Hub ......................................................................14


3.1 Procedure Overview ..............................................................................................14
3.2 System Spreadsheet Configuration........................................................................14
3.3 Copying VPNA Software Pack Files to the Repository Directory ............................15
3.4 Defining VPNA on the NMS ...................................................................................17
3.5 Configuring VPNA Parameters ..............................................................................20
3.6 Configuring VPNA Redundant Parameters ............................................................27
3.7 Committing VPNA Configuration and Creating VPNA Config.xml File ....................29
3.8 Rebooting VPNA from the NMS .............................................................................30
3.9 Configuring VPNA NAT Parameters.......................................................................31
3.9.1 Configuring Static NAT at the VPNA............................................................31
3.9.2 Configuring Dynamic NAT at the VPNA.......................................................34
3.9.3 Working without NAT...................................................................................37
3.10 Copying the VPNA Operational and Configuration Files to an External Device ......39

4. Configuring VSAT VPN Parameters ............................................................................40


4.1 Activating VSAT Software Licensing ......................................................................40
4.2 Configuring VSAT VPN Tunnel ..............................................................................42
4.3 Committing VSAT Configuration Changes and Resetting VSATs ...........................48

SE VPN Configuration and Management


November, 2006 i
Proprietary and Confidential

5. Installing VPNA at the Data Center .............................................................................50


5.1 Preparing for the VPNA Installation at the Data Center Site...................................50
5.2 Installing VPNA .....................................................................................................51
5.3 Configuring VPNA Automatic Flash Boot Mode......................................................52
5.3.1 Procedure Prerequisites..............................................................................52
5.4 Switching to the VPNA Manual Boot Mode via CLI ................................................52
5.5 Configuring VPNA IP Addresses............................................................................55
5.6 Loading VPNA Operational File .............................................................................57
5.7 Selecting the Active Memory Bank for the Operational File....................................62
5.8 Loading VPNA Configuration File ..........................................................................65
5.9 Selecting the Active Memory Bank for the Configuration File .................................67
5.10 Selecting Automatic Flash Boot Mode from the Web..............................................68
5.11 Rebooting VPNA....................................................................................................70
5.12 Installing and Configuring the Redundant VPNA Card ...........................................72

6. Configuring VPNA via the Web Interface ....................................................................73


6.1 Configuring the VPNA Parameters.........................................................................73
6.2 Submitting VPNA Configuration Changes ..............................................................80
6.3 Enabling Configuration Version Check...................................................................82
6.4 Rebooting VPNA....................................................................................................83

7. VPNA Monitoring..........................................................................................................85
7.1 VPNA SkyManage Telemetries..............................................................................85
7.1.1 VPNA Status ...............................................................................................85
7.1.2 VPNA Info ...................................................................................................86
7.1.3 VPNA CPU Usage Telemetry ......................................................................87
7.1.4 VPNA Active Backbone Links Telemetry .....................................................89
7.2 VPNA Console Commands ....................................................................................92
7.2.1 VERSION....................................................................................................93
7.2.2 BB LINKS....................................................................................................94
7.2.3 CPU Utilization............................................................................................96
7.2.4 IP RTDMP...................................................................................................97
7.2.5 ROUTE PRINT ..........................................................................................100
7.2.6 OB STAT ..................................................................................................101
7.2.7 IB STAT ....................................................................................................103
7.2.8 VIEW Configuration...................................................................................105
7.3 NAT Commands ..................................................................................................106
7.3.1 IP NAT LNK ..............................................................................................106
7.3.2 NAT CFG ..................................................................................................106
7.3.3 NAT DFG ..................................................................................................106
7.3.4 NAT HLIST................................................................................................106


7.4 VPNA Redundancy Commands ...........................................................................107


7.4.1 REDUN STAT ...........................................................................................107

8. Cisco VPN Server Configuration ...............................................................................108


8.1 VPN Server Configuration....................................................................................108
8.1.1 Router Configuration without Comments ...................................................111

9. Basic Troubleshooting Procedures ..........................................................................113


9.1 Troubleshooting VPNA Installation ......................................................................113
9.2 General Troubleshooting Procedures ..................................................................113
9.3 Using VPNS Debugger ........................................................................................115

10. Appendix A - VPNA Boot Modes ...............................................................................117

11. Appendix B - Switching to the VPNA Manual Boot Mode via the Web ....................118

12. Appendix C – Selecting Automatic Flash Boot Mode from the VPNA Console ......120


1. Purpose of this Document

This document describes the SkyEdge VPN solution. This document consists of the
following main sections:

• Introduction – Provides a brief overview of the VPN technology, the IPSec
  framework, and the SkyEdge implementation of the VPN technology. This
  section also describes the Inbound and Outbound data paths in a SkyEdge VPN
  network.

• Configuring VPNA at the SkyEdge Hub – Provides a detailed description of the
  VPN installation and configuration.

• Configuring VSAT VPN Parameters – Provides a detailed description of the
  configuration performed on the VSATs in order to support VPN.

• Installing VPNA at the Data Center – Provides a step-by-step description of the
  VPNA installation procedures at the Data Center.

• Configuring VPNA via the Web Interface – Explains how to use the VPNA Web
  interface (SkyManage).

• VPNA Monitoring – Lists the main VPNA Web and CLI commands that enable
  monitoring the VPNA operation.

• Cisco VPN Server Configuration – Provides a sample configuration of the VPNS
  server.

• Basic Troubleshooting – Describes basic procedures that can be performed after
  completing the installation and configuration of a SkyEdge VPN network.

NOTE
The procedures described in this document are applicable to SkyEdge
versions 4.X and VPNA version 02.00.01.00.

NOTE
This document does not describe the VPNA upgrade procedures.


2. Introduction

The SkyEdge VPN feature enables remote sites to use the Internet or any public
network to obtain secure access to an organization’s central site or to a business
partner network.

This document explains how to configure embedded VPN VSATs and the VPN
Acceleration (VPNA) server. It also contains a configuration example for a 3rd party
VPN server (VPNS) that is not managed by Gilat or the NMS.

The procedures described in this document should be performed by trained technical
personnel who have knowledge of and working experience with embedded VPN
(EVPN) clients, VPNA servers, and Gilat SkyEdge NMS systems.

The VPN solutions described in this document use security protocols that comply
with IPSec standards.

NOTE
To support VPN operations, the SkyEdge NMS system must have the
relevant software licenses. For more information, see
Section 4.1 Activating VSAT Software Licensing.

2.1 General Overview of the IPSec Framework

A Virtual Private Network (VPN) uses the IPSec (Internet Protocol Security)
framework, which provides:

• Authentication – The ability to verify that each side of a communications
  channel (tunnel) is exactly the entity it claims to be, so that a peer cannot be
  substituted without detection

• Integrity – The ability to verify and validate that data sent through the tunnel
  was not altered in any way

• Confidentiality – The ability to prevent other parties from viewing or
  understanding the information sent through the tunnel

• Encryption – The method used to achieve confidentiality

• Non-repudiation – The ability to prove that specific information was sent by the
  other side

Note that the SkyEdge tunnels are authenticated with a pre-shared secret (see
Section 2.3.1 VPN Authentication Method). Because both peers hold the same key,
either side could have produced a given packet, so in this configuration IPSec
provides authentication and integrity between the two peers but not
non-repudiation toward a third party.


2.2 SkyEdge VPN System Components

The EVPN system uses the following components:

• An Embedded VPN client that resides in each SkyEdge VSAT.

• A VPN Acceleration device (VPNA) that resides in each Remote Data Center that
  requires VPN connection service. The VPNA server does not reside at the
  SkyEdge hub and is not controlled by the SkyEdge NMS.

• A 3rd party VPN Gateway (VPNS) that resides in each Remote Data Center that
  requires VPN connection service. This component is not under Gilat control. The
  following options are supported:

  - Cisco Router with compatible IOS, PIX Firewall version 6.3 or later, and
    Concentrator 3000
  - CheckPoint Firewall-1 and VPN-1 package (NG R55 or later)
  - Netscreen NS family
  - Nortel
  - Linksys product line

NOTE
• The VPN server (VPNS) is not under Gilat control and must be
  configured and managed in accordance with the instructions of its
  manufacturer.
• The VPNS server is always defined as the default gateway of the
  Destination PC. This way the basic configuration of the customer’s
  network is not affected by the SkyEdge VPN feature and the Destination
  PC does not have to be dedicated to the VPN implementation.


2.2.1 SkyEdge VPN Network Topology

Figure 1 presents a typical VPN configuration in a SkyEdge network.

Figure 1: General View of the VPN Site-to-Site Topology

NOTE
The Allot QoS device is configured to prioritize the VPN encrypted traffic
over the other traffic.
In the shared hub environment, an additional Allot QoS device (total of
two Allot QoS devices) must be installed at the hub.

2.2.2 Inbound Data Path

This section provides a brief description of the Inbound Data path in a typical
SkyEdge-VPN system:

• The PC connected to the VSAT (Source PC) generates an IP packet and sends it
  to the VSAT. The source of the packet is the Source PC and the destination is the
  Remote Data Server located at the Customer’s site.

• The VSAT receives the IP packet and sends an acknowledgement message to the
  PC.

• The VSAT applies Gilat proprietary protocols (adds the Backbone headers to the IP
  packet) and applies TCP spoofing techniques for acceleration purposes.

• The VSAT applies VPN (IPSec) encryption to the packet and sends it to the
  DPS over the Inbound. The source of the packet is changed to the VSAT IP
  address and the destination is changed to the VPNS.

• The DPS receives the packet and routes it to its destination, the VPNS. The DPS
  does not process the packet; it only routes it to the VPNS. The source of the
  packet is the VSAT IP address and the destination is the VPNS.

• The VPNS receives the packet, strips the IPSec encryption layer and
  sends the packet to the VPNA. The source of the packet is the VSAT IP address
  and the destination is changed to the VPNA server.

NOTE
In a SkyEdge VPN network, it is possible to implement NAT at the VPNA
(see Section 3.9 Configuring VPNA NAT Parameters).

In systems without NAT:

• The VPNA removes the Backbone headers and handles the TCP spoofing. The
  source of the packet is changed to the Source PC and the destination is changed
  to the Remote Data Server.

• The VPNA delivers the original source IP packet to the Remote Data Server at
  the Customer’s Data Center.

In systems with NAT:

• The VPNA removes the Backbone headers and handles the TCP spoofing. Then,
  according to the NAT configuration, the source IP address of the packet (the PC
  connected to the VSAT) is replaced with a predefined, pre-allocated local IP
  address.

• The VPNA delivers the IP packet (from the new local IP address) to the Remote
  Data Server at the Customer’s Data Center site.


NOTE
The use of NAT in a SkyEdge VPN network is not mandatory. The
decision on whether to use NAT is based on the nature of the applications
and the system architecture.
If NAT is not used, permanent routing entries or the default gateway must
be defined at the Destination PC so that packets returning to the VSATs
are sent first to the VPNA and not directly to the VPNS. In the setups
described here the VPNS is the default gateway of the Destination PC, so
the routes toward the VSAT-side networks must point at the VPNA.
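The routing requirement in this note can be checked with a small model. The following Python block is an added example, not part of the Gilat document; it implements longest-prefix-match lookup over a host routing table and uses the sample addresses from Table 1 (VPNA 10.2.2.2, VPNS 10.2.2.254, Source PC 10.10.2.2) to show that, with only the default gateway, a reply to the Source PC is handed to the VPNS and bypasses the VPNA, while a permanent entry for the VSAT network restores the correct path. The /24 prefix for the VSAT LAN is an assumption; Table 1 lists only the addresses.

```python
import ipaddress

# Sample addresses taken from Table 1 of this document.  The /24 prefix length
# for the network behind the VSAT is an assumption made for this example.
VPNA_IP = "10.2.2.2"        # VPNA Application interface at the Data Center
VPNS_IP = "10.2.2.254"      # VPNS, default gateway of the Destination PC
VSAT_LAN = "10.10.2.0/24"   # network behind the VSAT (Source PC is 10.10.2.2)
SOURCE_PC = "10.10.2.2"


def next_hop(routes, dst_ip):
    """Longest-prefix-match lookup over a list of (prefix, gateway) entries,
    which is how a host picks the gateway for a packet.  Returns the gateway
    address the packet is handed to."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_gw = None, None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gateway
    if best_gw is None:
        raise LookupError(f"no route to {dst_ip}")
    return best_gw


def reply_reaches_vpna(routes, src_pc_ip=SOURCE_PC):
    """True when the Destination PC's reply to the Source PC is handed to the
    VPNA first (so Backbone headers and TCP spoofing are applied), False when
    it goes straight to the VPNS and the accelerated path is bypassed."""
    return next_hop(routes, src_pc_ip) == VPNA_IP


# Two Destination PC routing tables to compare.
DEFAULT_GATEWAY_ONLY = [("0.0.0.0/0", VPNS_IP)]
WITH_PERMANENT_ROUTE = [("0.0.0.0/0", VPNS_IP), (VSAT_LAN, VPNA_IP)]

if __name__ == "__main__":
    for label, table in (("default gateway only", DEFAULT_GATEWAY_ONLY),
                         ("with permanent route", WITH_PERMANENT_ROUTE)):
        print(f"{label}: reply to {SOURCE_PC} -> {next_hop(table, SOURCE_PC)}"
              f" (via VPNA: {reply_reaches_vpna(table)})")
```

On a Windows Destination PC the corresponding permanent entry is `route -p add 10.10.2.0 mask 255.255.255.0 10.2.2.2`; on Linux it is `ip route add 10.10.2.0/24 via 10.2.2.2`. Traffic for every other destination still leaves through the VPNS, as the note requires.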

2.2.3 Outbound Data Path

This section provides a brief description of the Outbound Data path in a typical
SkyEdge-VPN system:

• The Remote Data Server at the Data Center (Destination PC) generates an IP
  packet and sends it to the VPNA. The source of the packet is the Remote Data
  Server and the destination is the PC connected to the VSAT.

• Because of the routing configuration, the packet is first sent to the VPNA for
  processing.

• The VPNA receives the IP packet and sends an acknowledgement message to
  the Destination PC.

• The VPNA applies Gilat proprietary protocols (adds the Backbone headers and
  handles the TCP spoofing). The source of the packet is changed to the VPNA
  server and the destination is changed to the VSAT.

• The VPNA forwards the packet to the VPNS.

• The VPNS applies the VPN (IPSec) encryption to the packet and sends it to
  the DPS. The source of the packet is changed to the VPNS and the destination is
  the VSAT.

• The DPS receives the packet and forwards it to the VSAT over the Outbound.

• The VSAT receives the packet, strips the IPSec encryption layer,
  applies Gilat proprietary protocols, and handles the TCP spoofing. The source of
  the packet is changed to the Remote Data Server IP address and the destination is
  changed to the IP address of the PC connected to the VSAT.

• The VSAT forwards the IP packet to the PC.


2.2.4 VPN Acceleration Device (VPNA)

The VPNA runs on a Force cPCI-690 card platform under the VxWorks
environment. The VPNA card is installed in the lower slot of the VPNA machine
chassis.

Figure 2: VPNA Machine Chassis (front view, with the On/Off power switch)

The VPNA machine chassis is a one-U rack-mounted unit. Each VPNA machine chassis
contains one VPNA card.

Figure 3 shows the front panel of the VPNA card. The front panel contains one
Ethernet port (ETH 1) which is used for the telnet connection to the VPNA. This
connection is used for Management/Control of the VPNA. Because telnet carries
the login credentials and every command in clear text, ETH 1 should be connected
only to the Control LAN and not to a network that carries user traffic.

Figure 3: VPNA Front Panel

The VPNA front panel contains two identical RS-232 serial ports. The lower serial
port is used for the terminal connection to the VPNA. The upper serial port is not
in use.

The VPNA RTM (Rear Transition Module) is connected to the back of the VPNA
card. One of its Ethernet ports (ETH 2) connects to the VPNS. This is the VPNA
Application connection. The rest of the ports on the VPNA RTM are not in use.

As shown in Figure 4, the VPNA machine chassis is installed in the mini hub rack.
Depending on the particular configuration of the customer’s network, other
components supporting various services can be installed in the rack containing the
VPNA devices.


Figure 4: VPNA Rack

In Figure 4, the active and the redundant VPNA cards are installed in the mini hub rack.

2.3 SkyEdge VPN Main Features

This section lists the main VPN features implemented in the SkyEdge system:

• The EVPN client (VSAT containing the embedded VPN) acts as a generic IPSec
  peer

• The VSAT with EVPN supports Split Tunneling

  - The user is granted or denied permission to enter a VPN tunnel based on
    source and destination IP addresses. If granted, all traffic goes through the
    VPN tunnel.

• Specific configuration for each Site-to-Site connection

  - Up to 3 Destination networks and subnet masks
  - Remote Peer address
  - Authentication parameters
  - Encryption parameters
  - VPN authentication method – Shared Secret
  - All traffic is routed through the tunnel

• Only one VPN tunnel is allowed per VSAT at any time. Up to five different VPN
  tunnel configurations can be defined for each VSAT. However, only one
  configuration can be active at a given moment.

2.3.1 VPN Authentication Method

VPN authentication is accomplished by using a pre-shared secret, a predefined key
agreed upon by the parties at both ends of the VPN tunnel. This key is manually
entered into the VSAT and VPN server components. Because the secret is the only
proof of identity for the tunnel, it should be long and randomly generated rather
than a word or phrase, and the same value must be entered identically on both
sides.

2.3.2 VPN Management and Control

The Local Management Interface enables the VPNA operator to log on to a web
portal or manually connect a serial console for basic configuration (IP address, IP
mask, boot options, loading files from TFTP, etc.). The machine arrives with default
values that enable immediate access to the web interface.

2.3.3 VPNA Redundancy

VPNA supports a one-to-one redundancy process, where VPNA devices are installed
in pairs: Active and Standby.

The two VPNA servers monitor each other’s operation continuously over the
Control LAN connection. If the Active VPNA server fails, the backup server
becomes the active one. The switchover between the servers is automatic, without
intervention by any external entity.

While implementing the redundancy scheme, the VPNA is actually divided into two
units: active and standby. This duality is transparent to the rest of the network. The
pair of VPNA represents a single IP address – the Advertised IP Address – and
there is no need to add any additional functionality to the rest of the network
components in order to support the redundancy scheme. In addition, each VPNA has
a private IP address over the Control LAN.

Each VPNA machine’s Control interface must be connected to the same LAN in
order for the units to be able to exchange messages between them.


When the Standby VPNA becomes Active, it loads its configuration, starts all the
pending tasks and then sends a Gratuitous ARP on the Application port to notify
the routers about the change.

2.3.4 VPNA Switchover Criteria

The Standby VPNA server is activated under the following conditions:

• The Active VPNA detects a loss of connection on its Application port and reports
  this to the Standby VPNA over the Control LAN. Upon receiving this message, the
  Standby VPNA starts the switchover process.

• The Active VPNA detects a loss of connection on both its Control LAN and
  Application ports. The Active VPNA reboots automatically. During the reset of
  the Active VPNA, the Standby VPNA detects that the Active VPNA is down and
  performs the switchover.

• The Standby VPNA detects that it has lost connection to the Active VPNA on the
  Control LAN. The Standby VPNA sends a reboot command to the Active VPNA and
  performs the switchover.
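The three criteria above, together with the Gratuitous ARP described in Section 2.3.3, can be expressed as a small state machine. The following Python block is an added example written for this page; it is a model of the documented behaviour, not Gilat firmware, and the unit names VPNA-A and VPNA-B, the rule labels and the rule that a standby with a failed port or in reset cannot take over are assumptions made for the model. It shows that after a switchover the former active unit, now standby with its Application port still down, is not allowed to flip the pair back.

```python
from dataclasses import dataclass, field

# Labels returned by evaluate() for the three switchover criteria listed above.
RULE_APP_PORT_REPORTED = "active reported Application port loss"
RULE_BOTH_PORTS_LOST = "active lost Control LAN and Application ports"
RULE_CONTROL_LAN_LOST = "standby lost the active on the Control LAN"


@dataclass
class Vpna:
    name: str
    app_link_up: bool = True    # ETH 2 on the RTM, toward the VPNS
    ctrl_link_up: bool = True   # Control LAN, heartbeat to the peer unit
    rebooting: bool = False


@dataclass
class VpnaPair:
    """One Active/Standby pair behind a single Advertised IP address."""
    active: Vpna
    standby: Vpna
    log: list = field(default_factory=list)

    def evaluate(self):
        """Apply the switchover criteria once and return the rule that fired,
        or None when the active unit keeps its role."""
        act, sby = self.active, self.standby
        # Assumption of the model: a standby that is itself resetting or has a
        # dead port cannot take over, so there is nothing to switch to.
        if sby.rebooting or not (sby.app_link_up and sby.ctrl_link_up):
            self.log.append(f"{sby.name}: not ready, no switchover possible")
            return None
        if not act.app_link_up and not act.ctrl_link_up:
            # Criterion 2: active reboots itself; standby sees the heartbeat stop.
            act.rebooting = True
            self.log.append(f"{act.name}: both ports down, rebooting")
            return self._switchover(RULE_BOTH_PORTS_LOST)
        if not act.app_link_up:
            # Criterion 1: Control LAN still up, so the active can report the
            # Application port failure and the standby starts the switchover.
            self.log.append(f"{act.name} -> {sby.name}: Application port down")
            return self._switchover(RULE_APP_PORT_REPORTED)
        if not act.ctrl_link_up or act.rebooting:
            # Criterion 3: standby no longer hears the active on the Control LAN,
            # orders it to reboot and takes over.
            self.log.append(f"{sby.name} -> {act.name}: reboot command")
            act.rebooting = True
            return self._switchover(RULE_CONTROL_LAN_LOST)
        return None

    def _switchover(self, reason):
        old, new = self.active, self.standby
        # The new active loads its configuration, starts the pending tasks and
        # sends a gratuitous ARP on the Application port so the routers learn
        # the MAC address now answering for the unchanged Advertised IP.
        self.log.append(f"{new.name}: now active ({reason}); gratuitous ARP sent")
        self.active, self.standby = new, old
        return reason


def new_pair():
    return VpnaPair(Vpna("VPNA-A"), Vpna("VPNA-B"))


if __name__ == "__main__":
    pair = new_pair()
    pair.active.app_link_up = False
    print(pair.evaluate(), "->", pair.active.name)
    print(pair.evaluate())      # former active is not ready, no flap back
    print("\n".join(pair.log))
```

Criterion 2 is tested before criterion 1 because a unit that has lost both ports cannot deliver the Application-port report over the Control LAN; the order of the checks is what decides which documented path the standby follows.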

2.3.5 System Availability and Installation

Gilat supplies the embedded VPN client and the VPNA device components.

The customer is responsible for purchasing, configuring, and maintaining the VPN
server (VPNS).

The local network system administrator will supply the IPSec parameters for
configuring the VPN client.

2.4 SkyEdge VPN Sample Setup and IP Addresses

NOTE
This section provides an example of a SkyEdge VPN setup. This example
should be used as a reference when learning about the SkyEdge VPN
feature.
The network topology and IP addressing scheme vary from one network
to another.

Figure 5 below shows a sample topology of a SkyEdge VPN network, in which the
VPN Server and the DPS are connected via a switch. In this setup, the VPNS
functions as the border router of the system. The diagram also contains sample IP
addresses of the components.


Figure 5: SkyEdge VPN Sample Topology

2.4.1 VPN Network IP Scheme

NOTE
The IP addressing scheme provided in this section is for reference
purposes only.

Table 1: Sample SkyEdge VPN Network IP Addresses

Component                            IP Address                  Default Gateway
-----------------------------------  --------------------------  --------------------------------------------
Source PC (connected to the VSAT)    10.10.2.2                   10.10.2.1 (VSAT)
VSAT                                 10.10.2.1 (172.24.4.1)      DPS
DPS                                  172.24.4.1                  172.24.4.254 (VPNS interface/Border Router)
VPNS                                 172.24.4.254 / 10.2.2.254   172.24.4.1 (DPS/Border Router)
VPNA                                 10.2.2.2 / 172.23.123.123   10.2.2.254 (VPNS)
Destination PC (Remote Data Server)  10.2.2.3/4/6/253            10.2.2.254 (VPNS)


2.5 VPNA SNMP Support

The VPNA MIB file is supplied to customers together with the VPNA device. It
should be loaded into a MIB browser on the PC used for monitoring the VPNA
operation, that is, the PC connected to the VPNA Control IP address. Any MIB
browser can be used to view the VPNA MIB file. After the browser is installed,
open it and load the VPNA MIB file.

Table 2 lists the VPNA SNMP telemetries and their explanations as they appear in
the VPNA MIB file.

Table 2: VPNA SNMP Telemetries

VPNA SNMP Telemetry             Explanation
------------------------------  ------------------------------------------------------------
vpnaUptime                      How long the VPNA has been operational since it was last reset.
vpnaSoftwareversion             VPNA software version.
vpnaCPUUtilization              Current VPNA CPU utilization.
vpnaTotalOutboundBytes          Total number of bytes transmitted over the Outbound since the last VPNA reset.
vpnaAverageOutboundBytes        Average number of bytes transmitted over the Outbound during a period of one minute.
vpnaTotalOutboundPackets        Total number of packets transmitted over the Outbound since the last VPNA reset.
vpnaAverageOutboundPackets      Average number of packets transmitted over the Outbound during a period of one minute.
vpnaTotalInboundBytes           Total number of bytes received on the Inbound since the last VPNA reset.
vpnaAverageInboundBytes         Average number of bytes received on the Inbound during a period of one minute.
vpnaTotalInboundPackets         Total number of packets received on the Inbound since the last VPNA reset.
vpnaAverageInboundPackets       Average number of packets received on the Inbound during a period of one minute.
vpnaNumberofActiveConnections   Number of currently active VPN (VSAT-VPNA) links.
vsatid                          CPA number of the VSAT currently connected to the VPNA via the VPN tunnel.
dataConnectionStatus            Backbone status of the VSAT currently connected to the VPNA via the VPN tunnel.
vsatip                          IP address of the VSAT currently connected to the VPNA via the VPN tunnel.
subnetMask                      Subnet mask of the VSAT currently connected to the VPNA via the VPN tunnel.
vsatType                        VSAT product type. Values: SkyEdge, Cisco Network Module (Bruno), and Unknown.
                                The Unknown type is displayed for VSATs that have not sent any packets to the
                                VPNA within a predefined period.


3. Configuring VPNA at the SkyEdge Hub

3.1 Procedure Overview

VPN Configuration in SkyEdge consists of the two main stages:

• Hub Configuration – This stage includes copying the VPNA software files to the
  NMS Server, defining and configuring the VPNA on the NMS, configuring the VSATs
  to support the VPN feature, and preparing the VPNA software files for the VPNA
  installation at the Customer’s Data Center. All these procedures are
  performed at the SkyEdge Hub.

• Customer’s Data Center – This stage includes VPNA installation and wiring, and
  VPNA configuration.

To configure the VPN feature in the SkyEdge network, perform the following steps
in this order:

1. System Spreadsheet Configuration

2. Copying VPNA Software Pack Files to the Repository Directory

3. Defining VPNA on the NMS

4. Configuring VPNA Parameters

5. Configuring VPNA Redundant Parameters

6. Committing VPNA Configuration and Creating VPNA Config.xml File

7. Rebooting VPNA from the NMS

8. Configuring VPNA NAT Parameters

9. Copying the VPNA Operational and Configuration Files to an External Device

3.2 System Spreadsheet Configuration

NOTE
When configuring a SkyEdge network containing VPNA version 2.0.1.0,
use the SkyEdge Parameters Ver. 2.6 spreadsheet.

This section provides a general description of the system spreadsheet configuration
in systems containing a VPNA. Generally, the system spreadsheet configuration is
performed by Gilat Technical Support during the initial system installation and
configuration.


To configure VPN parameters in the SkyEdge Parameters Ver. 2.6 spreadsheet:

1. On the Main sheet, check the VPN option.

2. Define the VPNA Backbone Fragment Size and TCP Advertised MSS.

3. The VPNA configuration is identical to the DPS configuration, with the
   following exceptions:

• Since the VPNA does not automatically adjust its Backbone fragment size and its
  TCP MSS, these two parameters are duplicated in the BB and the TCP sheets:
  they must be entered first for the DPS and then for the VPNA.

• The Backbone MIR and Hub MIR are duplicated in the BB sheet, with values
  decreased by 18% for the VPNA and non-limiting values for the DPS.

3.3 Copying VPNA Software Pack Files to the Repository Directory

VPNA software includes:

• A VPNA pack file. This file contains the VPNA operational software and the
  VPNA operational file. The VPNA pack file is stored on the NMS Server.

  The pack file name format is VPNA_x.y.z.w_Pack.zip, where x.y.z.w is the
  VPNA version. The operational and boot file name format is
  VPNA_x.y.z.w_bin.bin. The VPNA software pack file is used during VPNA
  configuration on the NMS. The VPNA operational file (bin) is used during
  VPNA configuration at the Customer’s Data Center.

NOTE
The VPNA_x.y.z.w_bin.bin file must be extracted from the VPNA software
pack file.

• A configuration parameters file. This file is produced by Gilat technical
  personnel after completing the VPNA configuration on the NMS. The default file
  name is CONFIG.XML. This file is automatically created after the VPNA
  configuration changes are committed on the NMS. For more information, refer to
  Section 3.5 Configuring VPNA Parameters.

The VPNA software pack file is stored in the D:\NMS\Repository\VPNA directory
on the NAS or, in systems without a NAS, on the NMS Server.


To access the VPNA software files on the NMS Server/NAS:

1. In systems with a NAS, log on to the NMS Server as administrator with password $giLat$.

2. In systems without a NAS, log on to the NMS Server as administrator with password nms.

3. Open the D:\NMS\Repository\VPNA folder.

4. Verify that the latest VPNA software file is stored in the D:\NMS\Repository\VPNA folder.

Figure 6: VPNA Repository

5. Verify that the VPNA_x.y.z.w_bin.bin file is extracted from the VPNA pack file
as shown in Figure 6 and Figure 7.

Figure 7: VPNA Pack File Contents


3.4 Defining VPNA on the NMS

To define a VPNA server on the NMS:

1. Open the NMS Browser.

2. In the Hub View, right-click the NMS Server icon and select New Hub Element.

Figure 8: NMS Server Commands Menu

Result: The Add Hub Element Wizard opens.

Figure 9: Add Hub Element Wizard – Adding a VPNA

3. In the Hub Element Type field, select VPNA.

4. In the Parent Element field, select None.

5. In the Repository File, select the relevant VPNA software file.

6. If the system contains a redundant VPNA, check the Support Redundancy option.


7. Click Next.

Result: The Element Information window is displayed.

Figure 10: Add Hub Element Wizard – VPNA Element Information

8. Leave the default value in the Device ID field. The Device ID parameter is not the VPNA number, and it is not used in the current software version.

9. In the Element Alias field, enter the name of the VPNA device. This is the name
that will be displayed on the NMS.

10. In the IP Address field, enter the VPNA Administration IP address. This address is assigned to the front-end Ethernet interface of the VPNA device. In systems where the VPNA server is installed at the Remote Data Center, this address is used for the connection to the FTP server and for the Web connection to the VPNA.

11. In the MAC Address field, enter the VPNA MAC address as it appears on the
front panel of the VPNA card.

12. In the Description field, enter a few words describing the VPNA. This field is
optional.

13. Click Next.

Result: If the system contains a redundant VPNA and the Redundancy option
was enabled as described in step 6, the VPNA Redundancy window is
displayed (Figure 11).
If the system does not contain a redundant VPNA, the SNMP Information
window is displayed (Figure 12).


Figure 11: Add Hub Element Wizard – VPNA Redundancy

14. In systems containing a redundant VPNA, configure the IP and MAC addresses
of the main and VPNA Redundant devices and click Next.

Result: The SNMP Information window is displayed.

Figure 12: Add Hub Element Wizard – SNMP Information

15. Verify that the SNMP configuration is as follows:

• Read Community String – Public

• Write Community String – Private

16. Click Next.

Result: The Summary window is displayed.


Figure 13: Add Hub Element Wizard – Summary

Result: The VPNA icon is displayed in the upper-right corner of the Hub
View window.

Figure 14: New VPNA Icon

17. Drag the new VPNA icon to its proper location in the Hub View window.

3.5 Configuring VPNA Parameters

NOTE
VPNA can be also configured via the SkyManage utility. For more
information, refer to Section 6 Configuring VPNA via the Web Interface.

To configure the VPNA parameters:

1. In the Hub View window, double-click the VPNA icon.

Result: The VPNA Configuration window is displayed.


Figure 15: VPNA Configuration – Element Definition

2. Review the VPNA Element Definition parameters. The VPNA Element Definition parameters are configured in the process of the VPNA definition on the NMS.

NOTE
If the VPNA redundancy is enabled, the MAC Address parameter on the
Element Definition tab is grayed out as shown in Figure 15. If there is
only one VPNA card in the system, its MAC Address value will be
displayed in the MAC Address field.
For information on how to configure the VPNA redundancy parameters,
refer to Section 3.6 Configuring VPNA Redundant Parameters.

3. In the VPNA Tree pane, click General.

Result: The VPNA General parameters are displayed.


Figure 16: VPNA General Parameters

4. Configure the VPNA Virtual IP Address and Subnet Mask parameters according to the SkyEdge IP Addressing scheme.

NOTE
In the non-redundant VPNA setups, the default VPNA Virtual IP address
is 172.23.123.123.

5. Configure the VPNA CPA number.

6. In the VPNA Tree view, click Backbone.

Result: The VPNA Backbone parameters are displayed.


Figure 17: VPNA Backbone Parameters

NOTE
VPNA Backbone parameters are configured by Gilat Technical Support
according to the System spreadsheets.

7. Verify that the VPNA Fragment Size parameter is set to a value lower than the
DPS Fragment Size.

8. In the VPNA Tree view, click Ports→Application→IP.

Result: The VPNA IP Port parameters are displayed.


Figure 18: VPNA IP Parameters (Partial View)

9. Configure the VPNA Data IP Address and Subnet Mask. These are the IP address and subnet mask of the VPNA user/Application Ethernet port. This port connects to the VPNS.

10. Configure the VPNA Default Gateway IP Address. The VPNA Default gateway
IP address is the router’s interface connected to the VPNA application port.

11. In the VPNA Tree view, click Ports→Application→TCP.

Result: The VPNA TCP parameters are displayed.


Figure 19: VPNA TCP Parameters (Partial View)

12. Configure the relevant VPNA TCP parameters.

13. Verify that the TCP Spoofing parameter is set to Enable.

14. Verify that the TCP Connection Keep Alive parameter is set to Enable.

15. Under Sizing, verify that the VPNA TCP Advertised MSS parameter is set to a
value lower than the DPS TCP Advertised MSS.

16. Enable or disable NAT at the VPNA. The decision whether to use NAT is based on the nature of the system applications and the network architecture.

• For information on how to configure VPNA Static NAT, see Section 3.9.1 Configuring Static NAT at the VPNA.

• For information on how to configure VPNA Dynamic NAT, see Section 3.9.2 Configuring Dynamic NAT at the VPNA.


• For information on how to configure the VPNA and the Destination PC to work without NAT, see Section 3.9.3 Working without NAT.

17. In the VPNA Tree view, click Advanced.

Result: The VPNA Advanced parameters are displayed.

Figure 20: VPNA Advanced Parameters

18. Configure the VPNA Advanced parameters, using the following guidelines:

• Buffer Count – The number of memory buffers used internally by the VPNA.

• VPN Server IP Address – The IP address of the VPN Server from which the VPNA receives IP packets and to which it sends them.

• Raw IP Protocol Number – The IP protocol number that the VPNA and the VSAT use to exchange packets between them.

• Zero UDP Checksum – If set, zeroes the UDP checksum for locally destined packets and for packets broadcast to the VSATs. UDP packets with a checksum of zero are not checksum-verified.

• Control Ethernet NIC – Defines which of the FORCE card’s Ethernet NICs is used for control.

• Application Ethernet NIC – Defines which of the FORCE card’s Ethernet NICs is used as the application port.


• VPN Server Keep Alive – If enabled, the VPNA pings the VPNS at a predefined interval to determine its connectivity status. If disabled, no keep-alive mechanism is activated. Regardless of this setting, the VPNA maintains its regular functionality.

• Enable Hardware Watchdog – Controls whether the VPNA board hardware watchdog is enabled. When enabled, the hardware watchdog resets the board out of a dysfunctional state when certain technical conditions are met.

3.6 Configuring VPNA Redundant Parameters

NOTE
This section is relevant when configuring a redundant VPNA. When
configuring the system with a non-redundant VPNA, skip this section and
proceed to Section 3.7 Committing VPNA Configuration and Creating
VPNA Config.xml File.

To configure a redundant VPNA:

1. Double-click the VPNA icon.

Result: The VPNA Configuration window is displayed.

2. Click the Redundancy tab in the right pane.

Result: The first set of the VPNA Redundancy parameters is displayed.

Figure 21: VPNA Configuration: Redundancy Configuration - 1

3. Check the Enable Redundancy option.


4. Configure/Review the IP Address and MAC Address parameters of the VPNA cards. These are the same parameters that are configured when adding the VPNA through the Add Hub Element wizard, as shown in Section 3.4, step 14. The IP Address parameter signifies the Control Virtual IP Address.

5. The Redundancy State parameter is non-editable.

6. In the VPNA tree view of the VPNA Configuration window, click Redundancy.

Result: The second set of the VPNA Redundancy parameters is displayed.

Figure 22: VPNA Redundancy Parameters

7. Configure the VPNA Redundancy parameters as follows:

• VPNA Redundancy – Enables/Disables VPNA Redundancy.

• VPNA A Private IP Address (Management IP Address) – VPNA A private IP address on the Control LAN. This address is used by the VPNA to send/receive health check messages on the Control LAN with the other VPNA unit.

• VPNA B Private IP Address (Management IP Address) – VPNA B private IP address on the Control LAN. This address is used by the VPNA to send/receive health check messages on the Control LAN with the other VPNA unit.


• Management Test Address – IP address of another device on the Control LAN. When a timer expires, the VPNA pings this address. The reply to this ping is used to validate the VPNA connection to the Control LAN.

• Application Port Test Address – IP address of another device on the LAN connected to the user/application port. When a timer expires, the VPNA pings this address. The reply to this ping is used to validate the VPNA connection to the LAN via the user/application port.

• Switchover Criteria (Application Port Connectivity) – If selected, and the Active VPNA notifies in a health check message that it has lost the connection to the network connected to the user/application port, the Standby VPNA performs an automatic switchover.

3.7 Committing VPNA Configuration and Creating VPNA Config.xml File

NOTE
The Config.xml (otherwise known as Config or XML) file is the VPNA
configuration file that is created by configuring VPNA on the SkyEdge
NMS and issuing the Commit command (as described in this section).
The VPNA_x.w.y.z_Template.xml that is part of the VPNA pack file is not
the VPNA Configuration file.

To commit VPNA configuration changes and create a Config.xml file:

1. In the VPNA Configuration window, click the Validate button.

Result: The Validate Confirmation window is displayed.

2. Click OK.

3. Click the Save button.

Result: The Save Confirmation window is displayed.

4. Click the Commit button.

Result: The Commit Confirmation window is displayed.

5. Click OK.

Result: The VPNA Configuration file (Config.xml) is created in D:\NMS\Devices\VPNA\Configuration\Export.


Figure 23: VPNA Configuration File

NOTE
The Config.bck file is a backup file that is automatically created with the
Config.xml file.

• To access the VPNA Config.xml file in a system with a NAS, log on to the NMS Server as Administrator with password $netWork$.

• To access the VPNA Config.xml file in a system without a NAS, log on to the NMS Server as Administrator with password nms.

3.8 Rebooting VPNA from the NMS

For the VPNA configuration changes to take effect, the VPNA must be rebooted. If the VPNA is connected to the NMS via LAN for debugging or during the initial installation, use the procedure in this section to reboot the VPNA from the NMS.

In general, the VPNA is rebooted from its local web page as described later in this document; see Section 5.11 Rebooting VPNA.

To reboot VPNA:

1. To reboot a non-redundant VPNA, right-click the VPNA icon and select Commands→Reboot→Active.

2. To reboot a redundant VPNA, right-click the VPNA icon and select Commands→Reboot→Active Standby.

Result: The VPNA Reboot Confirmation window is displayed.


3. Click Yes.

Result: The VPNA server or servers are rebooted.

4. Wait for the VPNA server to become active, or in case of a redundant VPNA,
wait for both VPNA units to become active.

3.9 Configuring VPNA NAT Parameters

This section describes the following procedures:

• Configuring Static NAT at the VPNA

• Configuring Dynamic NAT at the VPNA

• Working without NAT

3.9.1 Configuring Static NAT at the VPNA

This section describes how to configure the static NAT feature at the VPNA.
Depending on the system configuration, you can use Static or Dynamic NAT. For
information on how to configure Dynamic NAT, see
Section 3.9.2 Configuring Dynamic NAT at the VPNA.

When using Static NAT, a static NAT entry must be configured for every PC connected behind a VSAT. Each entry translates one private IP address to one Public IP address.

To configure Static NAT at the VPNA:

1. In the VPNA Tree view, click Ports→Application→NAT.

Result: The VPNA NAT parameters are displayed.


Figure 24: VPNA NAT Parameters

2. Configure the VPNA NAT parameters as follows:

• Enabled – set this parameter to Enable

• FTP Timer – verify that this parameter is set to 60 seconds

• Proxy ARP – set this parameter to Enable

3. In the VPNA Tree view, click Ports→Application→NAT→Static.

Result: The VPNA NAT parameters are displayed.


Figure 25: VPNA Static NAT Configuration

4. Enable the VPNA Static NAT.

5. Click Ports→Application→NAT→Static→Configuration Instances.

Result: The VPNA Static NAT Configuration instances are displayed.

Figure 26: VPNA Static NAT Configuration Instances

6. To add a new entry, right-click the Static NAT Configuration table and select
Add Configuration.


Figure 27: NAT Configuration Instances Menu

Result: A new Static NAT Configuration instance is added to the table.

7. Configure the following parameters:

• Private IP Address – VSAT Private IP address. The private IP address of the hosts must be configured in the same subnet as the VSAT secondary IP addresses.

• Public IP Address – VSAT Public IP address. The public IP address of the hosts must be configured in the same subnet as the VSAT main IP address. The VSAT Main IP address is configured in the VSAT Data unique parameters, in the VSAT Ethernet port IP Profile section. The public IP address must be different from the IP address of the device.

• Range – This parameter is not in use in the current software version.

8. Continue with the VPNA configuration on the NMS: go to step 13 in Section 3.5 Configuring VPNA Parameters.

3.9.2 Configuring Dynamic NAT at the VPNA

This section describes how to configure the dynamic NAT feature at the VPNA.
Depending on the system configuration, you can use Static or Dynamic NAT. For
information on how to configure Static NAT, see
Section 3.9.1 Configuring Static NAT at the VPNA.

When using Dynamic NAT, private IP addresses of several PCs are translated to a
group of Public IP addresses.

To configure Dynamic NAT at the VPNA:

1. In the VPNA Tree view, click Ports→Application→NAT.

Result: The VPNA NAT parameters are displayed.


Figure 28: VPNA NAT Parameters

2. Configure the VPNA NAT parameters as follows:

• Enabled – set this parameter to Enable

• FTP Timer – verify that this parameter is set to 60 seconds

• Proxy ARP – set this parameter to Enable

3. In the VPNA Tree view, click Ports→Application→NAT→Dynamic.

Result: The VPNA Dynamic NAT parameters are displayed.


Figure 29: VPNA Dynamic NAT Configuration

4. Enable the VPNA Dynamic NAT.

5. Configure Dynamic NAT timers: TCP, UDP, and ICMP. These timers define a
timeout for the release of the Public-Private ports. This can be specified for when
the ports are defined as TCP, UDP, or ICMP (pings). If the TCP/UDP/ICMP port
remains inactive for the specified timeout, the assigned Public IP address is
released and can be reassigned to a different private IP address.

6. Click Ports→Application→NAT→Dynamic→Configuration Instances.

Figure 30: VPNA Dynamic NAT Configuration Instances - 1


Result: The VPNA Dynamic NAT Configuration instances are displayed.

Figure 31: VPNA Static NAT Configuration Instances (Partial View)

7. To add a new entry, right-click the Dynamic NAT Configuration table and select
Add Configuration.

Result: A new Dynamic NAT Configuration instance is added to the table.

8. Configure the following parameters:

• Start-End Private IP Address – Define the range of VSAT Private IP addresses. The private IP addresses of the hosts must be configured in the same subnet as the VSAT secondary IP addresses.

• Start-End Public IP Address – Define the range of VSAT Public IP addresses. The public IP addresses of the hosts must be configured in the same subnet as the VSAT main IP address. The public IP addresses must be different from the IP address of the device.

9. Continue with the VPNA configuration on the NMS: go to step 13 in Section 3.5 Configuring VPNA Parameters.
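The subnet rules stated for Static NAT entries (Section 3.9.1, step 7) and Dynamic NAT ranges (Section 3.9.2, step 8), together with the idle-timer release behaviour of Dynamic NAT (step 5), are easy to get wrong when filling the NMS tables by hand. The following Python is an added example and not Gilat code: it checks candidate entries against those rules before they are committed, and models how a public address in a Dynamic NAT pool is released after the per-protocol timeout and handed to another private host. All subnets, host addresses and timeout values are constructed sample values, not values taken from this manual.

```python
import ipaddress

# Constructed sample values (not from the manual): the VSAT secondary subnet
# that the private hosts sit in, the VSAT main subnet that public addresses
# are taken from, and the address of the device itself.
SAMPLE_SECONDARY_NET = "10.10.1.0/24"
SAMPLE_MAIN_NET = "192.0.2.0/24"
SAMPLE_DEVICE_IP = "192.0.2.1"


def validate_nat_entry(private, public, secondary_net, main_net, device_ip):
    """Check one Static NAT entry; return a list of problems (empty means OK).

    Rules from the manual: the private address must lie in the VSAT secondary
    subnet, the public address in the VSAT main subnet, and the public address
    must differ from the device's own IP address.
    """
    problems = []
    priv = ipaddress.ip_address(private)
    pub = ipaddress.ip_address(public)
    if priv not in ipaddress.ip_network(secondary_net):
        problems.append(f"private {priv} is outside the VSAT secondary subnet {secondary_net}")
    if pub not in ipaddress.ip_network(main_net):
        problems.append(f"public {pub} is outside the VSAT main subnet {main_net}")
    if pub == ipaddress.ip_address(device_ip):
        problems.append(f"public {pub} is the device's own IP address")
    return problems


def validate_dynamic_range(start_priv, end_priv, start_pub, end_pub,
                           secondary_net, main_net, device_ip):
    """Apply the same subnet rules to every address of a Dynamic NAT range."""
    sp, ep = ipaddress.ip_address(start_priv), ipaddress.ip_address(end_priv)
    spub, epub = ipaddress.ip_address(start_pub), ipaddress.ip_address(end_pub)
    if ep < sp or epub < spub:
        return ["range end precedes range start"]
    problems = []
    for n in range(int(sp), int(ep) + 1):
        addr = ipaddress.ip_address(n)
        if addr not in ipaddress.ip_network(secondary_net):
            problems.append(f"private {addr} is outside the VSAT secondary subnet {secondary_net}")
    for n in range(int(spub), int(epub) + 1):
        addr = ipaddress.ip_address(n)
        if addr not in ipaddress.ip_network(main_net):
            problems.append(f"public {addr} is outside the VSAT main subnet {main_net}")
        if addr == ipaddress.ip_address(device_ip):
            problems.append(f"public {addr} is the device's own IP address")
    return problems


class DynamicNatPool:
    """Model of Dynamic NAT public-address assignment with idle timers.

    A private host takes a free public address on its first packet. If no
    packet for that binding is seen within the timeout configured for its
    protocol, the public address is released and may be reassigned to a
    different private host (Section 3.9.2, step 5).
    """

    def __init__(self, public_addresses, timeouts):
        self.free = list(public_addresses)  # public addresses not in use
        self.bindings = {}                  # private -> (public, proto, last_seen)
        self.timeouts = timeouts            # {"tcp": s, "udp": s, "icmp": s}

    def _expire(self, now):
        for private, (public, proto, last_seen) in list(self.bindings.items()):
            if now - last_seen >= self.timeouts[proto]:
                del self.bindings[private]
                self.free.append(public)

    def translate(self, private, proto, now):
        """Return the public address for a packet, or None if the pool is exhausted."""
        self._expire(now)
        if private in self.bindings:
            public = self.bindings[private][0]
            self.bindings[private] = (public, proto, now)  # refresh the idle timer
            return public
        if not self.free:
            return None
        public = self.free.pop(0)
        self.bindings[private] = (public, proto, now)
        return public


def demo_pool():
    """Constructed trace: two public addresses, UDP idle timeout of 60 s."""
    pool = DynamicNatPool(["198.51.100.10", "198.51.100.11"],
                          {"tcp": 300, "udp": 60, "icmp": 30})
    return [
        pool.translate("10.10.1.10", "udp", now=0),    # takes .10
        pool.translate("10.10.1.11", "tcp", now=5),    # takes .11
        pool.translate("10.10.1.12", "icmp", now=10),  # pool exhausted: None
        pool.translate("10.10.1.12", "icmp", now=61),  # .10 idle for 61 s, released and reassigned
    ]
```

The pool model makes the sizing consequence of step 5 visible: with short timers, a burst of new private hosts can find the pool exhausted (third call returns None) until an idle binding ages out, so the public range and the TCP/UDP/ICMP timeouts need to be chosen together.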

3.9.3 Working without NAT

In networks containing applications that do not support NAT, static routing entries
must be configured on the Destination PC connected to the VPNA. Using NAT in a
network ensures that the Destination PC sends packets addressed to the VSATs to the
VPNA.

When NAT is not used in a network, static routing entries must be defined on the Destination PC to ensure that the returning packets are sent to the VPNA and not directly to the PC’s default gateway, the VPNS. The VPNA then forwards the packets to the VPNS.


The following routing entry must be configured on the Destination PC:

route add <VSAT IP family> mask 255.255.0.0 <VPNA IP address> -p

As a result of this routing entry, all packets addressed to the VSAT IP address range are delivered first to the VPNA IP address. The -p switch indicates that the routing entry is permanent (it persists across reboots).

To disable NAT at the VPNA:

1. In the NMS Browser, in the VPNA Tree view, click Ports→Application→NAT.

Result: The VPNA NAT parameters are displayed.

Figure 32: Disabling NAT at the VPNA

2. Configure the VPNA NAT parameters as follows:

• Enabled – set this parameter to Disable

• Proxy ARP – set this parameter to Disable

3. Continue with the VPNA configuration on the NMS: go to step 13 in Section 3.5 Configuring VPNA Parameters.


3.10 Copying the VPNA Operational and Configuration Files to an External Device

After defining and configuring VPNA files on the SkyEdge, copy the following files
to an external device (e.g., disk-on-key):

• Config.xml – created after configuring the VPNA at the NMS and committing the configuration changes.

• VPNA software pack file.

• VPNA boot and operational file – unzipped – VPNA_x.y.z.w.bin.bin (for example VPNA_02.00.01.00.bin.bin)

These files will be used during VPNA installation and configuration at the Data
Center site.


4. Configuring VSAT VPN Parameters

NOTE
All procedures described in this section must be performed for each VSAT that will use the VPN feature.

This section describes the following procedures:

• Activating VSAT Software Licensing

• Configuring VSAT VPN Tunnel

• Committing VSAT Configuration Changes and Resetting VSATs

4.1 Activating VSAT Software Licensing

To activate the VSAT Software licensing:

1. Click the VSATs View button.

Result: The VSATs View window is displayed.

Figure 33: VSATs View

2. Browse to the VSAT you want to configure and double-click the VSAT icon.

Result: The VSAT Configuration window is displayed.


Figure 34: VSAT Configuration

3. Click the Data tab.

Result: The Data Tree view is displayed.

4. In the Data Tree view, click License Management.

Result: The VSAT License Management parameters are displayed.


Figure 35: VSAT Data Tab – License Management Parameters

5. Verify that the following licenses are set to Activate.

• VSAT Enhanced IP

• VSAT Embedded VPN

6. Configure VSAT VPN Tunnels as described in Section 4.2 Configuring VSAT VPN Tunnel.

7. Save, commit, and reset the modified VSATs as described in Section 4.3 Committing VSAT Configuration Changes and Resetting VSATs.

4.2 Configuring VSAT VPN Tunnel

NOTE
Only one VPN tunnel is allowed per VSAT at any time. Up to five different
VPN Tunnel configurations can be defined for each VSAT. However, only
one configuration can work at a given moment.

To configure VSAT VPN Tunnel parameters:

1. In the VSAT Configuration window, on the Data tab, click Ports→Ethernet→IP Sec.

Result: The VSAT IP Sec parameters are displayed.


Figure 36: VSAT IPSec Parameters

2. Set the Enable parameter to Yes.

3. Configure the Tunnels Configuration Valid parameter as follows:

• If set to Yes, the NMS VPN Tunnel configuration overrides IPSec parameters configured via the VSAT Web interface.

• If set to No, the VSAT Web IPSec configuration takes precedence over the NMS configuration.

4. Set the Crypto Type parameter to Internal. The Crypto Type parameter
indicates whether the VSAT (Internal) or an external router (External) will
perform the crypto (encryption) tasks. In a typical VPN network configuration,
this parameter should be set to Internal.

5. Double-click on the IPSec entry and click VPN Tunnel Instances.

Result: The VSAT VPN Tunnel Instances table is displayed.


Figure 37: VPN Tunnel Instances Table

6. Right-click the VSAT VPN Tunnel Instances table and select Add VPN Tunnel to add one VPN Tunnel instance, or select Add Multiple VPN Tunnel instances to add several. Up to five tunnels can be defined for each VSAT.

Result: A new VPN Tunnel instance containing default values is added to the table.

7. Right-click the VSAT VPN Tunnel Instances table and select Display row in new window.

Result: The VPN Tunnel parameters are redisplayed.

Figure 38: VPN Tunnel Instances

8. Configure the VPN Tunnel instance parameters as follows:

• Automatic Connect – Indicates whether the connection is established automatically (True) or only after detecting a valid destination server IP address (False). Valid values: True, False. In the Gilat standard configuration, the Automatic Connect parameter should be set to True.

• VPN Server – Defines the IP address of the customer’s VPN Server end-point. The default VPN Server IP address is 172.24.4.254.

• VPNA IP Address – Defines the IP address of the VPN Acceleration Server at the customer’s site. The default VPNA server IP address is 10.2.2.2.

• VPNA cpa number – Defines the (CPA) number of the VPNA Server.

• IPSec Encryption – Type of encryption to be used. Valid values: DES (Data Encryption Standard), 3DES (Triple-DES), AES (Advanced Encryption Standard), Automatic, None. The default value is 3DES.

• IPSec Authentication – Hashed Message Authentication Code for packet identification and encryption. Valid values: MD5 (Message Digest 5), SHA (Secure Hash Algorithm), Automatic. The default value is MD5.

• Diffie-Hellman group – Key agreement protocol. Valid values: Group 1, Group 2. The default value is Group 2.

• Pre-shared Key – Secret authentication key (20 characters maximum).

• Key Lifetime – Number of seconds the key remains valid. Default: 60.

• IKE Encryption – Valid values: DES, 3DES, AES. See IPSec Encryption (above). The value of this parameter must match the IPSec Encryption value. The default value is 3DES.

• IKE Authentication – Valid values: MD5, SHA, Automatic. See IPSec Authentication (above). The value of this parameter must match the IPSec Authentication value. The default value is MD5.

• SA Lifetime – SA (Security Association) lifetime in seconds. Default: 28800 (8 hours).

• SA Lifesize – SA buffer size in Kb. Default: 4608000.

• PFS – Enables/Disables the Perfect Forward Secrecy feature. Values: Yes, No.

• Default Route – Sets this VPN tunnel to be the default routing entry for the VSAT. Values: Yes, No.

9. Click the Back button.

Result: The VSAT VPNA Tunnel parameters are displayed as a table row.

10. Scroll to the right until the Local Secure Group parameter is displayed.


Figure 39: VPNA Tunnel Instances Configuration – Local Secure Group

NOTE
The Local Secure Group parameters define IP addresses connected to
the VSATs via LAN that are allowed to access the VPN tunnel.
The Remote Secure Group parameters define IP address which will go
through the VPN tunnel. Messages to other IP addresses (not configured
in the Remote Secure Group) will be forwarded normally. This is the
secure network behind the VPNA.

11. In the Local Secure Group column, click Open Element.

Result: The Local Secure Group parameters are displayed.

Figure 40: Local Secure Group Parameters

12. Right-click the Local Secure Group parameters table and select
Add Local Secure Group.

Figure 41: Adding a Local Secure Group


Result: A new entry is added to the Local Secure Group table.

13. Enter the VSAT network IP address and Subnet Mask.

Figure 42: Configuring Local Secure Group (VSAT)

14. Click the Back button.

Result: The VSAT VPNA Tunnel parameters are displayed as a table row.

15. Scroll to the right until the Remote Secure Group parameter is displayed.

Figure 43: VPNA Tunnel Instances Configuration – Local Secure Group

16. In the Remote Secure Group column, click Open Element.

Result: The Remote Secure Group parameters are displayed.


Figure 44: Local Secure Group Parameters

17. Right-click the Remote Secure Group parameters table and select Add Remote Secure Group.

Result: A new entry is added to the Remote Secure Group table.

18. Enter the VPNA network IP address and Subnet Mask.

Figure 45: Configuring VPNA Network IP Address and Subnet Mask
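The VPN Tunnel instance parameters in step 8 of Section 4.2 carry several cross-field rules (the IKE values must match the IPSec values, the pre-shared key is limited to 20 characters, Automatic Connect is True in the standard configuration) that the NMS table does not enforce visibly. The following Python is an added example and not Gilat code: it takes one tunnel instance as a dictionary keyed by the parameter names the manual uses, reports violations of those stated rules as errors, and separately lists review items a defender would want to look at before committing (DES or no encryption, MD5 authentication, Diffie-Hellman Group 1, PFS disabled). The sample instance is constructed from the defaults the manual lists; the pre-shared key and CPA number are placeholders.

```python
VALID_IPSEC_ENCRYPTION = {"DES", "3DES", "AES", "Automatic", "None"}
VALID_IKE_ENCRYPTION = {"DES", "3DES", "AES"}
VALID_AUTHENTICATION = {"MD5", "SHA", "Automatic"}
VALID_DH_GROUPS = {"Group 1", "Group 2"}
MAX_PSK_CHARS = 20  # pre-shared key limit stated in the manual

# Constructed sample instance built from the manual's listed defaults;
# the pre-shared key and CPA number are placeholders, not real values.
SAMPLE_INSTANCE = {
    "Automatic Connect": "True",
    "VPN Server": "172.24.4.254",
    "VPNA IP Address": "10.2.2.2",
    "VPNA cpa number": 1,
    "IPSec Encryption": "3DES",
    "IPSec Authentication": "MD5",
    "Diffie-Hellman group": "Group 2",
    "Pre-shared Key": "placeholder-psk",
    "Key Lifetime": 60,
    "IKE Encryption": "3DES",
    "IKE Authentication": "MD5",
    "SA Lifetime": 28800,
    "SA Lifesize": 4608000,
    "PFS": "Yes",
    "Default Route": "Yes",
}


def check_tunnel(params):
    """Return {"errors": [...], "warnings": [...]} for one VPN Tunnel instance.

    Errors are violations of rules the manual states (the instance would not
    work as intended); warnings are review items for the operator.
    """
    errors, warnings = [], []

    def enum(name, allowed):
        value = params.get(name)
        if value not in allowed:
            errors.append(f"{name}: {value!r} is not one of {sorted(allowed)}")
        return value

    ipsec_enc = enum("IPSec Encryption", VALID_IPSEC_ENCRYPTION)
    ipsec_auth = enum("IPSec Authentication", VALID_AUTHENTICATION)
    ike_enc = enum("IKE Encryption", VALID_IKE_ENCRYPTION)
    ike_auth = enum("IKE Authentication", VALID_AUTHENTICATION)
    dh_group = enum("Diffie-Hellman group", VALID_DH_GROUPS)
    auto_connect = enum("Automatic Connect", {"True", "False"})
    pfs = enum("PFS", {"Yes", "No"})
    enum("Default Route", {"Yes", "No"})

    # The manual requires the IKE values to match the IPSec values.
    if ike_enc != ipsec_enc:
        errors.append(f"IKE Encryption {ike_enc!r} must match IPSec Encryption {ipsec_enc!r}")
    if ike_auth != ipsec_auth:
        errors.append(f"IKE Authentication {ike_auth!r} must match IPSec Authentication {ipsec_auth!r}")

    psk = params.get("Pre-shared Key") or ""
    if not 1 <= len(psk) <= MAX_PSK_CHARS:
        errors.append(f"Pre-shared Key: must be 1 to {MAX_PSK_CHARS} characters, got {len(psk)}")

    for name in ("Key Lifetime", "SA Lifetime", "SA Lifesize"):
        value = params.get(name)
        if not isinstance(value, int) or isinstance(value, bool) or value <= 0:
            errors.append(f"{name}: must be a positive integer, got {value!r}")

    # Review items: the manual's standard setting, and algorithm choices that
    # are weak by current standards even though the VSAT accepts them.
    if auto_connect != "True":
        warnings.append("Automatic Connect: the Gilat standard configuration is True")
    if ipsec_enc in ("DES", "None"):
        warnings.append(f"IPSec Encryption {ipsec_enc}: traffic is unprotected or weakly protected; use AES")
    elif ipsec_enc == "3DES":
        warnings.append("IPSec Encryption 3DES: legacy cipher; prefer AES where the VPN Server supports it")
    if "MD5" in (ipsec_auth, ike_auth):
        warnings.append("MD5 authentication is deprecated; prefer SHA")
    if dh_group == "Group 1":
        warnings.append("Diffie-Hellman Group 1 (768-bit MODP) is too small; use Group 2")
    if pfs == "No":
        warnings.append("PFS disabled: a compromised long-term key exposes earlier sessions")
    return {"errors": errors, "warnings": warnings}
```

Run the check on each instance before step 9 and again after the table is saved: an empty errors list means the instance satisfies the manual's rules, and the warnings list is the set of choices to confirm with the owner of the VPN Server, since both ends of the tunnel must agree on them.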

4.3 Committing VSAT Configuration Changes and Resetting VSATs

For the configuration changes to take effect, the modified VSATs must be reset.

To commit VSAT changes and reset VSATs:

1. In the VSAT Configuration window, click the Validate button.

Result: The Validate Confirmation window is displayed.

2. Click OK.

3. Click the Save button.

Result: The Save Confirmation window is displayed.


4. Click the Commit button.

Result: The Commit Confirmation window is displayed.

5. To reset one VSAT at a time, right-click the VSAT icon and select Commands→Access→Reset.

6. To reset multiple VSATs at the same time, right-click the relevant VSATs and
select Reset.

Result: The Reset Confirmation window is displayed.

7. Click Yes.

8. Verify that VSATs complete the power up sequence and enter the Backbone Up
state.


5. Installing VPNA at the Data Center

NOTE
This document describes the installation of VPNA version 2.0.1.0. This
document does not cover VPNA upgrade procedures.
For information about VPNA upgrade procedures, contact Gilat Technical
Support.

This section contains the following procedures that should be performed in this
order:

• Preparing for the VPNA Installation at the Data Center Site

• Installing VPNA

• Configuring VPNA Automatic Flash Boot Mode

• Switching to the VPNA Manual Boot Mode via CLI

• Configuring VPNA IP Addresses

• Loading VPNA Operational File

• Selecting the Active Memory Bank for the Operational File

• Loading VPNA Configuration File

• Selecting the Active Memory Bank for the Configuration File

• Selecting Automatic Flash Boot Mode from the Web

• Rebooting VPNA

• Installing and Configuring the Redundant VPNA Card

5.1 Preparing for the VPNA Installation at the Data Center Site

Before installing the VPNA at the Data Center site, verify that you have the
following:

• Copies of the relevant software files on an external device: the VPNA Operational
file and the VPNA CONFIG.xml file created after defining the VPNA on the NMS.

• A PC containing a terminal emulation program and a TFTP server that will be
used for VPNA configuration.

• A serial cable (DB-9 Female to Micro D-Sub Male), Gilat P/N CB-0383-10.

• A DB-9 Female to DB-9 Female cross cable (Null Modem).

• An Ethernet cable to connect the card to the PC (either a crossed cable or two
straight-through cables and an Ethernet hub).

5.2 Installing VPNA

To connect VPNA:

1. Install the VPNA card into the lower slot of the VPNA chassis.

2. Connect the VPNA RTM (Rear Transition module) Ethernet port to the VPNS
network. This is the permanent operation connection.

3. Connect the console port on the VPNA Front panel to the PC serial connection.
This connection is used for management purposes.

4. Connect the VPNA card’s front end Ethernet port to the PC’s LAN connection.
This connection is temporary and it is used for installation purposes.

Figure 46: VPNA – PC Connections (callouts: to the PC’s serial connection; to the PC’s LAN port)

5. Connect the VPNA to power.

6. Configure the PC IP address to be in the 172.23.X.X IP subnet.

7. Open a Terminal connection to the VPNA. The terminal or terminal emulation
program should be configured with a bit rate of 9600 bps, 8 data bits and no
parity.

NOTE
Do not power up the VPNA at this stage.

5.3 Configuring VPNA Automatic Flash Boot Mode

Gilat recommends working with the VPNA in the Automatic Flash Boot mode.
In this mode, each time the VPNA is powered on or reset, the BOOTER reads the
operational software from the active operational flash bank, loads it to memory and
executes it. The VPNA application then reads the configuration file from the active
configuration flash bank.

NOTE
For more information about other VPNA Boot modes, refer to Appendix A
- VPNA Boot Modes.

For VPNA to operate in the Automatic Flash Boot mode the operational and
configuration files must be programmed to the VPNA Flash memory in advance,
through http upload (WEB) or TFTP/FTP (CLI) and the active operational and
configuration memory banks must be defined.

5.3.1 Procedure Prerequisites

CAUTION
This procedure assumes that the VPNA Booter application has already
been programmed in the VPNA card’s flash memory. For more
information, contact Gilat Technical Support.

5.4 Switching to the VPNA Manual Boot Mode via CLI

To configure VPNA to operate in the Manual Boot mode via CLI:

1. Copy the VPNA software files from the external device to the Laptop. The
following files must be copied:

• VPNA_02.00.01.00_bin.bin

• Config.xml

2. Verify that the NIC that is connected to the VPNA is the only available
connection.

3. Open the TFTP server application and verify that it is connecting through the
correct IP address.

4. Push the Power button of the VPNA card.

Result: The VPNA power up process starts.

5. Follow the progress of the VPNA power-up process via the VPNA Console on
the PC.

6. At the VPNA-BOOTER>Automatic mode activated. Type [stop] and
hit [ENTER] key for switching to manual mode prompt
(see Figure 47), type stop and press Enter, or press Esc and then Enter, to switch to
the Manual boot mode.

7. Verify that the cli_func: Mode parameter updated in flash to
MANUAL entry, followed by the VPNA-BOOTER>VPNA-BOOTER> prompt
(see Figure 47), is displayed. This indicates that the VPNA has successfully
switched to the Manual boot mode.

NOTE
Figure 47, below, shows an example of the VPNA console printout during
the VPNA power-on process.
The actual printout during the VPNA installation may differ from the one
shown below.

Init GT MPSC0 as UART
Copy ROM to RAM
Started at phys. address: 0xff80000
Init DTLB/ITLB for block translation, enable MMU
Init L1-Icache
Init L1-Dcache
Init L2-Cache
Found IBM750FX at 667 MHz
Init exception vectors starting at address: 0x00000100
Onboard SDRAM : 256MB RAM
Init device library
Discovery.0 is /
PCI.1 is /PCI@1
PCI.0 is /PCI@0
pci.0 is /PCI@0/pci@20
Testing NVRAM......................done
Testing RAM .......................done
Testing Boot FLASH....CSUM 0x3138..done
Testing PCI Bus ...................done
Testing Discovery Ethernet.........done
Ethernet 1: 0:80:42:12:cd:3d
Ethernet 2: 0:80:42:12:cd:3e
Ethernet 3: 0:80:42:12:cd:3f

Autoboot enabled...00s
Copy USER_FLASH Memory1/2/3/4 to 0x00900000...

Start execution at boot address 0x00900000...
0xffffdf0 (tRootTask): wancom0: 10 MBPS full duplex link up
0xffffdf0 (tRootTask): wancom1: Link down
0xffffdf0 (tRootTask): wancom2: Link down
Attached TCP/IP interface to wancom unit 0
Attaching interface lo0...done

Adding 4521 symbols for standalone.

VxWorks

Copyright 1984-2002 Wind River Systems, Inc.

CPU: FORCE COMPUTERS PPC/PowerCoreCPCI-690
Runtime Name: VxWorks
Runtime Version: 5.5.1
BSP version: 1.2/2-6
Created: Dec 19 2004, 16:07:24
WDB Comm Type: WDB_COMM_END
WDB: Ready.

BOOT_FLASH_Init: Initialize handle to User_Flash_4 params OK
httpInit: Upload RPM successfully initialized.
httpInit: System File Registry successfully initialized.
httpInit: System File Manager successfully initialized.
httpInit: File System RPM successfully initialized.
httpInit: RPM dispatcher successfully initialized.
httpInit: MIME type guessing RPM successfully initialized.
BOOT_WEB_Init: WMB_COMPONENT_Start OK

VPNA Booter 02.00.01.00 starting...

VPNA booter software linked with boot_web library version 02.00.01.00
VPNA-BOOTER>Automatic mode activated. Type [stop] and hit [ENTER]
key for switching to manual mode.
System will operate EXTERNAL mode in.....: 05s
Type “stop” and press [ENTER] key here
cli_func: Changing to manual configuration mode...
Space required in flash memory: 880 bytes

Found 1 device(s) to program ...
Erasing: Bank 1, offset 0x0, size 0x20000 ...
Erasing flash memory ...
done.

Programming: Bank 1, offset 0x0, size 0x370 ...
Programming flash memory

0 |##################################################| 100%

Done.

Verifying: Bank 1, offset 0x0, size 0x20000 ...
PASS

cli_func: Mode parameter updated in flash to MANUAL
VPNA-BOOTER>VPNA-BOOTER>

VPNA-BOOTER>
Figure 47: Switching to the VPNA Manual Boot Mode

8. Configure the VPNA Control IP address as described in Section 5.5 Configuring
VPNA IP Addresses.

5.5 Configuring VPNA IP Addresses

NOTE
This section describes how to configure the VPNA Control port IP address to
enable Web access to the VPNA.
This procedure can be performed only via the VPNA console.

To configure the VPNA IP addresses:

1. Verify that the VPNA-BOOTER> prompt is displayed.

2. Configure the VPNA Control port IP address and Dummy Server IP address by
issuing a bootchange command (as shown in the listing below) and entering data
in the following fields:

• boot device – VPNA card control port number (e.g., wancom0)

• inet on ethernet (e) – VPNA control port IP address. Available during Booter
and VPNA application execution. This is a temporary server IP address that will
be used for VPNA configuration. This address will be used for Web connection
to the VPNA. The value differs depending on whether the system contains one or
two VPNA cards (non-redundant vs redundant).

− In the non-redundant VPNA setups, the inet on ethernet parameter should
be set to the VPNA Virtual IP address as it appears in the General
parameters section of the VPNA Configuration file. The default value is
172.23.123.123.

Figure 48: Non-Redundant VPNA Virtual IP Address

− In the redundant VPNA setups, the inet on ethernet parameter should be
set to the VPNA Private IP address as it appears in the Redundancy
parameters section of the VPNA Configuration file. The default Private IP
address for the first VPNA card is 172.17.4.2 and 172.17.4.3 for the second
VPNA card.

Figure 49: Redundant VPNA IP Addresses

• host inet (h) – Dummy IP address (e.g., 100.100.100.100)

NOTE
In the non-redundant VPNA setups (where only one VPNA card is
installed), the inet

VPNA-BOOTER>bootchange

cli_func: Starting Vxworks Boot parameters configuration...
'.' = clear field; '-' = go to previous field; ^D = quit
boot device : wancom0
processor number : 0
host name :
file name :
inet on ethernet (e) : 172.23.123.123
inet on backplane (b):
host inet (h) : 100.100.100.100
(…)
************************************************************
CARD SHOULD BE REBOOTED IN ORDER FOR CHANGES TO BE EFFECTIVE
************************************************************

VPNA-BOOTER>

3. Reboot the VPNA card by issuing the reset command and pressing Enter.

VPNA-BOOTER> reset
cli_func: Resetting VPNA Booter...

Result: The VPNA card is reset.

4. Wait until the VPNA-BOOTER> prompt reappears, indicating that the reset
process is complete.

5. Load VPNA Operational file as described in Section 5.6 Loading VPNA
Operational File.
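A wrong inet on ethernet value leaves the card reachable only through its console after the reset, so the boot parameters are worth checking before step 3. The following Python script is an added example, not part of this document or the VPNA software: it parses the bootchange listing echoed by the Booter (a constructed sample with the defaults above) and compares the control-port fields against the non-redundant and redundant values given in this section.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of the Booter's "bootchange" console listing from
# Section 5.5, using the document's default values (non-redundant setup).
SAMPLE_BOOTCHANGE = """\
VPNA-BOOTER>bootchange
cli_func: Starting Vxworks Boot parameters configuration...
'.' = clear field; '-' = go to previous field; ^D = quit
boot device : wancom0
processor number : 0
host name :
file name :
inet on ethernet (e) : 172.23.123.123
inet on backplane (b):
host inet (h) : 100.100.100.100
************************************************************
CARD SHOULD BE REBOOTED IN ORDER FOR CHANGES TO BE EFFECTIVE
************************************************************
"""

# Expected control-port addresses from Section 5.5: the Virtual IP for a
# single-card setup, and the per-card Private IPs for a redundant setup.
NON_REDUNDANT_VIRTUAL_IP = "172.23.123.123"
REDUNDANT_PRIVATE_IPS = {1: "172.17.4.2", 2: "172.17.4.3"}

# "name (k) : value" as echoed by bootchange; the "(k)" shortcut and the
# value are optional (empty fields such as "host name :" are echoed too).
FIELD_RE = re.compile(
    r"^(?P<name>[a-z][a-z ]*?)\s*(?:\([a-z]\))?\s*:\s*(?P<value>\S*)\s*$"
)


def parse_bootchange(listing: str) -> Dict[str, str]:
    """Map each VxWorks boot-parameter field echoed by bootchange to its value."""
    fields: Dict[str, str] = {}
    for line in listing.splitlines():
        match = FIELD_RE.match(line.strip())
        if match:
            fields[match.group("name").strip()] = match.group("value")
    return fields


def check_boot_params(fields: Dict[str, str], redundant: bool,
                      card_index: int = 1) -> List[str]:
    """Return the problems found; an empty list means the fields match Section 5.5."""
    problems: List[str] = []

    # The boot device must be the card's control port (wancom0 in the listing).
    device = fields.get("boot device", "")
    if not re.fullmatch(r"wancom\d+", device):
        problems.append(f"boot device {device!r} is not a VPNA control port (wancomN)")

    # Non-redundant: the Virtual IP. Redundant: the Private IP of this card.
    expected = (REDUNDANT_PRIVATE_IPS[card_index] if redundant
                else NON_REDUNDANT_VIRTUAL_IP)
    control = fields.get("inet on ethernet", "")
    try:
        control_ip = str(ipaddress.IPv4Address(control))
    except ipaddress.AddressValueError:
        problems.append(f"inet on ethernet {control!r} is not a valid IPv4 address")
    else:
        if control_ip != expected:
            setup = f"redundant card {card_index}" if redundant else "non-redundant"
            problems.append(f"inet on ethernet is {control_ip}, expected {expected} for a {setup} setup")

    # host inet only needs to be a syntactically valid (dummy) address.
    host = fields.get("host inet", "")
    try:
        ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        problems.append(f"host inet {host!r} must be set to a dummy IPv4 address")

    return problems


if __name__ == "__main__":
    parsed = parse_bootchange(SAMPLE_BOOTCHANGE)
    for name, value in parsed.items():
        print(f"{name:22s}: {value or '<empty>'}")
    found = check_boot_params(parsed, redundant=False)
    print("\n".join(found) if found else "OK: fields match the non-redundant defaults")
```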

5.6 Loading VPNA Operational File

CAUTION
Loading an incorrect VPNA Operational file may cause the VPNA to be
inaccessible via the web interface. In this case, the VPNA should be
accessed through its console connection.

This section describes how to load the VPNA operational file into the VPNA
memory banks. VPNA has two memory banks (Bank A and Bank B) that store the
VPNA software file. The VPNA operational file (VPNA_02.00.01.00_bin.bin)
should be programmed in both banks. Then, one memory bank is selected as the active
bank from which the file will be loaded. By default, the active bank is Bank A.

NOTE
Use the procedure described below to load the VPNA Operational file to
both VPNA Flash banks.

To load VPNA Operational file:

1. On the Laptop connected to the VPNA, open Internet Explorer and type the
VPNA Management IP address as the URL address:
http://<VPNA management IP address>. The default value is 172.23.123.123.

Result: The SkyManage VPNA Status page is displayed.

Figure 50: SkyManage VPNA Status Page (Partial View)

2. The SkyManage VPNA Status page provides information about the VPNA status.
At this stage of the installation, the VPNA should be in the Manual Boot mode, as
shown in Figure 50.
For more information about the VPNA Status page, refer to
Section 7.1.1 VPNA Status.

3. On the VPNA SkyManage toolbar, click Installer.

Result: The VPNA Logon window is displayed.

Figure 51: VPNA Configuration Logon

4. Log on to the VPNA Configuration page as follows:

• User name – inst

• Password – $Sat3998$

5. Click OK.

Result: The VPNA Installer – Boot Info page is displayed.

Figure 52: VPNA Installer - Boot Info Page

6. In the left pane, click Load Operational File.

Figure 53: Loading Operational File Option

Result: The Load Operational File page is displayed.

Figure 54: Loading VPNA Operational File

7. Select the Flash memory bank (Bank A or Bank B) to which the Operational
file will be loaded.

8. In the Load Operational file box, enter the full path and name of the VPNA
Operational file or click Browse to locate the file on the PC.

9. Click Load.

Result: The Confirmation window is displayed.

10. Click OK to load the VPNA Operational file.

11. Wait for the file loading process to complete. Depending on the file size, this
process may take up to a few minutes.

Result: Upon completion of the file loading process, the Operation
Succeeded Confirmation message is displayed.

12. Click OK.

13. Load the VPNA Operational file to the second Flash memory bank as described
in steps 5 through 11.

5.7 Selecting the Active Memory Bank for the Operational File

This section explains how to select the active VPNA memory bank from which the
Operational file will be loaded.

To select the active memory bank:

1. In the SkyManage Configuration page, select Boot Params from the left menu.

Figure 55: Configuring Boot Parameters

Result: The VPNA Boot Parameters page is displayed.

Figure 56: VPNA Installer – Boot Params Page

2. Under Program Active Bank selection to flash, in the Select file type section,
select VPNA Operational file.

3. In the Select active bank section, select the master memory bank (e.g., Bank A)
from which the VPNA Operational file will be loaded.

Figure 57: Programming Active Memory Bank

4. Click Select Bank.

Result: The Flash Programming was successful message is displayed upon
completion of the programming process.

Figure 58: Programming Active Bank - Completed

5.8 Loading VPNA Configuration File

CAUTION
Loading an incorrect VPNA Configuration file may cause the VPNA to be
inaccessible via the web interface. In this case, the VPNA should be
accessed through its console connection.

This section describes how to program the VPNA configuration file (Config.xml)
into the VPNA memory banks. VPNA has two memory banks (Bank A and Bank B)
that store the VPNA software files. The VPNA configuration file should be programmed
in both banks. Then, one memory bank is selected as the active bank from which the file
will be loaded. By default, the active bank is Bank A.

NOTE
Use the procedure described below to load the VPNA Configuration file to
both VPNA Flash banks.

The Config.xml file is the VPNA configuration file that was created using the
SkyEdge NMS as described in Section 3.5 Configuring VPNA Parameters.

To program VPNA Configuration file (Config.xml):

1. In the left pane of the VPNA SkyManage page, select Load Configuration File.

Figure 59: Selecting the Load Configuration File Option

Result: The Select flash bank page is displayed.

Figure 60: VPNA Installer – Load Configuration File Page

2. Select the VPNA Flash memory bank (Bank A or Bank B) to which the
Configuration File will be loaded.

3. In the Load Configuration file box, enter the full path and name of the VPNA
Configuration file or click Browse to locate the file on the PC.

4. Click Load.

Result: The Confirmation window is displayed.

5. Click OK to load the VPNA Configuration file.

6. Wait for the file loading process to complete. Depending on the file size, this
process may take up to a few minutes.

Result: Upon completion of the file loading process, the Operation
Succeeded Confirmation message is displayed.

7. Click OK.

8. Load the VPNA Configuration file to the second Flash memory bank as
described in steps 1 through 7.

5.9 Selecting the Active Memory Bank for the Configuration File

This section describes how to select the active VPNA memory bank from which the
Configuration file will be loaded.

To select the active memory bank:

1. In the SkyManage Configuration page, select Boot Params from the left menu.

Result: The VPNA Boot Parameters page is displayed.

Figure 61: Programming Active Bank for the VPNA Configuration File

2. Under Program Active Bank selection to flash, in the Select file type section,
select VPNA Configuration file.

3. In the Select active bank section, select the master memory bank (e.g., Bank A)
from which the VPNA Configuration file will be loaded.

4. Click Select Bank.

Result: The Flash Programming was successful message is displayed upon
completion of the programming process.

5.10 Selecting Automatic Flash Boot Mode from the Web

NOTE
For information on how to set the VPNA Automatic Flash Boot mode from
the CLI, refer to Appendix C – Selecting Automatic Flash Boot Mode from
the VPNA Console.

It is recommended to configure VPNA to work in the Automatic Flash boot mode. In
this mode the VPNA will load Operational software from its Flash, run VPNA
application and then load Configuration file from Flash.

When configuring Automatic Flash boot mode, the countdown parameter is
specified. The countdown parameter indicates a timeout before operating the selected
boot mode. During this timeout, you can stop the Automatic boot mode and switch
into Manual mode.

To select the VPNA boot mode:

1. In the VPNA SkyManage page, select Boot Params from the left menu.

Figure 62: Configuring Boot Parameters

Result: The VPNA Boot Parameters page is displayed.

2. Scroll down to the Select Boot mode section.

Figure 63: Selecting Automatic Flash Boot Mode

3. In the Select Boot mode section, select the Automatic Flash boot mode.

4. In the Countdown field, enter 12 seconds (this value is hard-coded). The
countdown is the timeout before the selected boot mode starts; during this timeout,
the user can stop the Autoboot mode and switch to the Manual mode.

5. Click Select Boot Mode.

Result: The Flash programming was successful message is displayed on the
Boot mode selection and timeout modification page.

NOTE
If an error message is displayed, select the Automatic Boot mode
manually from the console as described in Appendix C – Selecting
Automatic Flash Boot Mode from the VPNA Console.

6. Click Back to return to the VPNA Configuration page.

Figure 64: Boot Mode - Selected

5.11 Rebooting VPNA

NOTE
For the configuration changes to take effect, the VPNA must be reset. For
information on how to reboot the VPNA through the VPNA CLI, refer to
steps 3-4, Section 5.5 Configuring VPNA IP Addresses.

To reset the VPNA via the Web:

1. In the left pane of the VPNA SkyManage page, click Reset.

Figure 65: Selecting the Reset Option

Result: The VPNA Reset page is displayed.

Figure 66: Resetting the VPNA

2. Click Reset VPNA.

Result: The VPNA Reset Confirmation window is displayed.

3. Click OK to reset the VPNA.

Result: The VPNA Reset window is displayed.

Figure 67: VPNA Reset

4. Click OK.

5. Wait for the VPNA to complete its power-up sequence. Press F5 to refresh the
VPNA web interface.

6. When the power-up process is completed, the VPNA Status page is displayed as
shown below.

Figure 68: VPNA Status

5.12 Installing and Configuring the Redundant VPNA Card

The VPNA Redundancy mechanism requires placing two VPNA machines (pizza
boxes) at the customer’s Data Center, each operating one CompactPCI card running
the VPNA operational software.

To connect a Redundant VPNA card:

1. Install the VPNA card into the lower slot of the redundant VPNA chassis.

2. Connect the VPNA RTM (Rear Transition module) Ethernet port to the VPNS
network. This is the permanent operation connection.

To configure the VPNA Redundant card:

• Perform the procedures described in Sections 5.3 through 5.11.

6. Configuring VPNA via the Web Interface

This section describes the following procedures:

• Configuring the VPNA Parameters

• Submitting VPNA Configuration Changes

• Enabling Configuration Version Check

• Rebooting VPNA

6.1 Configuring the VPNA Parameters

NOTE
VPNA can be also configured via the SkyEdge NMS. For more
information, refer to Section 3 Configuring VPNA at the SkyEdge Hub.
VPNA Web configuration interface is similar to the SkyEdge VPNA NMS
configuration windows. For VPNA configuration guidelines, refer to
Section 3.5 Configuring VPNA Parameters.

To update the VPNA configuration parameters:

1. On the Laptop connected to the VPNA, open Internet Explorer and type the
VPNA Management IP address as the URL address:
http://<VPNA management IP address>. The default value is 172.23.123.123.

Result: The VPNA Status page is displayed.

2. Click the Tools option on the SkyManage Menu bar.

Figure 69: SkyManage Menu Bar with the Tools Option Selected

Result: The Tools page is displayed.

3. Click Config in the left menu.

Result: The VPNA Configuration page (General) is displayed.

Figure 70: SkyManage VPNA Configuration Page (General)

4. Configure/Review VPNA General parameters.

5. Click Backbone.

Result: The VPNA Backbone parameters are displayed.

Figure 71: VPNA Backbone Parameters

6. Configure/Review VPNA Backbone parameters.

7. Click Ports > Application > IP.

Result: The VPNA IP parameters are displayed.

Figure 72: VPNA IP Configuration

8. Configure/Review VPNA IP parameters.

9. Click Ports > Application > TCP.

Result: The VPNA TCP parameters are displayed.

Figure 73: VPNA TCP Configuration

10. Configure/Review VPNA TCP parameters.

11. Click Ports > Application > NAT.

Result: The VPNA NAT parameters are displayed.

Figure 74: VPNA NAT Configuration

12. Configure VPNA NAT settings as described in Section 3.9 Configuring VPNA
NAT Parameters.

13. If the system contains a redundant VPNA card, click Redundancy to configure
the VPNA Redundancy parameters. If there is only one VPNA card in the system,
skip this step and proceed to step 14.

Result: The VPNA Redundancy parameters are displayed.

Figure 75: VPNA Redundancy Parameters

14. Configure/Review the VPNA Redundancy parameters.

15. Click Advanced.

Result: The VPNA Advanced parameters are displayed.

Figure 76: VPNA Advanced

16. Configure/Review VPNA Advanced parameters.

17. If any changes were made, submit VPNA configuration and reboot the VPNA
card as described in Section 6.2 Submitting VPNA Configuration Changes.

6.2 Submitting VPNA Configuration Changes

For the VPNA configuration changes to take effect, the VPNA configuration must be
submitted and then the VPNA card must be rebooted.

To submit the VPNA configuration changes:

1. Open the SkyManage Tools page.

Figure 77: VPNA Tools Page

2. Click the Submit button.

Result: The Select Flash bank window is displayed.

Figure 78: Selecting VPNA Flash Bank

NOTE
Gilat recommends loading VPNA configuration changes into both VPNA
memory banks.

3. Click Flash-A to load the VPNA configuration changes to Bank A.

4. Wait for the loading process to complete.

Result: Upon completion of the loading process, the Operation Succeeded
message is displayed.

5. Click OK.

6. Load VPNA configuration changes to the second Flash memory bank (Flash-B)
as described in steps 1 through 5.

7. Enable the VPNA Configuration Version check as described in Section 6.3
Enabling Configuration Version Check.

6.3 Enabling Configuration Version Check

The Configuration Version Check option serves to verify that the VPNA
Operational Software version matches the Configuration file version. If there is a
mismatch, the VPNA reboots.

If the Configuration Version Check option is disabled, VPNA powers up without
checking the Configuration file version. It is recommended to enable the
Configuration Version Check during normal operation of the VPNA.

By default, the Configuration Version Check option is enabled.

To enable the Configuration Version Check option:

1. In the left pane of the VPNA SkyManage page, click Set Config Version Check.

Result: The Select Active Configuration file version page is displayed.

Figure 79: Enabling Configuration Version Check

2. Check the Enabled option.

3. Click Update.

Result: The Confirmation window is displayed.

4. Click OK.

Result: The VPNA configuration is updated.

5. Upon completion of the update process, the Operation Succeeded message is
displayed.

6. Click OK.

7. Reboot VPNA as described in Section 6.4 Rebooting VPNA.

6.4 Rebooting VPNA

To reset the VPNA via the Web interface:

1. In the left pane of the VPNA SkyManage page, click Reset.

Result: The VPNA Reset page is displayed.

Figure 80: Resetting the VPNA

2. Click Reset VPNA.

Result: The VPNA Reset Confirmation window is displayed.

3. Click OK to reset the VPNA.

Result: The VPNA Reset window is displayed.

Figure 81: VPNA Reset

4. Click OK.

5. Wait until VPNA completes its power-up sequence.

7. VPNA Monitoring

This section describes the following:

• VPNA SkyManage Telemetries

• VPNA Console Commands

7.1 VPNA SkyManage Telemetries

7.1.1 VPNA Status

To access the VPNA Status page:

1. Open the VPNA SkyManage web page.

2. On the VPNA toolbar, click Status.

Result: The VPNA Status page is displayed.

3. On the Status menu, click Status.

Result: The VPNA Status page is displayed.

Figure 82: VPNA Status

The VPNA Status page provides the following information:

• Mode – VPNA current operation mode.

• State – indicates whether VPNA is in the Active or Standby state.

• Version – the VPNA software version.

• Active BB Links – indicates the number of the VSATs currently connected to
the VPNA via VPN links.

• Operation Time – indicates the period since the last VPNA reboot.

7.1.2 VPNA Info

The VPNA Info page displays VPNA Configuration parameters.

• To access the VPNA Info page, click Info on the Status menu.

Figure 83: VPNA Information

7.1.3 VPNA CPU Usage Telemetry

NOTE
The VPNA CPU telemetry is also available from the VPNA Console. For
information about the VPNA Console commands, refer to Section 7.2
VPNA Console Commands.

The VPNA CPU telemetry displays the current VPNA CPU utilization as a percentage.

NOTE
If the VPNA CPU utilization approaches 80%, contact Gilat Technical
Support.

To display the VPNA CPU utilization:

1. On the SkyManage toolbar, click Telemetry.

Result: The SkyManage Telemetry page is displayed.

2. In the left pane of the SkyManage Telemetry page, click CPU.

Result: The VPNA CPU telemetry is displayed.

Figure 84: VPNA CPU Utilization Telemetry

3. The CPU Utilization telemetry is continuously updated.

4. Right-click the Graph icon and select the length of the graph in minutes.

Figure 85: Selecting the CPU Utilization Graph Size

Result: The CPU Utilization graph of the selected length (in minutes) is
displayed.

Figure 86: CPU Utilization Displayed as a Graph

The CPU Utilization graph provides the following information:

• Graph Refresh rate – this is a hard-coded value. It is set to 3 seconds.

• Current – indicates the current VPNA CPU Utilization.

• Minimal – indicates the minimal CPU Utilization since the CPU Utilization
telemetry was invoked.

• Peak – indicates the highest CPU Utilization since the CPU Utilization telemetry
was invoked.

• Average – indicates the average CPU Utilization since the CPU Utilization
telemetry was invoked.

7.1.4 VPNA Active Backbone Links Telemetry

NOTE
The VPNA Active BB Links telemetry is also available from the VPNA
Console. For information about the VPNA Console commands, refer to
Section 7.2 VPNA Console Commands.

The VPNA Active Backbone Links telemetry displays the number of currently
active VPN (VSAT-VPNA) links.

To display the VPNA Active Backbone Links telemetry:

1. On the SkyManage toolbar, click Telemetry.

Result: The SkyManage Telemetry page is displayed.

2. In the left pane of the SkyManage Telemetry page, click Active BB Links.

Result: The VPNA Active BB Links telemetry is displayed.

Figure 87: VPNA Active Backbone Links

The Active Backbone Links on VPNA command provides the following
information for each VSAT that is connected to the VPNA via a VPN link at the time
the command is issued:

• CPA – the unique ID number of the VSAT that is currently connected to the VPNA
via the VPN tunnel.

• VSAT State

− I_STATE (Information state) – indicates that the VSAT is in the Backbone
UP state.

− BLOCKED – indicates that the VPNA has sent a Disconnect message to the
VSAT. This is an internal VPNA state and is not related to the VSAT AAA
mechanism.

− SDCE – this is an internal VPNA state and indicates that a VSAT has sent a
packet to the VPNA while the VPNA was being reset.

• VSAT Mode

− SAT (satellite) – VSAT standard operation mode.

• OB ID – the Outbound ID configured for the specified VSAT.

• Total Backbone Links UP – the number of VSATs that were in the Backbone
Up state and connected to the VPNA via the VPN link when the command was
issued.

• Total Links Configured – this field is not in use.

7.2 VPNA Console Commands

VPNA monitoring is done mostly using the VPNA Console commands.

CAUTION
Incorrect use of the VPNA Console commands will damage the system.
The VPNA Console commands should be used by experienced personnel
trained to work with SkyEdge equipment.

This section describes the main VPNA console commands:

• VERSION

• BB LINKS

• CPU Utilization

• IP RTDMP

• ROUTE PRINT

• OB STAT

• IB STAT

• VIEW

7.2.1 VERSION

Command Name

Version

Purpose

To display the VPNA software version number and the date that it was created.

Syntax

version

Example

The following message is displayed when the command is issued:

VPNA10>version
version
1970-JAN-17 03:32:16
VPNA software compiled on Apr 11 2006, 12:09:52, Running XML
version: 02.00.01.00

7.2.2 BB LINKS

Command Name

Backbone Links

Purpose

To display the number of currently active VPN (VSAT-VPNA) links.

Syntax

bb links

Example

The following message is displayed when the command is issued:

VPNA10>bb links
bb links
1970-JAN-17 03:30:50
-----------------------------------------------------------------
Backbone Links On VPNA
-----------------------------------------------------------------
-----------------------------------------------------------------
Total Backbone Links UP = 0
Total Links configured = 32640
-----------------------------------------------------------------

Explanation

The VPNA Active Backbone Links command provides the following information
for each VSAT that is connected to the VPNA via a VPN link at the time the
command is issued:

• CPA – the unique ID number of the VSAT that is currently connected to the VPNA
via the VPN tunnel.

• VSAT State

− I_STATE (Information state) – indicates that the VSAT is in the Backbone
UP state.

− BLOCKED – indicates that the VPNA has sent a Disconnect message to the
VSAT. This is an internal VPNA state and is not related to the VSAT AAA
mechanism.

− SDCE – this is an internal VPNA state and indicates that a VSAT has sent a
packet to the VPNA while the VPNA was being reset.

• VSAT Mode

− SAT (satellite) – VSAT standard operation mode.

• OB ID – the Outbound ID configured for the specified VSAT.

• Total Backbone Links UP – the number of VSATs that were in the Backbone
Up state and connected to the VPNA via the VPN link when the command was
issued.

• Total Links Configured – this field is not in use.

7.2.3 CPU Utilization

Command Name

CPU

Purpose

To display the VPNA CPU utilization.

NOTE
If the VPNA CPU utilization approaches 80%, contact Gilat Technical
Support.

Example

The following message is displayed when the command is issued:

VPNA10>cpu
cpu
1970-JAN-17 03:32:19
cpu utilization: 0% max cpu utilization was 100%

Explanation

The cpu command displays the current VPNA CPU utilization as a percentage
and the maximum CPU utilization recorded since the VPNA was last reset.

7.2.4 IP RTDMP

NOTE
The ip rtdmp command provides the same information as the
route print command.
For more information about the route print command, refer to
Section 7.2.5, ROUTE PRINT.

Command Name

IP Route Dump

Purpose

To display the contents of the VPNA routing table as it appears at the time the
command is issued. The ip rtdmp command provides a momentary snapshot of the
VPNA routing table.

The ip rtdmp command displays the following information:

• Static routes

• RIP dynamic routes. The ip rtdmp command displays valid RIP dynamic
routes. Expired routing entries are not displayed by this command.

NOTE
To restart the ip rtdmp counters, the VPNA must be reset.

Syntax

ip rtdmp

Example

The following message is displayed when the command is issued:

VPNA10>ip rtdmp
ip rtdmp

1970-JAN-17 03:31:37

VLAN 0
---------------+---------------+---------------+----+----+-----+----------+-----
IP | MASK | GW | IF | MT | ttl | ref | GID
---------------+---------------+---------------+----+----+-----+----------+-----
0. 0. 0. 0| 0. 0. 0. 0| 10. 2. 2.254| 2 | 1 | 9999| 31798| 0
10. 2. 0. 0|255.255. 0. 0| 10. 2. 2. 2| 2 | 0 | 9999| 71512| 0
10. 2.255.255|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 0| 0
10. 2. 2. 2|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 63522| 0
10. 2. 0. 0|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 87| 0
---------------+---------------+---------------+----+----+-----+----------+-----
Total route entries: 5
--------------------------------------------------------------------------------

Explanation

NOTE
The first entry in the VPNA routing table defines the VPNA Default
Gateway address. If a packet's destination address does not match any
of the entries in the routing table, the VPNA forwards the packet to its
Default Gateway. In a standard configuration, the VPNS server is the VPNA
Default Gateway.

The ip rtdmp command provides the following information:

• IP – the destination IP address

• Mask – the destination subnet mask

• GW – the Gateway address to the selected destination

• IF – VPNA Interface:

− 2 – Ethernet

− 0 – Local (VPNA)

− 3 – Satellite interface

− In this example, the VPNA routing table contains two entries on the
VPNA Ethernet interface and three entries on the VPNA local interface.

• MT (Metric) – the number of hops between the packet source and destination.

• TTL (Time to Live) – the period during which the routing entry is valid.

− 9999 – static routing entries.

− <any other value> – RIP dynamic routing entries.

− In the example above, all VPNA routing entries are static.

• Reference (ref) – the number of packets received by the VPNA from the selected
interface since the VPNA was last reset.

• GID – not in use.

• Total Routing Entries – the number of routing entries in the VPNA routing
table.
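The following script is an added example (not Gilat code) that parses the ip rtdmp / route print table shown above and applies the interface and TTL meanings documented for the command: IF 0, 2 and 3 map to local, Ethernet and satellite, a ttl of 9999 marks a static entry and any other value a RIP entry, and the 0.0.0.0/0.0.0.0 entry is the Default Gateway. It also cross-checks the parsed row count against the Total route entries line the VPNA prints. The sample text is the manual's own VLAN 0 example; the function and field names are this example's choice.

```python
"""Parse the VPNA 'ip rtdmp' / 'route print' table and summarise it (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

IF_NAMES = {0: "local", 2: "ethernet", 3: "satellite"}  # IF codes as documented
STATIC_TTL = 9999                                        # ttl documented for static routes

# Sample output, taken from the manual's ip rtdmp example (VLAN 0).
SAMPLE_RTDMP = """\
VLAN 0
---------------+---------------+---------------+----+----+-----+----------+-----
IP | MASK | GW | IF | MT | ttl | ref | GID
---------------+---------------+---------------+----+----+-----+----------+-----
0. 0. 0. 0| 0. 0. 0. 0| 10. 2. 2.254| 2 | 1 | 9999| 31798| 0
10. 2. 0. 0|255.255. 0. 0| 10. 2. 2. 2| 2 | 0 | 9999| 71512| 0
10. 2.255.255|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 0| 0
10. 2. 2. 2|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 63522| 0
10. 2. 0. 0|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 87| 0
---------------+---------------+---------------+----+----+-----+----------+-----
Total route entries: 5
--------------------------------------------------------------------------------
"""

@dataclass
class RouteEntry:
    ip: str
    mask: str
    gw: str
    iface: int
    metric: int
    ttl: int
    ref: int
    gid: int

    @property
    def is_static(self) -> bool:
        return self.ttl == STATIC_TTL

    @property
    def is_default(self) -> bool:
        return self.ip == "0.0.0.0" and self.mask == "0.0.0.0"

def _ip(field: str) -> str:
    """The console pads octets with spaces ('10. 2. 2.254'); normalise them."""
    return ".".join(octet.strip() for octet in field.split("."))

def parse_rtdmp(text: str) -> List[RouteEntry]:
    entries = []
    for line in text.splitlines():
        if "|" not in line or line.lstrip().startswith("IP"):
            continue  # separator rows, the header row, the VLAN banner, the totals line
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 8:
            continue
        ip, mask, gw, iface, metric, ttl, ref, gid = cols
        entries.append(RouteEntry(_ip(ip), _ip(mask), _ip(gw), int(iface),
                                  int(metric), int(ttl), int(ref), int(gid)))
    return entries

def printed_total(text: str) -> Optional[int]:
    """The 'Total route entries: N' value printed by the VPNA, if present."""
    for line in text.splitlines():
        if line.startswith("Total route entries:"):
            return int(line.split(":", 1)[1])
    return None

def summarize(text: str) -> Dict[str, object]:
    entries = parse_rtdmp(text)
    by_if = Counter(IF_NAMES.get(e.iface, f"if{e.iface}") for e in entries)
    total = printed_total(text)
    return {
        "parsed": len(entries),
        "printed_total": total,
        "total_consistent": total is None or total == len(entries),
        "static": sum(1 for e in entries if e.is_static),
        "rip_dynamic": sum(1 for e in entries if not e.is_static),
        "by_interface": dict(by_if),
        "default_gateway": next((e.gw for e in entries if e.is_default), None),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RTDMP).items():
        print(f"{key}: {value}")
```

For the manual's example the summary reports five static entries, two on the Ethernet interface and three on the local interface, and 10.2.2.254 (the VPNS) as the Default Gateway, matching the explanation above.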

7.2.5 ROUTE PRINT

Purpose

To display the contents of the VPNA routing table as it appears at the time the
command is issued. The route print command provides a momentary snapshot
of the VPNA routing table. To display information about all VLANs configured in
the system, use the route print all command.

Example

In this example, the route print command displays information about VLAN 0:

VPNA10>route print
route print

1970-JAN-17 03:32:11

VLAN 0
---------------+---------------+---------------+----+----+-----+----------+-----
IP | MASK | GW | IF | MT | ttl | ref | GID
---------------+---------------+---------------+----+----+-----+----------+-----
0. 0. 0. 0| 0. 0. 0. 0| 10. 2. 2.254| 2 | 1 | 9999| 31798| 0
10. 2. 0. 0|255.255. 0. 0| 10. 2. 2. 2| 2 | 0 | 9999| 71512| 0
10. 2.255.255|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 0| 0
10. 2. 2. 2|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 63522| 0
10. 2. 0. 0|255.255.255.255| 10. 2. 2. 2| 0 | 0 | 9999| 87| 0
---------------+---------------+---------------+----+----+-----+----------+-----
Total route entries: 5
--------------------------------------------------------------------------------

Explanation

For explanation of the route print command refer to Section 7.2.4 IP RTDMP.

7.2.6 OB STAT

Command Name

Outbound Statistics

Purpose

To display the Outbound statistics. The obstat command displays information
about Outbound traffic going to VSATs through the VPNA tunnels.

Syntax

obstat

Example

The following message is displayed when the command is issued:

VPNA10>obstat
obstat

1970-JAN-17 03:32:32

JAN 17 03:32
********** VPNA Outbound Statistics *************
----------------------------------------------------
Total packets handled to Outbound : 31778
Total packets sent to VPN Server : 31778
Total packets failed to be sent : 0
Total multicast\broadcast packets (discarded): 0
Total packets when BB link down (discarded): 0
----------------------------------------------------

Explanation

The obstat command provides the following information:

• Total packets handled to Outbound – the number of packets sent to
the VSATs.

• Total packets sent to VPN Server – the number of packets sent to the
VPNS to be forwarded to the VSATs. This parameter should be equal to the
Total packets handled to Outbound parameter.

• Total packets failed to be sent – the total number of packets that could not be
sent.

• The rest of the fields are used for debugging purposes.

7.2.7 IB STAT

Command Name

Inbound Statistics

Purpose

To display the VPNA Inbound statistics. The ibstat command provides statistics
about the traffic from the VSATs to the Destination PC at the Remote Data Center.

Syntax

ibstat

Example

The following message is displayed when the command is issued:

VPNA10>ibstat
ibstat
1970-JAN-18 05:45:23

JAN 18 05:45
********** VPNA Inbound Statistics *************
----------------------------------------------------
Total packets recv with VPN RAW IP protocol : 31744
Total packets recv with destination VPNA : 31744
Total packets handled successfully : 31744
Total packets handling failed : 0
Total packets failed on invalid VSAT CPA : 0
Total packets failed on invalid IP packet size : 0
Total packets failed on VPNS table full : 0
----------------------------------------------------

Explanation

The ibstat command provides the following information:

• Total packets received with VPN RAW IP protocol – the number of
Raw IP packets received by the VPNA.

• Total packets received with destination VPNA – the number of
packets received by the VPNA. This parameter should be equal to the Total
packets handled to Outbound parameter.

• Total packets handled successfully – the total number of packets that were
successfully transmitted to the Destination PC by the VPNA.

• The rest of the fields are used for debugging purposes.
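The obstat and ibstat Explanations above state which counters should agree; the following script is an added example (not Gilat code) that parses both outputs and reports any counter that breaks those expectations. The equality rule for obstat (handled to Outbound equals sent to VPN Server) is the one the manual states; the inbound equalities (raw IP received equals destined to VPNA equals handled successfully) and the rule that every failed or discarded counter should be zero are this example's own assumptions about a healthy VPNA. The two good samples are the manual's command examples; the degraded inbound sample is constructed.

```python
"""Consistency checks on VPNA 'obstat' and 'ibstat' counters (added example)."""
from typing import Dict, List

SAMPLE_OBSTAT = r"""
********** VPNA Outbound Statistics *************
----------------------------------------------------
Total packets handled to Outbound : 31778
Total packets sent to VPN Server : 31778
Total packets failed to be sent : 0
Total multicast\broadcast packets (discarded): 0
Total packets when BB link down (discarded): 0
----------------------------------------------------
"""

SAMPLE_IBSTAT = r"""
********** VPNA Inbound Statistics *************
----------------------------------------------------
Total packets recv with VPN RAW IP protocol : 31744
Total packets recv with destination VPNA : 31744
Total packets handled successfully : 31744
Total packets handling failed : 0
Total packets failed on invalid VSAT CPA : 0
Total packets failed on invalid IP packet size : 0
Total packets failed on VPNS table full : 0
----------------------------------------------------
"""

# Constructed (not from the manual): 12 inbound packets rejected on an invalid VSAT CPA.
DEGRADED_IBSTAT = r"""
Total packets recv with VPN RAW IP protocol : 31756
Total packets recv with destination VPNA : 31756
Total packets handled successfully : 31744
Total packets handling failed : 12
Total packets failed on invalid VSAT CPA : 12
Total packets failed on invalid IP packet size : 0
Total packets failed on VPNS table full : 0
"""

def parse_stats(text: str) -> Dict[str, int]:
    """Turn each 'Total ... : N' counter line into a name -> int mapping."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Total") or ":" not in line:
            continue  # banner, separators and the timestamp line
        name, _, value = line.rpartition(":")
        stats[name.strip()] = int(value)
    return stats

def check_outbound(stats: Dict[str, int]) -> List[str]:
    findings = []
    handled = stats["Total packets handled to Outbound"]
    sent = stats["Total packets sent to VPN Server"]
    if handled != sent:  # rule stated in the obstat Explanation
        findings.append(f"outbound: handled ({handled}) != sent to VPNS ({sent})")
    for name, value in stats.items():
        if ("failed" in name or "discarded" in name) and value != 0:
            findings.append(f"outbound: {name} = {value}")
    return findings

def check_inbound(stats: Dict[str, int]) -> List[str]:
    findings = []
    raw = stats["Total packets recv with VPN RAW IP protocol"]
    to_vpna = stats["Total packets recv with destination VPNA"]
    ok = stats["Total packets handled successfully"]
    if raw != to_vpna:  # assumed: every raw IP packet should be addressed to the VPNA
        findings.append(f"inbound: raw IP received ({raw}) != destined to VPNA ({to_vpna})")
    if to_vpna != ok:   # assumed: every received packet should be handled
        findings.append(f"inbound: received ({to_vpna}) != handled successfully ({ok})")
    for name, value in stats.items():
        if "failed" in name and value != 0:
            findings.append(f"inbound: {name} = {value}")
    return findings

def audit(obstat_text: str, ibstat_text: str) -> List[str]:
    """All findings for one obstat / ibstat pair; an empty list means no anomaly."""
    return check_outbound(parse_stats(obstat_text)) + check_inbound(parse_stats(ibstat_text))

if __name__ == "__main__":
    print("manual samples:", audit(SAMPLE_OBSTAT, SAMPLE_IBSTAT) or "no findings")
    for finding in audit(SAMPLE_OBSTAT, DEGRADED_IBSTAT):
        print("degraded:", finding)
```

The counters are cumulative since the last VPNA reset, so a non-zero failure counter is only meaningful together with its rate of change; running the audit on two snapshots taken some minutes apart and diffing the parsed dictionaries shows whether the failures are ongoing.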

7.2.8 VIEW Configuration

Command Name

View

Purpose

To display the VPNA configuration. The view command lists the VPNA
configuration parameters and their values.

Syntax

view

Example

The following message is displayed when the command is issued:

VPNA10>view
VPNA Boot parameters:

NAME VALUE STATUS

Parameters Authenticity [0xda5ac011] [VALID]
-----------------------------------------------------------------
GENERAL
======================
boot_mode [FLASH] (0x2)
Server_IP [100.100.100.100]
VPNA_IP [172.23.123.123]
transfer_type [TFTP] (0x1)
timeout [10] [seconds]
boot_file_name []
config_file_name []
-----------------------------------------------------------------
OPERATIONAL
======================
NAME VALUE STATUS
==============================================================

vpna_active_boot_bank [0xb0011a1d] [A]

BANK A
vpna_boot_A_valid [0xda5ac011] [VALID]
crc_boot_A [0x593f2b] [VALID]
len_boot_A [0x2f3a60] [Bytes]
label_boot_A [Config_08-01-06]

BANK B

vpna_boot_B_valid [0xda5ac011] [VALID]
crc_boot_B [0x593f2b] [VALID]
len_boot_B [0x2f3a60] [Bytes]
label_boot_B [CONFIG_1013-8-1-06]
-----------------------------------------------------------
CONFIGURATION
================================
NAME VALUE STATUS
==============================================================

vpna_active_confg_bank [0xc0066b1e] [A]

BANK A
vpna_config_A_valid [0xda5ac011] [VALID]
crc_config_A [0x79f98f84] [VALID]
len_config_A [35039] [Bytes]
label_config_A [config1]

BANK B
vpna_config_B_valid [0xda5ac011] [VALID]
crc_config_B [0x42a751ad] [VALID]
len_config_B [35039] [Bytes]
label_config_B [config1]
==============================================================
view

7.3 NAT Commands

7.3.1 IP NAT LNK

The ip nat lnk command displays all active NAT links.

7.3.2 NAT CFG

The ip nat cfg command displays VPNA static NAT configuration.

7.3.3 NAT DFG

The ip nat dfg command displays VPNA dynamic NAT configuration.

7.3.4 NAT HLIST

The ip nat hlist command displays VPNA dynamic NAT table as it appears at
the time of issuing the command.

7.4 VPNA Redundancy Commands

7.4.1 REDUN STAT

The redun stat command displays the status of the current and remote VPNA
units.

NOTE
The redun main and redun listen commands are used for debugging
and are for internal use only.

8. Cisco VPN Server Configuration

To configure the Cisco VPN Server, run a configuration file similar to the one shown
in Section 8.1 VPN Server Configuration. Refer to Section 8.1.1 Router
Configuration without Comments for an example of router configuration without
comments.

By default, the VPN Server looks for these files locally. In these listings, comments
are preceded by Remark, are in italics and are grayed out.

8.1 VPN Server Configuration

This section contains a sample configuration for the VPN Server (VPNS). Typically
VPN Server is a Cisco router.

Refer to Section 8.1.1 Router Configuration without Comments for an example of
router configuration without comments.

This configuration of the VPNS is taken from the sample SkyEdge setup described in
Section 2.4 SkyEdge VPN Sample Setup and IP Addresses.

Figure 88: SkyEdge VPN Sample Setup

VPNS configuration:

Remark: In this setup we have one router terminating the VPN
connection. This configuration file is for the VPN router that is
terminating the VPN.
!
ip subnet-zero
!
Remark: The crypto map isakmp defines the IKE process. Each
policy defines a different option. In this configuration, we
enable all 4 options for DES - 3DES - MD5 - SHA1 The IKE
configuration is automatic. The VSAT is configured first. While
trying to connect, it will try all IKE options until it reaches
the correct one, only after that it will continue for the IPSec
information
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2

Remark: This defines the shared secret key for each peer (VSAT).
There must be a separate
line for every peer.
!
crypto isakmp key 12345678 address 10.10.2.1

!
Remark: The following 4 lines enable the 4 ipsec options for DES,
3DES, MD5, and SHA1 The ipsec configuration must be configured
per VSAT. It will not be automatic. This is why we bind every
crypto map to a specific ipsec transform set.
!
crypto ipsec transform-set test esp-3des esp-md5-hmac

Remark: In the following crypto map we bind a specific peer (VSAT)
with an access list (120) and an ipsec transform set. The match
address command defines the local secure group and remote secure
group for the ipsec tunnel. Every crypto map must have a different
name (11, 12, 13, etc.). There will be one crypto map per peer.
!
crypto map nolan 11 ipsec-isakmp
set peer 10.10.2.1
set transform-set test
match address 120

!
call rsvp-sync
!

Remark: We enable the creation of an ipsec tunnel on interface 0/0
!
interface Ethernet0/0
ip address 172.24.4.254 255.255.0.0
half-duplex
crypto map nolan
!
interface Ethernet0/1
ip address 10.2.2.254 255.255.255.0
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
Remark: Default gateway configuration (DPS is defined as the VPNS
default gateway)
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.24.4.1
ip http server
!
Remark: These access lists define the local and remote secure
groups for every peer (VPNA and VSAT).
!
access-list 120 permit ip host 10.2.2.2 host 10.10.2.1
dial-peer cor custom
!!
line con 0
line aux 0
line vty 0 4
password gilat
login
!
end

Router#

NOTE
Verify that the VPNS configuration does not contain the
default gateway IP line.

8.1.1 Router Configuration without Comments

This section contains an example of the VPNS configuration for Cisco router without
comments. This example can be copied to the router as is.

CAUTION
Review the configuration below prior to copying it to the VPNS router.

The router configuration appears on the next page.

config t
!
ip subnet-zero
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key 12345678 address 10.10.2.1
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer 10.10.2.1
set transform-set test
match address 120
!
call rsvp-sync
!
interface Ethernet0/0
ip address 172.24.4.254 255.255.0.0
half-duplex
crypto map nolan
!
interface Ethernet0/1
ip address 10.2.2.254 255.255.255.0
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.24.4.1
ip http server
!
access-list 120 permit ip host 10.2.2.2 host 10.10.2.1
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
password gilat
login
!
end
!
wr mem
!
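The Remarks in Section 8.1 state the per-peer rules the VPNS configuration must satisfy: one crypto map entry per VSAT peer, each with its own sequence number, a separate crypto isakmp key line for every peer, every entry bound to an existing transform set and to an access list that defines the secure groups for that peer, and the map applied to the interface that terminates the tunnels. The following script is an added example (not Gilat code or a Cisco tool) that parses an IOS listing such as the one above and reports any entry that breaks those rules, which is the review the CAUTION asks for before the listing is copied to the router. The parsing covers only the command forms that appear in this manual; the sample is the manual's own listing trimmed to the relevant lines, and the second, broken listing is constructed.

```python
"""Check per-peer IKE/IPsec bindings in a Cisco IOS VPNS configuration (added example)."""
from typing import Dict, List, Tuple

# The manual's "Router Configuration without Comments", trimmed to the checked lines.
SAMPLE_VPNS_CONFIG = """\
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key 12345678 address 10.10.2.1
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer 10.10.2.1
set transform-set test
match address 120
!
interface Ethernet0/0
ip address 172.24.4.254 255.255.0.0
half-duplex
crypto map nolan
!
access-list 120 permit ip host 10.2.2.2 host 10.10.2.1
"""

# Constructed: a second VSAT added with a map entry but no isakmp key and no access list.
BROKEN_CONFIG = SAMPLE_VPNS_CONFIG + """\
!
crypto map nolan 12 ipsec-isakmp
set peer 10.10.2.2
set transform-set test
match address 121
"""

def parse_config(text: str) -> dict:
    cfg = {"keys": {}, "transform_sets": set(), "maps": [], "acls": {}, "applied": {}}
    current_map = None   # the 'crypto map <name> <seq>' entry being filled
    current_if = None    # the 'interface' block being read
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            current_map = current_if = None   # '!' closes a crypto map or interface block
            continue
        if tok[:3] == ["crypto", "isakmp", "key"] and len(tok) >= 6 and tok[4] == "address":
            cfg["keys"][tok[5]] = tok[3]                       # peer address -> pre-shared key
        elif tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) >= 4:
            cfg["transform_sets"].add(tok[3])
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[4] == "ipsec-isakmp":
            current_map = {"name": tok[2], "seq": tok[3], "peer": None, "transform": None, "acl": None}
            cfg["maps"].append(current_map)
        elif tok[:2] == ["crypto", "map"] and len(tok) == 3 and current_if:
            cfg["applied"][tok[2]] = current_if                # map applied to an interface
        elif tok[0] == "interface" and len(tok) == 2:
            current_if = tok[1]
        elif current_map is not None and len(tok) >= 3 and tok[1] in ("peer", "transform-set", "address"):
            current_map[{"peer": "peer", "transform-set": "transform", "address": "acl"}[tok[1]]] = tok[2]
        elif tok[0] == "access-list" and len(tok) >= 8 and tok[2:5] == ["permit", "ip", "host"] and tok[6] == "host":
            cfg["acls"].setdefault(tok[1], []).append((tok[5], tok[7]))   # (local host, remote host)
    return cfg

def validate(text: str) -> List[str]:
    cfg = parse_config(text)
    findings, seen, bound_peers = [], set(), set()
    for m in cfg["maps"]:
        label = f"crypto map {m['name']} {m['seq']}"
        if (m["name"], m["seq"]) in seen:
            findings.append(f"{label}: sequence number used twice")
        seen.add((m["name"], m["seq"]))
        if not m["peer"]:
            findings.append(f"{label}: no 'set peer'")
            continue
        bound_peers.add(m["peer"])
        if m["peer"] not in cfg["keys"]:
            findings.append(f"{label}: no 'crypto isakmp key ... address {m['peer']}'")
        if m["transform"] not in cfg["transform_sets"]:
            findings.append(f"{label}: transform set {m['transform']} is not defined")
        acl = cfg["acls"].get(m["acl"])
        if acl is None:
            findings.append(f"{label}: access-list {m['acl']} is not defined")
        elif not any(remote == m["peer"] for _, remote in acl):
            findings.append(f"{label}: access-list {m['acl']} names no remote host {m['peer']}")
        if m["name"] not in cfg["applied"]:
            findings.append(f"{label}: map {m['name']} is not applied to any interface")
    for peer in cfg["keys"]:
        if peer not in bound_peers:
            findings.append(f"isakmp key for {peer} has no crypto map entry")
    return findings

if __name__ == "__main__":
    print("manual listing:", validate(SAMPLE_VPNS_CONFIG) or "no findings")
    for finding in validate(BROKEN_CONFIG):
        print("broken listing:", finding)
```

An isakmp key with no crypto map entry is reported as well, since a leftover key for a decommissioned VSAT keeps that peer's pre-shared secret alive on the router with nothing using it.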

9. Basic Troubleshooting Procedures

This section describes the following troubleshooting procedures:

• Troubleshooting VPNA Installation

• General Troubleshooting Procedures

• Using VPNS Debugger

9.1 Troubleshooting VPNA Installation

After completing the installation and configuration of the VPNA and VPNS at the
Customer’s site and VSATs at the Central Hub site, the engineer should perform the
following basic troubleshooting procedures:

1. Verify that the VPN LED on the VSAT Front panel is green. The VPN LED
turns on when the VPN network is fully configured and after the VSAT is reset.
During normal operation, the VPN LED should be on indicating that the VPN
tunnel is operational.

Figure 89: VPN LED on the VSAT Front Panel

2. Issue a ping command from the VSAT to the VPNA and VPNS application
interface.

3. Issue a ping command from the VSAT to the Data Server at the Customer’s Site.

4. Perform FTP download/upload from the VSAT to the Data Server at the
Customer’s Site.

9.2 General Troubleshooting Procedures

This section provides a brief description of the VPNA general troubleshooting
procedures:

• VPNA Flash boot mode and NMS Commit command

− This issue is relevant only when VPNA is operating in the VPNA Flash boot
mode. When VPNA is operating in the VPNA Automatic Flash boot mode,
the recommended mode, this issue is not relevant.

− When VPNA is operating in the Flash boot mode and is connected to the
SkyEdge NMS, the NMS Commit command will not export the VPNA
Config.xml file to the VPNA. In this case, the user should load the VPNA
Configuration file manually to the VPNA device as described in Sections
5.8 and 5.9.

• VPNA upgrade from version 2.x.y.z to a higher version

− When upgrading VPNA from version 2.x.y.x to a higher version, verify that
the Booter version is also 2.x.x.x.

− For a detailed procedure on the VPNA upgrade from version 2.x.y.z and
higher, refer to the Upgrading VPNA from Version 0.2.x.y.z to a Higher
Version guide (DC-414710).

• VPNA Configuration File

− The Config.xml (otherwise known as Config or XML) file is the VPNA
configuration file that is created by configuring VPNA on the SkyEdge
NMS and issuing the Commit command (as described in Section 3.7
Committing VPNA Configuration and Creating VPNA Config.xml File).

• VPNA_x.w.y.z_Template.xml

− The VPNA_x.w.y.z_Template.xml file is included in the VPNA pack file.
The VPNA_x.w.y.z_Template.xml file is not the VPNA Configuration file
and should not be uploaded to the VPNA Flash bank under any
circumstances.

• The bootchange command in the VPNA Manual mode

− In the non-redundant VPNA setups, the inet on ethernet parameter (part of
the bootchange command) should be set to the VPNA Virtual IP address
as it appears in the General parameters section of the VPNA Configuration
file. The default value is 172.23.123.123.

− In the redundant VPNA setups, the inet on ethernet parameter (part of the
bootchange command) should be set to the VPNA Private IP address as it
appears in the Redundancy parameters section of the VPNA Configuration
file. The default Private IP address for the first VPNA card is 172.17.4.2
and 172.17.4.3 for the second VPNA card.

− For a detailed procedure, refer to Section 5.5 Configuring VPNA IP
Addresses.

• The ferase user flash command

− If for any reason the command ferase user_flash (not
ferase_user_flashX, where X is a number [1..4]) was executed, it will be
necessary to reinstall VPNA. Refer to Gilat Technical Support for
further information.

9.3 Using VPNS Debugger

This section explains how to use the VPNS debugger for SkyEdge VPN tunnels.

To switch on the VPNS debugger tool:

1. Open the VPNS console.

2. Enter the enable mode.

3. In the enable mode, type debug crypto ipsec.

Result: The Crypto IPSEC debugging is on message is displayed.

4. In the enable mode, type debug crypto isakmp

Result: The Crypto ISAKMP debugging is on message is displayed.

5. In the enable mode, type debug crypto routing.

Result: The Crypto Routing debugging is on message is displayed.

VPNS#debug crypto ipsec
Crypto IPSEC debugging is on
VPNS#debug crypto isakmp
Crypto ISAKMP debugging is on
VPNS #debug crypto routing
Crypto Routing debugging is on
Figure 90: Switching on VPNS Debugger

Result: The VPNS debugger tool is switched on. All VPNS activities will be
tracked on the screen until the debugger is switched off.

Nov 1 08:51:58.209: ISAKMP (0:0): received packet from 10.10.3.1 dport
500 sport 500 Global (N) NEW SA
Nov 1 08:51:58.209: ISAKMP: Found a peer struct for 10.10.3.1, peer port
500
Nov 1 08:51:58.209: ISAKMP: Locking peer struct 0x652DAA5C, IKE refcount
1 for crypto_isakmp_process_block
Nov 1 08:51:58.209: ISAKMP: local port 500, remote port 500
Nov 1 08:51:58.209: insert sa successfully sa = 64C4E8DC
Nov 1 08:51:58.209: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER,
IKE_MM_EXCH
Nov 1 08:51:58.209: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State
= IKE_R_MM1
Nov 1 08:51:58.213: ISAKMP:(0:0:N/A:0): processing SA payload. message
ID = 0
Nov 1 08:51:58.213: ISAKMP:(0:0:N/A:0):Looking for a matching key for
10.10.3.1 in default
Nov 1 08:51:58.213: ISAKMP:(0:0:N/A:0): : success
Nov 1 08:51:58.213: ISAKMP:(0:0:N/A:0):found peer pre-shared key
matching 10.10.3.1
Nov 1 08:51:58.213: ISAKMP:(0:0:N/A:0): local preshared key found
Figure 91: Excerpt from the VPNS Debugger

To switch off the VPNS debugger tool:

1. At the enable prompt, type no debug all.

Result: The All possible debugging has been turned off message is displayed.

VPNS #no debug all
All possible debugging has been turned off

2. The VPNS debugger tool is switched off.
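While the debugger is on, the ISAKMP lines scroll past faster than they can be read, and on a hub with many VSATs the question is usually which peers attempted IKE and whether the router found a pre-shared key for each of them. The following script is an added example (not Gilat or Cisco code) that summarises debug crypto isakmp output per peer: the address that sent the NEW SA packet, the state transitions that followed, and whether a matching pre-shared key was found. The first sample is the manual's Figure 91 excerpt with its wrapped lines rejoined; the second sample is constructed for a peer with no key configured, and the wording of its last line is an assumed IOS message, not one shown in this manual.

```python
"""Summarise 'debug crypto isakmp' output per peer (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The manual's Figure 91 excerpt (wrapped lines rejoined).
SAMPLE_DEBUG = """\
Nov 1 08:51:58.209: ISAKMP (0:0): received packet from 10.10.3.1 dport 500 sport 500 Global (N) NEW SA
Nov 1 08:51:58.209: ISAKMP: Found a peer struct for 10.10.3.1, peer port 500
Nov 1 08:51:58.209: ISAKMP: local port 500, remote port 500
Nov 1 08:51:58.209: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 1 08:51:58.209: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
Nov 1 08:51:58.213: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Nov 1 08:51:58.213: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.10.3.1 in default
Nov 1 08:51:58.213: ISAKMP:(0:0:N/A:0): : success
Nov 1 08:51:58.213: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.10.3.1
Nov 1 08:51:58.213: ISAKMP:(0:0:N/A:0): local preshared key found
"""

# Constructed: a peer for which no key is configured. The 'No pre-shared key' text is
# an assumed IOS message, not taken from this manual.
SAMPLE_DEBUG_UNKNOWN_PEER = """\
Nov 1 08:52:10.101: ISAKMP (0:0): received packet from 10.10.9.9 dport 500 sport 500 Global (N) NEW SA
Nov 1 08:52:10.101: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
Nov 1 08:52:10.105: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.10.9.9 in default
Nov 1 08:52:10.105: ISAKMP: No pre-shared key with 10.10.9.9!
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+):")
NEW_SA_RE = re.compile(r"received packet from " + IPV4 + r" .*NEW SA")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
KEY_FOUND_RE = re.compile(r"found peer pre-shared key matching " + IPV4)
NO_KEY_RE = re.compile(r"No pre-shared key with " + IPV4)

@dataclass
class PeerAttempt:
    peer: str
    first_seen: str
    states: List[str] = field(default_factory=list)   # new states, in order
    psk_found: Optional[bool] = None                   # None until the router reports either way

def parse_isakmp_debug(text: str) -> Dict[str, PeerAttempt]:
    attempts: Dict[str, PeerAttempt] = {}
    current: Optional[PeerAttempt] = None   # state lines carry no address; attribute them to the last peer seen
    for line in text.splitlines():
        ts = TS_RE.match(line)
        stamp = ts.group(1) if ts else "?"
        m = NEW_SA_RE.search(line)
        if m:
            current = attempts.setdefault(m.group(1), PeerAttempt(m.group(1), stamp))
            continue
        m = KEY_FOUND_RE.search(line) or NO_KEY_RE.search(line)
        if m:
            current = attempts.setdefault(m.group(1), PeerAttempt(m.group(1), stamp))
            current.psk_found = bool(KEY_FOUND_RE.search(line))
            continue
        m = STATE_RE.search(line)
        if m and current is not None:
            current.states.append(m.group(2))
    return attempts

def peers_without_key(attempts: Dict[str, PeerAttempt]) -> List[str]:
    """Peers that initiated IKE but for which the router reported no pre-shared key."""
    return sorted(p for p, a in attempts.items() if a.psk_found is False)

if __name__ == "__main__":
    result = parse_isakmp_debug(SAMPLE_DEBUG + SAMPLE_DEBUG_UNKNOWN_PEER)
    for peer, attempt in result.items():
        print(peer, attempt.first_seen, attempt.states, attempt.psk_found)
    print("no key configured for:", peers_without_key(result))
```

The per-peer attribution of state lines is by position (the most recently seen address), which is exact for the single-peer excerpt above and an approximation when several VSATs negotiate at once; the ISAKMP SA identifier in the parentheses would be needed to separate interleaved exchanges.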

10. Appendix A - VPNA Boot Modes

Only one Boot mode can be operational at any time. The default Boot mode after
installation is Manual. The other modes determine where the VPNA stores its files
and the actions required to ensure access to these files. After completing the
installation, the VPNA boot mode should be set to Automatic Flash.

VPNA boot modes are as follows:

• Automatic External: The Booter downloads the operational software, loads it in
memory, and executes it. The VPNA program downloads the configuration file.
The user must specify the Server IP address and the full path name of the files to
be downloaded. An FTP/TFTP Server connected to the same LAN as the VPNA
control port must be available on another PC.

• Manual: When the Booter stops, the user can modify configuration parameters.

• Automatic Flash: The Booter reads operational software from the active
operational flash bank, loads it in memory, and executes it. The VPNA
application reads the configuration file from the active configuration flash bank.
The user must specify the active operational and configuration flash banks and
must upload the operational and configuration files to flash via http (Web) or
TFTP/FTP (CLI). This is the default VPNA boot mode.

• Bootp: The Booter receives the VPNA control IP address via a BOOTP request
and continues as described in Automatic External mode. The Server IP address
and the file paths are in the BOOTP reply and are loaded automatically. This
mode is usually not available at the customer site.

11. Appendix B - Switching to the VPNA Manual Boot Mode via the Web

To configure the VPNA to operate in Manual mode:


1. On the Laptop connected to the VPNA, open the VPNA SkyManage page.

2. Type the VPNA Management IP address as the URL address:
http://<VPNA management IP address>. The default value is 172.23.123.123.

Result: The SkyManage VPNA Configuration page is displayed.

3. Push the VPNA Power button. If the VPNA is already powered on, reboot the
VPNA as described in Section 5.11 Rebooting VPNA.

Result: The VPNA starts its power-up sequence and the SkyManage VPNA
Configuration page is updated.

Figure 92: Welcome to Gilat VPNA Configuration

4. The SkyManage VPNA Status page provides information about the VPNA status.
After the VPNA is switched on, it enters the Flash Boot mode as shown in
Figure 92.

The Operation time parameter indicates how long the VPNA has been in the
current operation mode. The Countdown (sec) till boot loads operational
software indicates how long it will take until the boot mode loads completely. For
more information about the VPNA Status page, refer to Section 7.1.1 VPNA
Status.

5. Click Stop before the Countdown timer expires.

Result: The Auto boot process has been stopped message is displayed.

Figure 93: Stopping Auto VPNA Boot Process

6. The VPNA switches to the Manual Boot mode as can be seen in the VPNA Status
page.

Figure 94: Checking VPNA Status

12. Appendix C – Selecting Automatic Flash Boot Mode from the VPNA Console

This section describes how to select VPNA boot mode manually via the VPNA
console. This procedure should be used only if an error was received during the
programming boot mode procedure as described in
Section 5.10 Selecting Automatic Flash Boot Mode from the Web.

To select VPNA boot mode manually:

1. On the Laptop, open the VPNA console connection.

2. At the VPNA-BOOTER> prompt, type mode flash and press Enter.

Result: The VPNA-BOOTER> prompt is redisplayed.

3. At the VPNA-BOOTER> prompt, type reset and press Enter.

VPNA-BOOTER> mode flash ↵
VPNA-BOOTER> reset ↵
cli_func: Resetting VPNA Booter...

Result: The VPNA card is reset. The VPNA<CPA> prompt is displayed after
the VPNA power-up sequence is completed.
