The Advanced page contains Tunnel Route, Multicast Services, Schedules, Third-Party Auth Server, RIP, and Client Certificate tabs.
8.10.4.4.1.1 Tunnel Route
Network Secure allows you to configure routes between VPN tunnels to easily connect multiple VPNs (software/hardware) to form a mesh VPN network.
You can click Add on the Tunnel Route tab to add a tunnel route. The Add Tunnel Route dialog box appears, as shown in the following figure.
Scenario: Tunnel routes are applied to the following five scenarios:
Branch-to-Branch: If both branch devices B and C are connected to HQ device A, you can configure a tunnel route to enable communication between branch devices B and C via HQ device A.
Branch-to-HQ: If branch device C is connected to secondary HQ device B, you can configure a tunnel route to enable communication between branch device C and primary HQ device A via secondary HQ device B.
Branch-to-Internet via HQ: If branch device B has no outbound interface to the internet but is connected to HQ device A, you can configure a tunnel route to allow intranet users of branch device B to access the internet via HQ device A.
Backup Across HQs: It is assumed that branch device C can access a business system C via either HQ device A or B. Generally, branch device C accesses the business system C via HQ device A. When branch device C is disconnected from HQ device A, it can access the business system C via HQ device B.
Custom: In other scenarios, you can configure tunnel routes based on your business requirements.
For example, select Branch-to-Branch and click Next.
The parameters are described as follows:
Src Subnet: Set source IP ranges and netmasks for the tunnel route.
Dst Subnet: Set destination IP ranges and netmasks for the tunnel route.
Intermediate Device: Select the VPN tunnel through which the tunnel route forwards traffic. For example, if the VPN connection between devices A and B was established with user "A", and device A must reach device C via device B, the Intermediate Device selected on device A is user "A".
Click OK to enable the tunnel route.
1. When branch-to-internet via an intermediate device is enabled, the remote VPN branch device must be deployed in gateway mode, and the local device can be deployed in either gateway or single-arm mode.
2. Before you create a tunnel route, make sure that a VPN user has been created for the VPN device on the VPN Users page or a VPN connection has been created for the VPN device on the VPN Connection page.
3. The options for Intermediate Device are the users on the VPN Users page whose templates have Concurrent Login disabled, and the connections configured on the VPN Connection page, excluding entries that are disabled or have duplicate names.
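The following Python model, added here as an illustration and not part of the Sangfor product or this guide, shows how the Src Subnet, Dst Subnet and Intermediate Device fields combine into a tunnel route lookup for the scenarios above, including the Backup Across HQs failover. The topology, subnets and tunnel names (hq_a, hq_b) are constructed; ordered first-match evaluation is an assumption of the model, not documented device behaviour.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class TunnelRoute:
    src_subnet: IPv4Network   # Src Subnet: where the traffic originates
    dst_subnet: IPv4Network   # Dst Subnet: where the traffic is going
    intermediate: str         # Intermediate Device: VPN user/connection name


# Constructed topology seen from branch device C (10.3.0.0/24):
#   - branch B (10.2.0.0/24) is reachable via HQ A        (Branch-to-Branch)
#   - business system 10.100.0.0/24 via HQ A, else HQ B   (Backup Across HQs)
#   - everything else (internet) via HQ A                 (Branch-to-Internet via HQ)
# Routes are evaluated in order, so the default route must come last.
ROUTES = [
    TunnelRoute(IPv4Network("10.3.0.0/24"), IPv4Network("10.2.0.0/24"), "hq_a"),
    TunnelRoute(IPv4Network("10.3.0.0/24"), IPv4Network("10.100.0.0/24"), "hq_a"),
    TunnelRoute(IPv4Network("10.3.0.0/24"), IPv4Network("10.100.0.0/24"), "hq_b"),
    TunnelRoute(IPv4Network("10.3.0.0/24"), IPv4Network("0.0.0.0/0"), "hq_a"),
]


def select_tunnel(routes: Iterable[TunnelRoute], src_ip: str, dst_ip: str,
                  tunnel_up: Dict[str, bool]) -> Optional[str]:
    """Return the Intermediate Device for the first matching route whose
    VPN tunnel is currently up, or None if no usable route exists.

    tunnel_up maps each Intermediate Device name to its connection state;
    a tunnel missing from the map is treated as down (fail closed).
    """
    src = IPv4Address(src_ip)
    dst = IPv4Address(dst_ip)
    for route in routes:
        if src not in route.src_subnet or dst not in route.dst_subnet:
            continue
        if tunnel_up.get(route.intermediate, False):
            return route.intermediate
        # Matching route but its tunnel is down: fall through to a backup entry.
    return None


if __name__ == "__main__":
    both_up = {"hq_a": True, "hq_b": True}
    hq_a_down = {"hq_a": False, "hq_b": True}
    print(select_tunnel(ROUTES, "10.3.0.10", "10.100.0.5", both_up))    # hq_a
    print(select_tunnel(ROUTES, "10.3.0.10", "10.100.0.5", hq_a_down))  # hq_b
    print(select_tunnel(ROUTES, "10.3.0.10", "203.0.113.9", hq_a_down))  # None
```

Because the internet route has no backup entry, losing the HQ A tunnel leaves branch C without internet access while the business system is still reachable via HQ B, which is the behaviour the Backup Across HQs scenario describes.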
8.10.4.4.1.2 Multicast Services
Sangfor devices support transmission for multicast services across tunnels to adapt to VoIP and video conference apps. The IP range and port range available for multicast services are 224.0.0.1-239.255.255.255 and 1-65535, respectively. You can define multicast services on the Multicast Services tab, as shown in the following figure.
Click Add to enter the Add Multicast Service page. In IP Range, click Add, and the Add IP Range dialog box will appear. You can set an IP range and a port range for the multicast service, as shown in the following figure.
After defining the multicast service, go to the VPN Users page and click Add. In the Add VPN User dialog box, click Add for Select Template. In the Add Template dialog box, select Enable for Multicast Service and add multicast services, as shown in the following figure.
8.10.4.4.1.3 Schedules
You can define common schedules and apply them to intranet services when you add a template on the VPN Users page. The schedules work based on the current system time on the device, as shown in the following figure.
On the Schedules tab, click Add. The Schedule dialog box appears, as shown in the following figure.
Set the schedule name to test and select time segments. The time segments highlighted in blue are effective, and others are not. Click OK.
On the VPN Users page, click More and choose Templates. In the Templates dialog box, click Add. In the next Templates dialog box, select the schedule for Intranet Services, as shown in the following figure.
8.10.4.4.1.4 Third-Party Auth Server
LDAP Server
The VPN service of Sangfor devices supports third-party LDAP authentication. If you want to enable third-party LDAP authentication, configure information about the third-party LDAP server on the LDAP Server page, including Server IP, Server Port, and Admin Password, as shown in the following figure.
Click Show More next to Advanced and configure the advanced options as required, as shown in the following figure.
RADIUS Server
The VPN service of Sangfor devices supports third-party RADIUS authentication. If you want to enable third-party RADIUS authentication, configure information about the third-party RADIUS server on the RADIUS Server page, including Server IP, Server Port, Shared Key, and Protocol, as shown in the following figure.
RIP
You can enable Routing Information Protocol (RIP) to allow a Sangfor device to advertise routing information to other routers so that routing information on intranet routers can be dynamically updated, as shown in the following figure.
The parameters are described as follows:
Enable RIP: Specify whether to enable dynamic route updates based on RIP. If you check Enable RIP, the Sangfor device advertises the routes of peer devices that have established VPN connections with it to the specified intranet router. The routing tables of other devices are updated, and a route to the VPN peer device via the Sangfor device is added. If the VPN connection fails, the router is instructed to delete the route.
IP Address: Enter the IP address of the router to which route updates will be advertised.
Update Interval: The interval between periodic route updates. Because the Sangfor device triggers a route update whenever a route changes, this parameter has no effect in that case.
Verification Required: Specify whether a password is required for exchanging RIP packets.
8.10.4.4.1.5 Client Certificate
The certificate authentication system based on hardware features is one of Sangfor's patented inventions. Sangfor devices also use this technology for authentication among VPN nodes. The client certificate of a Sangfor device is an encrypted certificate generated based on the hardware features of the device. The client certificate is unique and unforgeable because of the uniqueness of the device's hardware features. The hardware features are verified so that only the specified device is authorized to access the network. This helps avoid security risks.
You can click Client Certificate to generate a client certificate and store it on your local computer, as shown in the following figure.
Send the client certificate to the HQ device administrator. When you add a VPN user, the HQ device administrator can select the client certificate for authentication and bind the user to the client certificate.