One of the most common methods used to connect to Travelport's host systems (Apollo, Galileo and Galileo IDS) is via a site to site VPN. Travelport refers to this as a customer managed VPN (formerly "un-managed VPN") because Travelport does not provide the internet connection, nor does it provide or manage the router or firewall used to establish the VPN to the Apollo or Galileo host systems.
Requirements
- Broadband Internet connection. Figure 8K of bandwidth for every 20 people accessing Travelport's Apollo or Galileo host systems.
- Router or Firewall capable of supporting a site to site VPN using a pre-shared key. The device you choose must support the following:
- IPSec VPN
- A pre-shared key (supplied after contract signing)
- 3DES encryption
- ESP encapsulation
- SHA1 secure hash algorithm (1024 bit)
- Diffie-Hellman Group 2 for the key exchange
- Aggressive Mode for most SOHO routers
- Main Mode for higher end firewalls and routers
- Disable PFS
- Phase 1 Lifetime = 86400
- Phase 2 Lifetime = 86400 <-- note, this setting may not be available in all routers/firewalls
- isakmp keepalives 180 60 (for Cisco FOS 6.3.x), or
- isakmp keepalive threshold 180 retry 10 (for Cisco FOS 7.x and above)
- Note, some routers/firewalls will only allow you to enable keepalives without a setting.
- And, in most cases, Policy NAT.
- Must have read and agreed to the conditions outlined in the Un-Managed VPN Support Agreement.
What is Policy NAT and why would you use it?
Some background may help here.
In order to avoid IP addressing conflicts, Travelport assigns private, non-routable IP addresses to the mainframe sessions we provide our customers. Typically Travelport assigns a small 27-bit subnet (255.255.255.224). Travelport's customers are welcome to use this subnet for their LAN IP addressing.
If the Travelport subnet is used for the LAN addressing, then Policy NAT is not used. In this case, many inexpensive SOHO (small office, home office) routers such as the Linksys RV042 and NETGEAR FSV338 can be used for your site to site VPN to Travelport. Sample configurations for a limited number of this type of router are available here. Contact your local Travelport technical representative if you are considering this option.
If the subnet assigned by Travelport is not used for the LAN addressing, then the router or firewall used MUST support what Cisco refers to as "Policy NAT". Policy NAT means that while the IP addresses on the LAN may be something like 192.168.1.x, network traffic sent to Travelport will appear to come from the subnet Travelport assigned to the customer; traffic to any other destination is left untranslated. In the example below, the office LAN is using 192.168.1.x, but to Travelport, it appears as if the customer is using IP addresses between 10.192.46.129 and 10.192.46.128.
What does Policy NAT look like?
For the drawing that goes with the sample configurations below, click here. This drawing is best viewed using Internet Explorer v7.0, which allows you to pan and scroll the document. Other browsers will display the page properly, but without these additional features.
Sample configurations of Policy NAT using Cisco equipment.
Keep in mind that these examples were done using current FOS or IOS software. The version number is included at the top of each example.
Caveats
- It's not possible for Travelport to provide sample configurations of Policy NAT for every brand and model of router or firewall.
- Travelport employees cannot do the router or firewall configuration for our customers.
- If you elect to connect to Travelport's systems using an "un-managed VPN", you must work with the technical support people for the particular router or firewall you select.
- While the sample configurations included here are from working routers and firewalls, the Travelport subnet in the examples has been changed to non-working numbers. Substitute the subnet Travelport assigns you for the IP addressing shown in the examples, and substitute your own LAN subnet for the 192.168.1.x addresses in the examples.
- Travelport assumes no responsibility, explicit or implied, for any problems you may have configuring your routers or firewalls. We recommend you either have qualified staff or hire qualified people to perform the configuration work.
- While Galileo Desktop will work with port address translation or "global NAT", the device running Galileo's Print Manager software MUST have a one-to-one static NAT relationship between its real LAN IP address and a Travelport assigned IP address.
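The following is an added example, not one of Travelport's sample configurations, showing how the Policy NAT described above and the one-to-one static mapping required for the Print Manager host fit together with the tunnel parameters listed under Requirements, in Cisco PIX/ASA 7.x syntax. All addresses are constructed placeholders: the LAN is 192.168.1.0/24, the Travelport-assigned subnet is 10.192.46.128/27 (use the one Travelport assigns you), the Travelport host network is 203.0.113.0/24 and the VPN peer is 198.51.100.1 (both stand in for the values in your contract), and the Print Manager PC is assumed to be 192.168.1.50.

```cisco
! Added example (not Travelport's sample config): PIX/ASA 7.x policy NAT for a customer managed VPN
! Constructed addressing:
!   Office LAN                192.168.1.0/24
!   Travelport-assigned /27   10.192.46.128 255.255.255.224  (substitute your assigned subnet)
!   Travelport host network   203.0.113.0/24   (placeholder for the addresses in your contract)
!   Travelport VPN peer       198.51.100.1     (placeholder)
!   Print Manager PC          192.168.1.50 -> fixed Travelport address 10.192.46.140

! Phase 1: pre-shared key, 3DES, SHA1, Diffie-Hellman group 2, 86400 second lifetime
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Peer definition; the key is supplied by Travelport after contract signing
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-FROM-TRAVELPORT>
 isakmp keepalive threshold 180 retry 10

! Phase 2: ESP with 3DES/SHA1, 86400 second lifetime; PFS is not set, so it stays disabled
crypto ipsec transform-set TP-3DES-SHA esp-3des esp-sha-hmac

! The crypto ACL matches the TRANSLATED source (the Travelport subnet), not 192.168.1.x,
! because NAT is applied before the packet is matched against the crypto map
access-list TP-VPN extended permit ip 10.192.46.128 255.255.255.224 203.0.113.0 255.255.255.0

crypto map TP-MAP 10 match address TP-VPN
crypto map TP-MAP 10 set peer 198.51.100.1
crypto map TP-MAP 10 set transform-set TP-3DES-SHA
crypto map TP-MAP 10 set security-association lifetime seconds 86400
crypto map TP-MAP interface outside

! Policy NAT: only traffic whose destination is Travelport is translated.
! Static policy NAT is evaluated before dynamic NAT, so the Print Manager host
! always appears as the same single address (the one-to-one relationship it needs).
access-list TP-PRINTMGR extended permit ip host 192.168.1.50 203.0.113.0 255.255.255.0
static (inside,outside) 10.192.46.140 access-list TP-PRINTMGR

! Every other Galileo Desktop PC is PATed behind one address from the assigned subnet,
! which the page notes is sufficient for Galileo Desktop
access-list TP-DESKTOPS extended permit ip 192.168.1.0 255.255.255.0 203.0.113.0 255.255.255.0
nat (inside) 2 access-list TP-DESKTOPS
global (outside) 2 10.192.46.129
```

Traffic from the LAN to any destination other than 203.0.113.0/24 matches neither NAT ACL and keeps its 192.168.1.x source, which is the point of using Policy NAT instead of translating everything.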
Frequently Asked Questions or "FAQ".
When should you consider this type of connection?
You should consider this solution:
- For any office location where you have five or more employees who will access Travelport's systems
- If you have multiple branch offices, at the office where your accounting system is located
- Any time you are using a Terminal Server or Citrix Server to run Galileo Desktop software
- When you are using a server with Galileo's XML Select API
Can I use non-Cisco equipment such as SonicWALL, WatchGuard, LINUX or other VPN devices for the customer end of the site to site VPN?
Yes, but keep in mind, whatever hardware you choose, it is up to you to configure the device. Travelport cannot provide assistance other than what is shown in this document.
How many customers does Travelport have using this solution?
At the beginning of 2009, there were just under 2,000 sites around the world using this type of connection.
Is this solution suitable for very large offices?
Yes. Remember that for every 20 people using Galileo Desktop to access Apollo or Galileo, only about 8K of bandwidth is used. Galileo IDS, Travelport's XML Select products, and Cornerstone's QC products are "robotics" and may require more bandwidth. If you have a truly large organization, consider backup solutions such as a second VPN to Travelport from a second site, using multiple ISPs, etc. Discuss the use of these products with your local Travelport support staff prior to implementing an "un-managed VPN" solution.