
Under Status, the word Connected should appear if the connection is successful.
The other fields reflect the information that you entered on the VPN screen
to make the connection.

If Disconnected appears under Status, as shown in Figure 6-20, some problem
exists that prevents the creation of the tunnel. Make sure that all of your wiring
is securely connected. Double-check all the values you entered on the VPN
screen to make sure they are correct. If the other end of the tunnel is some
distance from you (e.g., in another city), call to make sure that the settings on
that end of the tunnel are correct as well.

If, for any reason, you experience a temporary disconnection, the connection will
be re-established as long as the settings on both ends of the tunnel stay the same. 

Figure 6-20

EtherFast® Cable/DSL VPN Router with 4-Port 10/100 Switch

The Inbound SPI and Outbound SPI fields are different, however. The
Inbound SPI value set here must match the Outbound SPI value at the other end
of the tunnel. The Outbound SPI here must match the Inbound SPI value at the
other end of the tunnel. In the example (see Figure 6-18), the Inbound SPI and
Outbound SPI values shown would be opposite on the other end of the tunnel.
Only numbers can be used in these fields. After you click the Apply button,
hexadecimal characters (series of letters and numbers) are displayed in the
Inbound SPI and Outbound SPI fields.
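
The mirror rule above, together with the key length limits this guide gives for the Encryption Key (24 characters) and Authentication Key (20 characters), can be checked on paper values before clicking Connect. The following Python check is an added example, not Linksys code; the field names, the sample values, the requirement that both keys be identical at each end, and the plain decimal-to-hex conversion in `spi_hex` are assumptions.

```python
from dataclasses import dataclass

MAX_ENCRYPTION_KEY = 24      # guide: up to 24 alphanumeric characters
MAX_AUTHENTICATION_KEY = 20  # guide: up to 20 alphanumeric characters


@dataclass
class Endpoint:
    """One side's manual-key settings (hypothetical field names)."""
    name: str
    encryption_key: str
    authentication_key: str
    inbound_spi: str   # as typed into the form: digits only
    outbound_spi: str


def parse_spi(text):
    """Return the SPI as an int, or None if it is not a usable decimal value."""
    # isascii() rejects Unicode digits that str.isdigit() would accept.
    if not (text.isascii() and text.isdigit()):
        return None
    value = int(text)
    # An IPsec SPI is a 32-bit field and 0 is reserved for local use.
    return value if 0 < value <= 0xFFFFFFFF else None


def spi_hex(text):
    """Hex form of a decimal SPI (assumed to be what is shown after Apply)."""
    value = parse_spi(text)
    return None if value is None else format(value, "x")


def check_endpoint(ep):
    """Validate one side's fields; messages never echo key material."""
    problems = []
    keys = (("Encryption Key", ep.encryption_key, MAX_ENCRYPTION_KEY),
            ("Authentication Key", ep.authentication_key, MAX_AUTHENTICATION_KEY))
    for label, key, limit in keys:
        if not (key.isascii() and key.isalnum()):
            problems.append(f"{ep.name}: {label} is empty or not alphanumeric")
        elif len(key) > limit:
            problems.append(f"{ep.name}: {label} exceeds {limit} characters")
    spis = (("Inbound SPI", ep.inbound_spi), ("Outbound SPI", ep.outbound_spi))
    for label, spi in spis:
        if parse_spi(spi) is None:
            problems.append(f"{ep.name}: {label} must be digits only, 1 to 4294967295")
    return problems


def check_tunnel(local, remote):
    """Return a list of problems; an empty list means the two ends mirror each other."""
    problems = check_endpoint(local) + check_endpoint(remote)
    if local.encryption_key != remote.encryption_key:
        problems.append("Encryption Key differs between the two ends")
    if local.authentication_key != remote.authentication_key:
        problems.append("Authentication Key differs between the two ends")
    # Inbound on one side must equal Outbound on the other, in both directions.
    for a, b in ((local, remote), (remote, local)):
        inbound, outbound = parse_spi(a.inbound_spi), parse_spi(b.outbound_spi)
        if inbound is not None and outbound is not None and inbound != outbound:
            problems.append(
                f"{a.name} Inbound SPI {inbound} (hex {spi_hex(a.inbound_spi)}) "
                f"does not match {b.name} Outbound SPI {outbound} "
                f"(hex {spi_hex(b.outbound_spi)})")
    return problems


# Constructed sample values, not taken from Figure 6-18.
SITE_A = Endpoint("site-a", "abc123def456", "xyz789", "1000", "2000")
SITE_B = Endpoint("site-b", "abc123def456", "xyz789", "2000", "1000")
# Common mistake: the remote side copies the SPI fields instead of swapping them.
SITE_B_COPIED = Endpoint("site-b", "abc123def456", "xyz789", "1000", "2000")

if __name__ == "__main__":
    for line in check_tunnel(SITE_A, SITE_B_COPIED) or ["settings mirror each other"]:
        print(line)
```
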

Once you are satisfied with all your settings, click the Apply button. If you
make any mistakes, clicking the Cancel button will exit the screen without
saving any changes, provided that you have not already clicked the Apply button.

After the VPN device is set up at the other end of the tunnel, you may click the
Connect button to use the tunnel. This assumes that both ends of the tunnel
have a physical connection to each other (e.g., over the Internet or physical
wiring). After clicking the Connect button, click the Summary button. If
the connection is made, the screen shown in Figure 6-19 will appear:

Figure 6-18

Figure 6-19

Instant Broadband® Series


Summary of Contents for BEFVP41 - EtherFast Cable/DSL VPN Router

Page 1: ...Instant Broadband Series EtherFast Cable DSL VPN Router with 4 Port 10 100 Switch Use this guide to install BEFVP41 User Guide ...

Page 2: ...SYS DOES NOT OFFER REFUNDS FOR ANY PRODUCT Linksys makes no warranty or representation expressed implied or statuto ry with respect to its products or the contents or use of this documentation and all accompanying software and specifically disclaims its quality performance mer chantability or fitness for any particular purpose Linksys reserves the right to revise or update its products software or...

Page 3: ...r Network 12 Configuring Your PCs to Connect to the Cable DSL VPN Router 12 Configuring the Cable DSL VPN Router 14 Chapter 6 The Cable DSL VPN Router s Web based Utility 19 Logging into the Web based Utility 19 Setup 20 VPN 25 Password 27 Status 28 DHCP 40 Log 42 Help 43 Filters 46 Forwarding 49 Dynamic Routing 51 Static Routing 52 DMZ Host 54 MAC Address Cloning 55 Appendix A Troubleshooting 56 ...

Page 4: ...set up and use making the Instant Broadband EtherFast Cable DSL VPN Router the perfect solution for your broadband needs Full IPSec Virtual Private Network VPN capability Supports 56 Bit DES and 168 Bit 3DES Encryption Algorithms Supports MD5 and SHA Authentication Supports IKE Key Management Hardware Security Co Processor Inside Supports Up to 70 Simultaneous Tunnels Compatible with other IPSec V...

Page 5: ...uch as the Internet Tools for just this kind of activity such as protocol analyzers and network diagnostic tools are often built into operating systems and allow the data to be viewed in clear text 3 Man in the middle attacks Once the hacker has either sniffed or spoofed enough information he can now perform a man in the middle attack This attack is performed when data is being transmitted from on...

Page 6: ...er the two routers create a VPN tunnel encrypting and decrypting data As VPNs utilize the Internet distance is not a factor Using the VPN the telecommuter now has a secure connection to the central office s network as if he were physically connected Figure 2 1 Computer using VPN client software that supports IPSec to VPN Router The following is an example of a computer to VPN Router VPN See Figure...

Page 7: ...set Button and hold it down until the red Diag LED on the front panel turns on and off completely This will restore factory defaults and clear all of the Router s set tings including the IP addresses you entered The Reset Button is located on the Router s rear panel Figure 3 2 Chapter 3 Getting to Know the EtherFast Cable DSL VPN Router with 4 Port 10 100 Switch The rear panel of the VPN Router sh...

Page 8: ...ress You will need that address during the Router s con figuration Dynamic IP Addresses A dynamic IP address is an IP address that is automatically assigned to a client station computer printer etc in aTCP IP network Dynamic IP addresses are typically assigned by a DHCP server which can be a computer on the network or another piece of hardware such as the Router A dynamic IP address may change eve...

Page 9: ...manually assign permanent IP addresses to every device on your network DHCP software typically runs in servers and is also found in network devices such as routers Once you are sure that you have the above values on hand you can begin the installation and setup of the VPN Router 1 Power everything down including your PCs your Cable or DSL modem and the Router 2 Connect a network cable from one of ...

Page 10: ...re 5 2 Chapter 5 Configuring Your Network You must now configure your other PCs to accept the IP addresses that the VPN Router will provide 1 Click the Start button Select Settings and open the Control Panel 2 Double click the Network icon 3 In the Configuration window shown in Figure 5 1 select the TCP IP pro tocol line that has been associated with your network card adapter If there is no TCP IP...

Page 11: ... IP Address and 255 255 255 0 for the Subnet Mask Leave these settings alone Configuring the Cable DSL VPN Router Note If the TCP IP protocol is not configured on your PC go to Appendix F Installing the TCP IP Protocol for TCP IP installation instructions now Figure 5 3 Figure 5 4 4 The Router supports six connection types DHCP obtain an IP automati cally PPPoE Static IP RAS and PPTP These types a...

Page 12: ...th the Setup tab proceed to step 5 17 Instant Broadband Series 16 Static IP If your ISP says that you are connecting through a static or fixed IP address from your ISP perform these steps A Select Static IP as the WAN Connection Type Shown in Figure 5 6 B Enter the IP Address C Enter the Subnet Mask D Enter the Gateway Address E Enter the DNS in the 1 2 and or 3 fields You need to enter at least o...

Page 13: ...he settings you change on a page click the Apply button and then click the Continue button To cancel any values you ve entered on any page click the Cancel button Logging into the Web Based Utility Figure 6 2 Figure 6 1 5 If you haven t already done so click the Apply button and then the Continue button to save your Setup settings Close the web browser 6 Reset the power on your cable or DSL modem ...

Page 14: ...onfigured all of the screen s values Host Name Domain Name These fields allow you to supply a host and domain name for the Router Some ISPs require these names as identifica tion You may have to check with your ISP to see if your Broadband Internet service has been configured with a host and domain name In most cases these fields may be left blank Firmware Version This entry shows the version of t...

Page 15: ...eriod is 30 seconds Figure 6 6 PPPoE Some DSL based ISPs use PPPoE Po i n t t o Po i n t Protocol over Ethernet to establish communications with an end user If you are connected to the Internet through a DSL line check with your ISP to see if they use PPPoE If they do you will have to enable it as shown in Figure 6 5 User Name and Password Enter your ISP s User Name and Password Connect on Demand ...

Page 16: ...re Subnet Mask This is the Router s Subnet Mask as seen by external users on the Internet including your ISP Your ISP will provide you with the Subnet Mask Default Gateway Address Your ISP will provide you with the Default Gateway Address Connect on Demand and Max Idle Time You can configure the Router to cut your connection with your ISP after a specified period of time Max Idle Time If you have ...

Page 17: ...hannel between two endpoints so that the data or information between these endpoints is secure To establish this tunnel select the tunnel you wish to create in the Select Tunnel Entry drop down box It is possible to create up to 70 simultaneous tunnels Then check the box next to Enable to enable the tunnel Once the tunnel is enabled enter the name of the tunnel in the Tunnel Name field This is to ...

Page 18: ...e for a specific computer on the Internet for example vpn myvpnserver com Figure 6 14 Figure 6 15 EtherFast Cable DSL VPN Router with 4 Port 10 100 Switch Under Remote Secure Group you have two additional options Host and Any Host If you select Host for the Remote Secure Group then the Remote Secure Group will be the same as the Remote Security Gateway setting IP Address FQDN Fully Qualified Domai...

Page 19: ... the fields at the other end of the tunnel The example in Figure 6 18 shows some sample entries for both the Encryption and Authentication Key fields Up to 24 alphanumeric characters are allowed to create the Encryption Key Up to 20 alphanumeric characters are allowed to create the Authentication Key 31 Instant Broadband Series Any If you select Any for the Remote Security Gateway as shown in Figu...

Page 20: ...e set here must match the Outbound SPI value at the other end of the tunnel The Outbound SPI here must match the Inbound SPI value at the other end of the tunnel In the example see Figure 6 18 the Inbound SPI and Outbound SPI values shown would be opposite on the other end of the tunnel Only numbers can be used in these fields After you click the Apply button hexadecimal characters series of lette...

Page 21: ... create a security association SA often called the IKE SA After Phase 1 is completed Phase 2 is used to create one or more IPSec SAs which are then used to key IPSec sessions Operation Mode There are two modes Main and Aggressive and they exchange the same IKE payloads in different sequences Main mode is more common however some people prefer Aggressive mode because it is faster Main mode is for n...

Page 22: ...nce numbers as packets arrive ensuring security at the IP packet level Keep Alive Check the box next to Keep Alive to re establish the VPN tunnel connection whenever it is dropped Once the tunnel is initialized this feature will keep the tunnel connected for the specified amount of idle time Unauthorized IP Blocking Check this box to block unauthorized IP addresses Complete the on screen sentence ...

Page 23: ...first available DNS entry is used in most cases DHCP Release Click on the DHCP Release button to delete your PC s cur rent IP address DHCP Renew Click on the DHCP Renew button to replace your PC s current IP address with a new IP address DHCP Client Table Click on the Client Table button to show the current DHCP Client information This information is stored in temporary memory so the list of clien...

Page 24: ...e this blank DHCP Client Table Click on the Client Table button to show the current DHCP Client information This information is stored in temporary memory so the list of clients could disappear When finished click the Apply button and then the Continue button 41 From the DHCP screen shown in Figure 6 25 you can configure the Router as a DHCP Server A DHCP Dynamic Host Configuration Protocol Server...

Page 25: ...shown in Figure 6 26 provides you with a log of all incoming and outgoing URLs or IP addresses for your Internet connection The Log feature provides you with a log of all incoming and outgoing URLs or IP addresses for your Internet connection The Logviewer keeps track of all incoming and outgoing activity that can be saved in a text file The IP address points to the location where Logviewer is run...

Page 26: ...mware version from the Linksys website www linksys com 2 Go to the Help screen 3 Click Upgrade Firmware The page shown in Figure 6 28 will appear 5 Click the Browse button to find the firmware upgrade file that you down loaded from the Linksys website 6 Double click the firmware file you downloaded Click the Upgrade but ton and follow the instructions there To back up the Router s configuration fi...

Page 27: ... the drop down box and at the MAC number prompt enter the 12 digit MAC address you want to filter Click the Apply button followed by the Continue button and then close the window SPI Stateful Packet Inspection This feature checks the state of a packet to verify that the destination IP address matches the source IP of the original request To use the firewall select Enable otherwise select Disable t...

Page 28: ...d then click the Apply button and Continue button To disable IPSec Pass Through select Disable and then click the Apply button and Continue button Using PPTP Pass Through Point to Point Tunneling Protocol is the method used to enable VPN Virtual Private Networking tunnels To enable this feature click on Enable next to PPTP Pass Through and then click Apply and Continue button To disable this featu...

Page 29: ... 2 Choose the protocol by which you transmit TX data on the network 3 Choose the protocol by which the Router receives RX network data 4 Click the Apply button and Continue button to save your changes Dynamic Routing Figure 6 33 Using Port Triggering From the Forwarding screen click the Port Triggering button to open the Port Triggering screen shown in Figure 6 32 Port triggering allows the Router...

Page 30: ...sk deter mines which portion of an IP address is the network portion and which por tion is the host portion In the example above the Network Mask is 255 255 255 0 This determines by using the values 255 that the first three numbers of an network IP address identify this particular network while the last digit from 1 to 254 identifies the specific host Gateway IP This IP address should be the IP ad...

Page 31: ...ysical address 2 Enter those 12 digits into the WAN MAC Address fields and click the Apply button followed by the Continue button This clones your net work adapter s MAC address onto the Router and prevents you from hav ing to call your ISP to change the registered MAC address to the Router s MAC address MAC Address Cloning Figure 6 36 From the DMZ Host screen shown in Figure 6 35 you can allow on...

Page 32: ...omputer if asked 57 Instant Broadband Series 56 Appendix A Troubleshooting Common Problems and Solutions This appendix consists of two parts Common Problems and Solutions and Frequently Asked Questions Provided are possible solutions to problems regard ing the installation and operation of the Router If your situation is described here the problem should be solved by applying the corresponding sol...

Page 33: ...ernet adapter you are using and select the Properties option In the Components checked are used by this connection box highlight Internet Protocol TCP IP and click the Properties button Make sure 58 that Obtain an IP address automatically and Obtain DNS server address automatically are selected Click the OK button in the Internet Protocol TCP IP Properties win dow and click the OK button in the Lo...

Page 34: ... number from 1 to 254 Note that each IP address must be unique within the network 61 Instant Broadband Series C In the command prompt type ping 192 168 1 1 and press the Enter key If you get a reply the computer is communicating with the Router If you do NOT get a reply please check the cable and make sure Obtain an IP address automatically is selected in the TCP IP settings for your Ethernet adap...

Page 35: ...n click the Apply button and then the Continue button 63 Instant Broadband Series Your VPN may require port 500 UDP packets to be passed to the computer that is connecting to the IPSec server Refer to Problem 7 I need to set up online game hosting or use other Internet applications for details Check the Linksys website for more information at www linksys com 6 I need to set up a server behind my R...

Page 36: ... to work If you are having difficulties getting any Internet game server or application to function properly consider exposing one PC to the Internet using DeMilitarized Zone DMZ hosting This option is available when an applica tion requires too many ports or when you are not sure which port services to use Make sure you disable all the forwarding entries if you want to success fully use DMZ hosti...

Page 37: ...esh the screen until you see the login status display as Connected G Click the Apply and Continue buttons to continue If the connection is lost again follow steps E to G to re establish connection 66 15 I can t access my email web or VPN or I am getting corrupted data from the Internet The Maximum Transmission Unit MTU setting may need to be adjusted By default the MTU is set at 1500 Most DSL user...

Page 38: ...bps Ethernet It does of course support 100 Mbps over its auto sensing 10 100 ports 17 The Diag LED stays lit continuously The Diag LED lights up when the device is first powered up Meantime the system will boot up itself and check for proper operation After finishing the checking procedure the LED turns off to show that the system is working fine If the LED remains lit after this time the device i...

Page 39: ... connection and may disrupt your current connection stability Will the Router function in a Macintosh environment Yes but the Router s setup pages are accessible only through Internet Explorer 4 0 or Netscape Navigator 4 0 or higher for Macintosh 71 Instant Broadband Series 70 What is Network Address Translation and what is it used for Network Address Translation NAT translates multiple IP address...

Page 40: ...at Internet Explorer is set to Never dial a con nection For Netscape Navigator click Edit Preferences Advanced and Proxy Make sure that Netscape Navigator is set to Direct connection to the Internet What is DMZ Hosting Demilitarized Zone DMZ allows one IP address com puter to be exposed to the Internet Some applications require multiple TCP IP ports to be open You should set your computer with a s...

Page 41: ...ion actually comes at a lower cost than most VPN endpoint software packages The VPN Router will allow the users on your network to secure their data over the Internet without having to purchase the extra client licenses that other VPN hardware manufacturers and software packages will require With VPN functions handled by the router rather than your PC which software packages would require this fre...

Page 42: ...ws 2000 or Windows XP IP Address 140 111 1 2 User ISP provides IP Address this is only an example Subnet Mask 255 255 255 0 BEFSX41 WAN IP Address 140 111 1 1 User ISP provides IP Address this is only an example Subnet Mask 255 255 255 0 LAN IP Address 192 168 1 1 Subnet Mask 255 255 255 0 Introduction Environment 1 Click the Start button select Run and type secpol msc in the Open field The Local ...

Page 43: ...ences to Windows 2000 and XP Step Two Build Filter Lists 3 The IP Filter List screen should appear as shown in Figure C 4 Enter an appropriate name such as win router for the filter list and de select the Use Add Wizard check box Then click the Add button 4 The Filters Properties screen will appear as shown in Figure C 5 Select the Addressing tab In the Source address field select My IP Address In...

Page 44: ... tab and make sure that win router is highlighted Then click the Add button Figure C 6 8 The IP Filter List screen should appear as shown in Figure C 7 Enter an appropriate name such as router win for the filter list and de select the Use Add Wizard check box Click the Add button 9 The Filters Properties screen will appear as shown in Figure C 8 Select the Addressing tab In the Source address fiel...

Page 45: ...t tab selected as shown in Figure C 9 There should now be a listing for router win and win router Click the OK for WinXP or Close for Win2000 button on the IP Filter List window Figure C 9 Tunnel 1 win router 1 From the IP Filter List tab shown in Figure C 10 click the filter list win router 2 Click the Filter Action tab as in Figure C 11 and click the filter action Require Security radio button T...

Page 46: ...ct Session key Perfect Forward Secrecy and click the OK button 4 Select the Authentication Methods tab shown in Figure C 13 and click the Edit button Figure C 12 Figure C 13 5 Change the authentica tion method to Use this string to protect the key exchange pre shared key as shown in Figure C 14 and enter the preshared key string such as XYZ12345 Click the OK button 6 This new Preshared key will be...

Page 47: ... Type tab as shown in Figure C 17 and click All network connec tions Then click the OK or Close button to finish this rule Figure C 16 Figure C 17 Tunnel 2 router win 9 In the new policy s properties screen shown in Figure C 18 make sure that win router is select and deselect the Use Add Wizard check box Then click the Add button to create the second IP filter 10 Go to the IP Filter List tab and c...

Page 48: ...od Kerberos is selected as shown in Figure C 21 Then click the Edit button Figure C 20 Figure C 21 13 Change the authenti cation method to Use this string to protect the key exchange preshared key and enter the preshared key string such as XYZ12345 as shown in Figure C 22 This is a sample key string Yours should be a key that is unique but easy to remember Then click the OK button 14 This new Pres...

Page 49: ...tion Type tab shown in Figure C 25 and select All network connections Then click the OK for Windows XP or Close for Windows 2000 button to finish Figure C 24 Figure C 25 17 From the Rules tab shown in Figure C 26 click the OK button to return to the secpol screen In the IP Security Policies on Local Computer window shown in Figure C 27 right click the policy named to_router and click Assign A gree...

Page 50: ...elect IP Addr from the pull down menu beside Remote Secure Group Then enter the IP Address for this group This would be the IP Address of the remote endpoint the endpoint on the other side of the tunnel Figure C 28 Step Five Create a Tunnel Through the Web Based Utility Note Further details on this step can be found in the VPN Tab section in Chapter 6 The Cable DSL VPN Router s Web Based Utility 8...

Page 51: ...or receiving mail and accessing the Internet This happens because the Router has not been config ured by your ISP to accept their abbreviated server addresses The solution is to determine the true web addresses behind your ISPs code words You can determine the IP and web addresses of your ISP s servers by pinging them Important If you don t have your ISP s web and e mail IP Addresses you must eith...

Page 52: ...ddress will not 3 Replace your ISP s abbreviated server address with this extended web address in the corresponding Internet application web browser e mail application etc Once you have replaced the brief server address with the true server address the Router should have no problem accessing the Internet through that Internet application Figure E 2 Step One Pinging for an IP Address The first step...

Page 53: ...P IP Installation is complete Figure F 3 Figure F 2 Appendix F Installing the TCP IP Protocol the TCP IP Protocol Follow these instructions to install the TCP IP Protocol on one of your PCs only after a network card has been successfully installed inside the PC These instructions are for Windows 95 98 and Millennium For TCP IP setup under Windows NT 2000 or XP please refer to your Windows document...

Page 54: ...ter cmd Press the Enter key or click the OK button Figure G 3 Figure G 4 Note The MAC address is also called the Adapter Address Appendix G Finding the MAC Address and IP Address for Your Ethernet Adapter This section describes how to find the MAC address for your Ethernet adapter to do either MAC Filtering or MAC Address Cloning for the Router and ISP You can also find the IP address of your comp...

Page 55: ...Figure G 7 Figure G 6 Figure G 7 2 In the command prompt enter ipconfig all Then press the Enter key 3 Write down the Physical Address as shown on your computer screen it is the MAC address for your Ethernet adapter This will appear as a series of letters and numbers The MAC address Physical Address is what you will use for MAC Address Cloning or MAC Filtering The example in Figure G 5 shows the I...

Page 56: ...ikely to require the Internet connection at a particular location It s espe cially useful in education and other environments where users change fre quently Using very short leases DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses 105 Instant Broadband Series Appendix H Glossary 3DES 3DES is a variation on DES that uses a 168 bit key ...

Page 57: ... aspect of computers telecommunica tions and other information technology devices The term arose as a way to dis 107 Instant Broadband Series DHCP supports static addresses for computers containing Web servers that need a permanent IP address DMZ Demilitarized Zone Allows one IP address or computer to be exposed to the Internet Some applications require multiple TCP IP ports to be open You should ...

Page 58: ...om the program you put in it to make it do things The program came to be known as the software Hop The link between two network nodes HTTP HyperText Transport Protocol The communications protocol used to connect to servers on the World Wide Web Its primary function is to estab lish a connection with a Web server and transmit HTML pages to the client browser Hub The device that serves as the centra...

Page 59: ...between source and destination RIP is a distance vector protocol that routine ly broadcasts routing information to its neighboring routers RJ 45 Registered Jack 45 A connector similar to a telephone connector that holds up to eight wires used for connecting Ethernet devices 111 Instant Broadband Series NAT Network Address Translation The translation of an Internet Protocol address IP address used ...

Page 60: ...es care of handling 113 Instant Broadband Series Router Protocol dependent device that connects subnetworks together Routers are useful in breaking down a very large network into smaller subnet works they introduce longer delays and typically have much lower throughput rates than bridges Security Association A group of security settings related to a specific VPN tunnel Server Any computer whose fu...

Page 61: ...wnload means receive URL Uniform Resource Locator The address that defines the route to a file on the Web or any other Internet facility URLs are typed into the browser to access Web pages and URLs are embedded within the pages themselves to pro vide the hypertext links to other pages VPN Virtual Private Network A technique that allows two or more LANs to be extended over public communication chan...

Page 62: ...ROOF OF PURCHASE AND A BARCODE FROM THE PRODUCT S PACKAGING ON HAND WHEN CALLING RETURN REQUESTS CANNOT BE PROCESSED WITHOUT PROOF OF PURCHASE IN NO EVENT SHALL LINKSYS LIABILITY EXCEED THE PRICE PAID FOR THE PRODUCT FROM DIRECT INDIRECT SPECIAL INCIDEN TAL OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THE PRODUCT ITS ACCOMPANYING SOFTWARE OR ITS DOCU MENTATION LINKSYS DOES NOT OFFER REFUNDS ...

Page 63: ... Copyright 2003 Linksys All Rights Reserved http www linksys com ...
