VPN

Subject Name
This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field.

Hash Algorithm
Select the desired option.

Signature Algorithm
Select the desired option. RSA is recommended.

Signature Key Length
Select the desired option. Normally, 1024 bits provides adequate security.

 

3.  Click "Next" to continue to the following screen. 

 

Figure 86: Add Self Certificate (2) 

4.  Check that the data displayed in the Certificate Details section is correct. This data is used to generate the Certificate request. If the data is not correct, click the "Back" button and correct the previous screen.

5.  If the data is correct, copy the text in the Data to supply to CA panel to the clipboard.

6.  Apply for a Certificate:

    • Connect to the CA's web site.

    • Start the Self Certificate request procedure.

    • When prompted for the request data, copy this data (including "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----") from this screen to the CA's form.

    • Submit the CA's form.

    • If there are no problems, the Certificate will then be issued.

7.  After obtaining a new Certificate, as described above, you need to upload it to VRT-401. Click the "Next" button to see the screen below.
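The text copied in steps 5 and 6 can be checked before it is pasted into the CA's form. The following is an added example, not part of the manual or of the VRT-401 firmware: it confirms that both BEGIN/END lines survived the copy, then reads the organization name, RSA key length and signature hash out of the request so they can be compared with the Certificate Details screen. The function names, the constructed sample request (dummy modulus and signature) and the flagging policy (2048-bit minimum, MD5/SHA-1 flagged, in line with what public CAs accept today) are assumptions of this example.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
PKCS1 = bytes.fromhex("2a864886f70d0101")        # DER prefix of OID 1.2.840.113549.1.1
SIG_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
MIN_RSA_BITS = 2048                               # assumption: this example's policy threshold

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element (incomplete copy?)")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element (incomplete copy?)")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def inspect_csr(pasted):
    """Check the PEM framing, then report subject O, RSA key size and signature algorithm."""
    lines = [ln.strip() for ln in pasted.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("copied text must include the BEGIN and END CERTIFICATE REQUEST lines")
    der_bytes = base64.b64decode("".join(lines[1:-1]), validate=True)
    info, sig_alg, _signature = children(read_tlv(der_bytes)[1])
    _version, subject, spki, *_attrs = children(info[1])
    org = None
    for _, rdn in children(subject[1]):           # Name: SEQUENCE OF SET OF SEQUENCE{type, value}
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            if decode_oid(oid) == "2.5.4.10":     # organizationName
                org = val.decode("utf-8", "replace")
    bit_string = children(spki[1])[1][1]          # assumes an RSA key, as the manual recommends
    rsa_key = read_tlv(bit_string[1:])[1]         # skip the unused-bits octet
    key_bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
    oid = decode_oid(children(sig_alg[1])[0][1])
    signature = SIG_NAMES.get(oid, oid)
    warnings = []
    if key_bits < MIN_RSA_BITS:
        warnings.append(f"RSA key is {key_bits} bits, below {MIN_RSA_BITS}")
    if signature.startswith(("md5", "sha1")):
        warnings.append(f"request is signed with {signature}")
    return {"organization": org, "key_bits": key_bits, "signature": signature, "warnings": warnings}

def der(tag, content):                            # minimal DER encoder, used only for the sample
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def build_sample_csr(key_bits, sig_arc):
    """Constructed input: well-formed CSR structure with a dummy modulus and signature."""
    modulus = b"\x00" + b"\xc3" * (key_bits // 8)  # leading zero keeps the INTEGER positive
    rsa_key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    rsa_alg = der(0x30, der(0x06, PKCS1 + b"\x01") + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + rsa_key))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x0a") + der(0x0c, b"Example Co"))))
    info = der(0x30, der(0x02, b"\x00") + name + spki + der(0xa0, b""))
    sig_alg = der(0x30, der(0x06, PKCS1 + bytes([sig_arc])) + der(0x05, b""))
    csr = der(0x30, info + sig_alg + der(0x03, b"\x00" * (key_bits // 8 + 1)))
    b64 = base64.b64encode(csr).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END])
```

Calling `inspect_csr()` on text copied without its first or last line raises `ValueError` instead of returning a report.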
