
Broadband VPN Gateway User Guide 

IKE Phase 2 (IPsec SA) 

IPsec SA Life Time 

This setting does not have to match the remote VPN endpoint; the 
shorter of the two lifetimes will be used. Although measured in seconds, it is 
common to use time periods of several hours, such as 28,800 seconds. 

IPSec PFS 

If enabled, PFS (Perfect Forward Security) enhances security by 
changing the IPsec key at regular intervals and ensuring that each 
new key has no relationship to the previous key, because each rekey 
derives fresh keying material rather than reusing the earlier secret. 
Thus, compromising one key does not assist in breaking the next key. 

AH Authentication 

 

AH (Authentication Header) specifies the authentication protocol 
for the VPN header, if used.  

AH is often NOT used. If you do enable it, ensure the algorithm 
selected matches the other VPN endpoint. 

ESP Encryption 

ESP (Encapsulating Security Payload) provides security for the 
payload (data) sent through the VPN tunnel. Generally, you will 
want to enable both ESP Encryption and ESP Authentication. 

Select the desired method, and ensure the remote VPN endpoint 
uses the same method. The "3DES" algorithm provides greater 
security than "DES", but is slower. 

ESP Authentication 

Generally, you should enable ESP Authentication. There is little 
difference between the available algorithms. Just ensure that each 
endpoint uses the same setting. 
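The Phase 2 rules above reduce to a small compatibility check: the IPsec SA lifetime need not match (the shorter value wins), while PFS, AH authentication, ESP encryption and ESP authentication must be identical on both endpoints, and the guide prefers 3DES over DES with both ESP options enabled. The following Python is an added example written for this page, not the router vendor's code; the class and function names and the sample algorithm values ("3DES", "DES", "SHA1") are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2Settings:
    """IPsec SA (IKE Phase 2) parameters for one VPN endpoint.

    None in an algorithm field means that option is disabled on the endpoint.
    Field names are constructed for this example.
    """
    sa_lifetime_seconds: int
    pfs: bool
    ah_auth: Optional[str]
    esp_encryption: Optional[str]
    esp_auth: Optional[str]


def negotiate_phase2(local: Phase2Settings,
                     remote: Phase2Settings) -> Tuple[Optional[Phase2Settings], List[str]]:
    """Apply the guide's matching rules to two endpoints' Phase 2 settings.

    Returns (effective settings, list of mismatches). If any field that must
    match differs, the effective settings are None because the SA would not
    be established.
    """
    mismatches: List[str] = []

    # These fields must be configured identically on both endpoints.
    for name in ("pfs", "ah_auth", "esp_encryption", "esp_auth"):
        lv, rv = getattr(local, name), getattr(remote, name)
        if lv != rv:
            mismatches.append(f"{name}: local={lv!r} remote={rv!r} (must match)")

    if mismatches:
        return None, mismatches

    # The lifetime does not have to match: the shorter period is used.
    effective = Phase2Settings(
        sa_lifetime_seconds=min(local.sa_lifetime_seconds, remote.sa_lifetime_seconds),
        pfs=local.pfs,
        ah_auth=local.ah_auth,
        esp_encryption=local.esp_encryption,
        esp_auth=local.esp_auth,
    )
    return effective, mismatches


def review_phase2(effective: Phase2Settings) -> List[str]:
    """Flag weak choices in an agreed Phase 2 configuration, following the guide."""
    warnings: List[str] = []
    if effective.esp_encryption is None:
        warnings.append("ESP encryption disabled: tunnel payload is sent in the clear")
    elif effective.esp_encryption.upper() == "DES":
        warnings.append("ESP encryption is DES: 3DES provides greater security")
    if effective.esp_auth is None:
        warnings.append("ESP authentication disabled: payload integrity is not protected")
    if not effective.pfs:
        warnings.append("PFS disabled: successive keys are related, so one compromised key weakens the next")
    return warnings


if __name__ == "__main__":
    # Constructed sample endpoints: the remote side uses a shorter lifetime.
    local = Phase2Settings(28800, True, None, "3DES", "SHA1")
    remote = Phase2Settings(3600, True, None, "3DES", "SHA1")
    eff, problems = negotiate_phase2(local, remote)
    print("effective:", eff, "problems:", problems)
    for w in review_phase2(eff):
        print("warning:", w)

    # A remote side with PFS off, DES and no ESP authentication fails to match.
    weak_remote = Phase2Settings(28800, False, None, "DES", None)
    print(negotiate_phase2(local, weak_remote))
```

Running the block with the constructed endpoints shows the agreed lifetime dropping to 3,600 seconds, and the mismatched remote being rejected on the three fields that must match.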

 

For IKE, configuration is now complete.  

• Click "Next" to view the final screen. 

• On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard. 

 

76 

Содержание ALL1294VPN

Страница 1: ...Broadband VPN Router ALL1294VPN Broadband Internet Access 4 Port Switching Hub User s Guide ...

Страница 2: ...CHAPTER 5 OPERATION AND STATUS 32 Operation 32 Status Screen 32 Connection Status PPPoE 34 Connection Status PPTP 36 Connection Status Telstra Big Pond 37 Connection Details SingTel RAS 38 Connection Details Fixed Dynamic IP Address 40 CHAPTER 6 ADVANCED FEATURES 42 Overview 42 Advanced Internet Screen 43 Dynamic DNS Domain Name Server 48 Virtual Servers 50 Access Control 53 Firewall Rules 57 Sche...

Страница 3: ...inistration 123 Routing 124 Security Options 129 Firmware Upgrade 131 UPnP 132 APPENDIX A TROUBLESHOOTING 133 Overview 133 General Problems 133 Internet Access 133 APPENDIX B SPECIFICATIONS 135 Broadband VPN Router 135 FCC Statement 135 CE Marking Warning 136 P N 9560J20130 Copyright 2006 All Rights Reserved Document Version 1 0 All trademarks and trade names are the properties of their respective...

Страница 4: ...ss the Internet through the Broadband VPN Router using only a single external IP Address The local invalid IP Addresses are hidden from external sources This process is called NAT Network Address Translation DSL Cable Modem Support The Broadband VPN Router has a 100BaseT Ethernet port for connecting a DSL or Cable Modem All popular DSL and Cable Modems are supported SingTel RAS and Big Pond Austra...

Страница 5: ... Router incorporates a 4 port 10 100BaseT switching hub making it easy to create or extend your LAN DHCP Server Support Dynamic Host Configuration Protocol provides a dynamic IP address to PCs and other devices upon request The Broadband VPN Router can act as a DHCP Server for devices on your local LAN and WLAN Multi Segment LAN Support LANs containing one or more segments are supported via the Br...

Страница 6: ...l protection against malicious packets you can define your own firewall rules This can also be used to control the Internet services available to LAN users VPN Gateway Features IPSec Support for IPSec standards including IKE and certificates 70 Tunnels Up to 70 VPN tunnels can be created High performance High performance encryption engine maintains high throughput even when using 3DES Microsoft VP...

Страница 7: ...ponding LAN hub port Flashing Data is being transmitted or received via the corresponding LAN hub port 100 On Corresponding LAN hub port is using 100BaseT Off Corresponding LAN hub port connection is using 10BaseT or no active connection WAN On Connection to the modem attached to the WAN Internet port is established Flashing Data is being transmitted or received via the WAN port PPPoE On PPPoE con...

Страница 8: ...On 3 Keep holding the Reset Button for a few seconds until the RED LED has flashed TWICE 4 Release the Reset Button The Broadband VPN Router is now using the factory default values WAN port 10 100BaseT Connect the DSL or Cable Modem here If your modem came with a cable use the supplied cable Otherwise use a standard LAN cable 10 100BaseT LAN connections Use standard LAN cables RJ45 connectors to c...

Страница 9: ...d VPN Router Ensure the Broadband VPN Router and the DSL Cable modem are powered OFF 2 Connect LAN Cables Use standard LAN cables to connect PCs to the Switching Hub ports on the Broadband VPN Router Both 10BaseT and 100BaseT connections can be used simultaneously If required you can connect any LAN port to another Hub Any LAN port on the Broadband VPN Router will automatically function as an Upli...

Страница 10: ...ort is a normal port not an uplink port PCs connected to the DMZ port are on the same LAN segment as PCs connected to the Hub ports They must use the same IP address range PCs connected to the DMZ port are NOT visible to PCs on the hub LAN ports So you cannot use Microsoft networking or other networking protocols to connect to PCs on the DMZ PCs connected to the DMZ port still share the WAN port I...

Страница 11: ...w to locate detailed instructions for the required functions To Do this Refer to Configure PCs on your LAN Chapter 4 PC Configuration Check Broadband VPN Router operation and Status Chapter 5 Operation and Status Use any of the following Internet features Advanced Internet Dynamic DNS Virtual Servers Access Control Firewall Rules Scheduling Services Chapter 6 Advanced Features Use the IPSec VPN fe...

Страница 12: ...n establish a physical connection to the Broadband VPN Router The PC and the Broadband VPN Router must be directly connected using the Hub ports on the Broadband VPN Router or on the same LAN segment The Broadband VPN Router must be installed and powered ON If the Broadband VPN Router s default IP Address 192 168 0 1 is already used by another device the other device must be turned OFF until the B...

Страница 13: ...d it is powered ON You can test the connection by using the Ping command Open the MS DOS window or command prompt window Enter the command ping 192 168 0 1 If no response is received either the connection is not working or your PC s IP address is not compatible with the Broadband VPN Router s IP Address See next item If your PC is using a fixed IP Address its IP Address must be within the range 19...

Страница 14: ... Run the Wizard and on the Cable Modem screen use the Clone MAC address button to copy the MAC address from your PC to the Broadband VPN Router Common Connection Types Cable Modems Type Details ISP Data required Dynamic IP Address Your IP Address is allocated automatically when you connect to you ISP Usually none However some ISP s may require you to use a particular Hostname Domain name or MAC ph...

Страница 15: ...ireless Type Details ISP Data required Dynamic IP Address Your IP Address is allocated automatically when you connect to you ISP Usually none However some ISP s may require you to use a particular Hostname Domain name or MAC physical address Static Fixed IP Address Your ISP allocates a permanent IP Address to you IP Address allocated to you mask and gateway if provided and DNS address Big Pond Cab...

Страница 16: ...ation Data Input Use the menu bar on the top of the screen and the Back button on your Browser for navigation Changing to another screen without clicking Save does NOT save any changes you may have made You must Save before changing screens or your data will be ignored On each screen clicking the Help button will display help for that screen From any help screen you can access the list of all help...

Страница 17: ...e this may be left blank WAN Port MAC Address Also called Network Adapter Address or Physical Address This is a low level identifier as seen from the WAN port Normally there is no need to change this but some ISPs require a particular value often that of the PC initially used for Internet access You can use the Copy from PC button to copy your PC s address into this field the Default button to ins...

Страница 18: ...lows all PCs on your LAN to share the Internet IP address allocated to the WAN port on this Router From the Internet all PCs appear to have the same IP address For normal operation this setting must be ENABLED Disable NAT Disabling NAT will disable Internet access unless all PCs have valid Internet IP addresses If you wish to use this device for Routing ONLY and NOT for Internet access then NAT sh...

Страница 19: ...ior Select the desired option Automatic Connect Disconnect An Internet connection is automatically made when required and disconnected when idle for the time period specified by the Auto disconnect Idle Time out Manual Connect Disconnect You must manually establish and terminate the connection Keep alive maintain connection The connection will never be disconnected by this device If disconnected b...

Страница 20: ...he PCs on that LAN segment DHCP Server If Enabled the Broadband VPN Router will allocate IP Addresses to PCs DHCP clients on your LAN when they start up The default and recommended value is Enabled If you are already using a DHCP Server this setting must be Disabled and the existing DHCP server must be re configured to treat the Broadband VPN Router as the default Gateway See the following section...

Страница 21: ...LAN Using the Broadband VPN Router s DHCP Server This is the default setting The DHCP Server settings are on the LAN screen On this screen you can Enable or Disable the Broadband VPN Router s DHCP Server function Set the range of IP Addresses allocated to PCs by the DHCP Server function You can assign Fixed IP Addresses to some devices while using DHCP provided that the Fixed IP Addresses are NOT ...

Страница 22: ...h PC TCP IP Settings Overview If using the default Broadband VPN Router settings and the default Windows TCP IP settings no changes need to be made By default the Broadband VPN Router will act as a DHCP Server automatically providing a suitable IP Address and related information to each PC when the PC boots For all non Server versions of Windows the default TCP IP setting is to act as a DHCP clien...

Страница 23: ...ing Figure 10 IP Address Win 95 Ensure your TCP IP settings are correct as follows Using DHCP To use DHCP select the radio button Obtain an IP Address automatically This is the default Windows setting Using this is recommended By default the Broadband VPN Router will act as a DHCP Server Restart your PC to ensure it obtains an IP Address from the Broadband VPN Router Using Specify an IP Address If...

Страница 24: ...ministrator can advise you of the IP Address they assigned to the Broadband VPN Router Figure 11 Gateway Tab Win 95 98 On the DNS Configuration tab ensure Enable DNS is selected If the DNS Server Search Order list is empty enter the DNS address provided by your ISP in the fields beside the Add button then click Add Figure 12 DNS Tab Win 95 98 21 ...

Страница 25: ...Checking TCP IP Settings Windows NT4 0 1 Select Control Panel Network and on the Protocols tab select the TCP IP protocol as shown below Figure 13 Windows NT4 0 TCP IP 2 Click the Properties button to see a screen like the one below 22 ...

Страница 26: ...your PC to ensure it obtains an IP Address from the Broadband VPN Router Specify an IP Address If your PC is already configured check with your network administrator before making the following changes 1 The Default Gateway must be set to the IP address of the Broadband VPN Router To set this Click the Advanced button on the screen above On the following screen click the Add button in the Gateways...

Страница 27: ...15 Windows NT4 0 Add Gateway 2 The DNS should be set to the address provided by your ISP as follows Click the DNS tab On the DNS screen shown below click the Add button under DNS Service Search Order and enter the DNS provided by your ISP 24 ...

Страница 28: ...PC Configuration Figure 16 Windows NT4 0 DNS 25 ...

Страница 29: ...d Dial up Connection 2 Right click the Local Area Connection icon and select Properties You should see a screen like the following Figure 17 Network Configuration Win 2000 3 Select the TCP IP protocol for your network card 4 Click on the Properties button You should then see a screen like the following 26 ...

Страница 30: ...btains an IP Address from the Broadband VPN Router Using a fixed IP Address Use the following IP Address If your PC is already configured check with your network administrator before making the following changes Enter the Broadband VPN Router s IP address in the Default gateway field and click OK Your LAN administrator can advise you of the IP Address they assigned to the Broadband VPN Router If t...

Страница 31: ...ork Connection 2 Right click the Local Area Connection and choose Properties You should see a screen like the following Figure 19 Network Configuration Windows XP 3 Select the TCP IP protocol for your network card 4 Click on the Properties button You should then see a screen like the following 28 ...

Страница 32: ... IP Address from the Broadband VPN Router Using a fixed IP Address Use the following IP Address If your PC is already configured check with your network administrator before making the following changes In the Default gateway field enter the Broadband VPN Router s IP address and click OK Your LAN administrator can advise you of the IP Address they assigned to the Broadband VPN Router If the DNS Se...

Страница 33: ...d Internet Connections 2 Select Set up or change your Internet Connection 3 Select the Connection tab and click the Setup button 4 Cancel the pop up Location Information screen 5 Click Next on the New Connection Wizard screen 6 Select Connect to the Internet and click Next 7 Select Set up my connection manually and click Next 8 Check Connect using a broadband connection that is always on and click...

Страница 34: ...anges Fixed IP Address By default most Unix installations use a fixed IP Address If you wish to continue using a fixed IP Address make the following changes to your configuration Set your Default Gateway to the IP Address of the Broadband VPN Router Ensure your DNS Name server settings are correct To act as a DHCP Client recommended The procedure below may vary according to your version of Linux a...

Страница 35: ...ch PC receives an incoming connection Refer to Chapter 6 Internet Features for further details Applications which use non standard connections or port numbers may be blocked by the Broadband VPN Router s built in firewall You can define such applications as Special Applications to allow them to function normally Refer to Chapter 6 Internet Features for further details Some non standard application...

Страница 36: ...e IP Address above DHCP Server This shows the status of the DHCP Server function either Enabled or Disabled For additional information about the PCs on your LAN and the IP addresses allocated to them use the PC Database option on the Advanced menu System Device Name This displays the current name of the Broadband VPN Router Firmware Version The current version of the firmware installed in the Broa...

Страница 37: ...ress The IP Address of this device as seen by Internet users This address is allocated by your ISP Internet Service Provider Network Mask The Network Mask associated with the IP Address above PPPoE Link Status This indicates whether or not the connection is currently established If the connection does not exist the Connect button can be used to establish a connection If the connection currently ex...

Страница 38: ...ver and establish a PPP connection PPP up successfully Able to login to ISP s Server and establish a PPP connection Idle time out reached The connection has been idle for the time period specified in the Idle Time out field The connection will now be terminated Disconnecting The current connection is being terminated due to either the Idle Time out above or Disconnect button being clicked Error Re...

Страница 39: ... this device as seen by Internet users This address is allocated by your ISP Internet Service Provider Connection Status This indicates whether or not the connection is currently established If the connection does not exist the Connect button can be used to establish a connection If the connection currently exists the Disconnect button can be used to break the connection Connection Log Connection ...

Страница 40: ...are address of this device as seen by remote devices This is different to the hardware address seen by devices on the local LAN IP Address The IP Address of this device as seen by Internet users This address is allocated by your ISP Internet Service Provider Connection Status This indicates whether or not the connection is currently established If the connection does not exist the Connect button c...

Страница 41: ...ear Log Delete all data currently in the Log This will make it easier to read new messages Refresh Update the data on screen Connection Details SingTel RAS If using the SingTel RAS access method a screen like the following example will be displayed when the Connection Details button is clicked Figure 25 Connection Details SingTel RAS Data SingTel RAS Screen Internet RAS Plan The RAS Plan which is ...

Страница 42: ... use the Renew button if you wish to manually renew the lease immediately Buttons Release Renew Button will display EITHER Release OR Renew This button is only useful if the IP address shown above is allocated automatically on connection Dynamic IP address If you have a Fixed Static IP address this button has no effect If the ISP s DHCP Server has NOT allocated an IP Address for the Broadband VPN ...

Страница 43: ...er associated with the IP Address above DNS IP Address The IP Address of the Domain Name Server which is currently used DHCP Client This will show Enabled or Disabled depending on whether or not this device is functioning as a DHCP client If Enabled the Remaining lease time field indicates when the IP Address allocated by the DHCP Server will expire The lease is automatically renewed on expiry use...

Страница 44: ...the ISP s DHCP Server If an IP Address has been allocated to the Broadband VPN Router by the ISP s DHCP Server this button will say Release Clicking the Release button will break the connection and release the IP Address Refresh Update the data shown on screen 41 ...

Страница 45: ...use the Broadband VPN Router s Advanced Features Overview The following advanced features are provided Advanced Internet Communication Applications Special Applications Multi DMZ URL filter Dynamic DNS Virtual Servers Access Control Firewall Rules Scheduling Services 42 ...

Страница 46: ...nsparently by the Broadband VPN Router But sometimes it is not clear which PC should receive an incoming connection This problem could arise with the Communication Applications listed on this screen If this problem arises you can use this screen to set which PC should receive an incoming connection as described below Communication Applications Select an Application This lists applications which ma...

Страница 47: ... by the Broadband VPN Router s firewall In this case you can define the application as a Special Application Special Applications Screen This screen can be reached by clicking the Special Applications button on the Advanced Internet screen You can then define your Special Applications You will need detailed information about the application this is normally available from the supplier of the appli...

Страница 48: ...ish fields Using a Special Application Configure the Special Applications screen as required On your PC use the application normally Remember that only one 1 PC can use each Special application at any time Also when 1 PC is finished using a particular Special Application there may need to be a Time out before another PC can use the same Special Application The Time out period may be up to 3 minute...

Страница 49: ...ill display the URL Otherwise it will display the IP Address The URL Filter can be Enabled or Disabled on the Advanced Internet screen URL Filter Screen Click the Configure URL Filter button on the Advanced Internet screen to access the URL Filter screen An example screen is shown below Figure 29 URL Filter Screen Data URL Filter Screen Filter Strings Current Entries This lists any existing entrie...

Страница 50: ...ttons to delete the selected entry or all entries as required Multiple entries can be selected by holding down the CTRL key while selecting On the Macintosh hold the SHIFT key while selecting Add Use this to add the current Filter String to the site list 47 ...

Страница 51: ...tration use the Create New Host option at www dyndns org to request your desired Domain name 3 Enter your data from www dyndns org in the Broadband VPN Router s DDNS screen 4 The Broadband VPN Router will then automatically ensure that your current IP Address is recorded at http www dyndns org 5 From the Internet users will be able to connect to your Virtual Servers or DMZ PC using your Domain nam...

Страница 52: ...d Password Enter your current password for www dyndns org Domain Name Enter your domain name as allocated at www dyndns org The name should consist only of letters and the hyphen dash Using any other characters may cause problems DDNS Status This message is returned by the DDNS Server at www dyndns org Normally this message should be Update successful current IP address was updated on the www dynd...

Страница 53: ... Internet users to connect to your servers as illustrated below Figure 31 Virtual Servers IP Address seen by Internet Users Note that in this illustration both Internet users are connecting to the same IP Address but using different protocols To Internet users all virtual Servers on your LAN have the same IP Address This IP Address is allocated by your ISP This address should be static rather than...

Страница 54: ...d to the LAN hub ports you must add the firewall rule manually Note that the DMZ port is a normal port not an uplink port If connecting to a hub connect to the standard port on the hub Virtual Servers Screen The Virtual Servers screen is reached by the Virtual Servers link on the Internet menu An example screen is shown below Figure 32 Virtual Servers Screen This screen lists a number of pre defin...

Страница 55: ... Virtual Server entry using the data shown in the Properties area on screen Add as new Server Add a new entry to the Virtual Server list using the data shown in the Properties area on screen The entry selected in the list is ignored and has no effect Delete Delete the current Virtual Server entry Note that the pre defined Servers can not be deleted Only Servers you have defined yourself can be del...

Страница 56: ...ed restrictions on the Default group All PCs are in the Default group unless explicitly moved to another group 2 Set the desired restrictions on the other groups Group 1 Group 2 Group 3 and Group 4 as needed 3 Assign PC to the groups as required Restrictions are imposed by blocking Services or types of connections All common Services are pre defined If required you can also define your own Service...

Страница 57: ... create the most restrictive group Block selected Services You can select which Services are to block Use this to gain fine control over the Internet access for a group Block by Schedule If Internet access is being blocked you can choose to apply the blocking only during scheduled times If access is not blocked no Scheduling is possible and this setting has no effect Services This lists all define...

Страница 58: ...the Default group PCs deleted from any other Group will be added to the Default group Access Control Log To check the operation of the Access Control feature an Access Control Log is provided Click the View Log button on the Access Control screen to view this log This log shows attempted Internet accesses which have been blocked by the Access Control function Data shown in this log is as follows D...

Страница 59: ...Broadband VPN Gateway User Guide request was blocked Destination The destination URL or IP address 56 ...

Страница 60: ...d administrators only Firewall Rules Screen Click the Firewall Rules option on the Security menu to see a screen like the following example This example contains two 2 rules for outgoing traffic Since the default rule for outgoing LAN WAN traffic is Allow having an Allow rule for LAN WAN only makes sense in combination with another rule For example the screen below shows a rule blocking all traffi...

Страница 61: ...ng section for more details Edit To Edit or modify an existing rule select it and click the Edit button Move There are 2 ways to change the order of rules Use the up and down indicators on the right to move the selected rule You must confirm your changes by clicking OK If you change your mind before clicking OK click Cancel to reverse your changes Click Move to directly specify a new location for ...

Страница 62: ...option Source IP These settings determine which traffic based on their source IP address is covered by this rule Select the desired option Any All traffic from the source port is covered by this rule Single address Enter the required IP address in the Start IP address field You can ignore the Subnet Mask field Range address If this option is selected you must complete both the Start IP address and...

Страница 63: ...rt IP address and Finish IP address fields You can ignore the Subnet Mask field Subnet address If this option is selected enter the required mask in the Subnet Mask field Services Select the desired Service or Services This determines which packets are covered by this rule based on the protocol TPC or UDP and port number If necessary you can define a new Service on the Services screen by defining ...

Страница 64: ...time for a particular day is blank no action will be performed Define Schedule Screen This screen is accessed by the Scheduling link on the Security menu Figure 37 Define Schedule Screen Data Define Schedule Screen Day Each day of the week can scheduled independently Session 1 Session 2 Two 2 separate sessions or periods can be defined Session 2 can be left blank if not required Start Time Enter t...

Страница 65: ...lete any Service you have added Pre defined Services can not be deleted Add New Service Name Enter a descriptive name to identify this service Type Select the protocol TCP UDP ICMP used to the remote system or service Start Port For TCP and UDP Services enter the beginning of the range of port numbers used by the service If the service uses a single port number enter it in both the Start and Finis...

Страница 66: ...elete Delete the selected service from the list Add Add a new entry to the Service list using the data shown in the Add New Service area on screen Cancel Clear the Add New Service area ready for entering data for a new Service 63 ...

Страница 67: ...o SAs one in each direction If IKE Internet Key Exchange is used to generate and exchange keys there are also SA s for the IKE connection as well as the IPsec connection There are two security modes possible with IPSec Transport Mode the payload data part of the packet is encapsulated through encryption but the IP header remains in the clear unchanged The Broadband VPN Router does NOT support Tran...

Страница 68: ...d the first matching policy will be used VPN Configuration The general rule is that each endpoint must have matching Policies as follows Remote VPN address Each VPN endpoint must be configured to initiate or accept connections to the remote VPN client or Gateway Usually this requires having a fixed Internet IP address However it is possible for a VPN Gateway to accept incoming connections from a r...

Страница 69: ...ires no VPN configuration since it is not acting as a VPN endpoint Client PC to VPN Gateway Figure 40 Client PC to VPN Server In this situation the PC must run appropriate VPN client software in order to connect via the Internet to the Broadband VPN Router Once connected the client PC has the same access to LAN resources as PCs on the local LAN unless restricted by the network administrator IPsec ...

Страница 70: ...gain secure access to the remote LAN The 2 LANs MUST use different IP address ranges The VPN Policies at each end determine when a VPN tunnel will be established and what systems on the remote LAN can be accessed once the VPN connection is established It is possible to have simultaneous VPN connections to many remote sites 67 ...

Страница 71: ... is important if you have more than one policy for particular traffic In that case the first matching policy for the traffic under consideration will be used Data VPN Policies Screen VPN List Policy Name The name of the policy When creating a policy you should select a suitable name Enable This indicates whether or not the policy is currently enabled Use the Enable Disable button to toggle the sta...

Страница 72: ...emember that the new policy must have a different name and there can only be one active enabled policy for each remote VPN endpoint Delete To delete an exiting policy select it and click the Delete button Add New Policy To add a new policy click the Add New Policy button See the following section for details View Log Clicking the View Log button will open a new window and display the VPN log Addin...

Страница 73: ...can be enabled at any time Remote Endpoint Address The Internet IP address of the remote VPN endpoint Gateway or client Dynamic Select this if the Internet IP address is unknown In this case only incoming connections are possible Fixed Select this if the remote endpoint has a fixed Internet IP address Domain Name Select this if the remote endpoint has a domain name Keys Select Manually assigned or...

Страница 74: ...t would not be forwarded to the Gateway Local IP addresses Type Any no additional data is required Any IP address is acceptable For outgoing connections this allows any PC on the LAN to use the VPN tunnel For incoming connections this allows an PC using the remote endpoint to access any PC on your LAN Single address enter an IP address in the Start IP address field Range address enter the starting...

Страница 75: ...ddress in the Finish IP address field Subnet address enter the desired IP address in the Start IP address field and the network mask in the Subnet Mask field The remote VPN should have these IP addresses entered as it s Local addresses 3 Click Next to continue The screen you will see depends on whether you previously selected Manual Key Exchange or IKE Manual Key Exchange Figure 46 VPN Wizard Manu...

Страница 76: ... through the VPN tunnel Generally you will want to enable both Encryption and Authentication The 3DES algorithm provides greater security than DES but is slower Select the key size from the drop down list if AES is selected The in key here must match the out key on the remote VPN and the out key here must match the in key on the remote VPN ESP Authentication Generally you should enable ESP Authent...

Страница 77: ... more common method Remote Identity This setting must match the Local Identity on the remote VPN IP address is the more common method Authentication RSA Signature requires that both VPN endpoints have valid Certificates issued by a CA Certification Authority For Pre shared key enter the same key value in both endpoints The key should be at least 8 characters maximum is 128 characters Note that thi...

Страница 78: ...d IKE SA Life Time This setting does not have to match the remote VPN endpoint the shorter time will be used Although measured in seconds it is common to use time periods of several hours such 28 800 seconds DH Group Select the desired method and ensure the remote VPN endpoint uses the same method The smaller bit size is slightly faster IKE PFS If enabled PFS Perfect Forward Security enhances secu...

Page 79: ...N header, if used. AH is often NOT used. If you do enable it, ensure the algorithm selected matches the other VPN endpoint. ESP Encryption: ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both ESP Encryption and ESP Authentication. Select the desired method, and ensure the remote VPN endpoint uses the same method. The 3...

Page 80: ...ect operation. Select a meaningful name. (Values below are given as first endpoint / second endpoint.)
Remote Endpoint: 205.17.11.43 / 202.11.13.211 - the other endpoint's WAN (Internet) IP address.
Local IP addresses: Any / Any - use a more restrictive definition if possible.
Remote IP addresses: 192.168.1.1 to 192.168.1.254 / 192.168.0.1 to 192.168.0.254 - address range on the other endpoint; use a more restrictive definition if possible.
Key Exchange: IKE / IKE - must match.
IKE SA Parameter...

Page 81: ...in Mode - must match.
DH Group: Group 1 (768-bit) / Group 1 (768-bit) - must match.
IKE SA Life time: 28800 / 28800 - does not have to match; the shorter period will be used.
IKE PFS: Disable / Disable - must match.
IPSec SA Parameters:
IPSec SA Life time: 28800 / 28800 - does not have to match; the shorter period will be used.
IPSec PFS: Disabled / Disabled - must match.
AH authentication: Disabled / Disabled - AH is rarely used.
ESP authentication ...

Page 82: ...ess.
Local IP addresses: Subnet address 192.168.0.0 / 255.255.255.0 - allows access to the entire LAN; use a more restrictive definition if possible.
Remote IP addresses: 172.16.9.10 - for a single client, this is the same as the endpoint.
Key Exchange: IKE - must match the client PC.
IKE SA Parameters:
IKE Direction: Responder - we only want to accept client connections.
Local Identity: IP address - required.
Remote Identity: IP addr...

Page 83: ...hentication: Enable, MD5 - must match the client PC.
ESP encryption: Enable, DES - must match the client PC.
Windows Client Configuration:
1. Select Start - Programs - Administrative Tools - Local Security Policy.
2. Right-click "IP Security Policy on Local Machine" and select "Create IP Security Policy". Figure 51: Windows 2000/XP Local Security Settings.
3. Click Next, then enter a policy name (for example "DUT To Win2K"), then click Ne...
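The Gateway-to-Gateway and Gateway-to-Client tables above each list which settings must match on both endpoints, which cross over (Local Identity / Remote Identity) and which are negotiated down to the shorter value. The following script is an added example, not code from the ALL1294VPN manual or from ALLNET: it encodes those rules so two endpoint configurations can be compared before the tunnel is brought up. The dictionary field names, the WEAK table and the pre-shared key value are this example's own assumptions; the ESP rows of the Gateway-to-Gateway table are cut off on the page, so DES/MD5 is taken from the client example.

```python
"""Compatibility check for the VPN Wizard parameters of two endpoints.

Added example; this is not code from the ALL1294VPN manual or from ALLNET.
Rules encoded: Key Exchange, Mode, DH Group, PFS, AH and ESP settings must
match on both endpoints, the identities cross over, SA lifetimes need not
match (the shorter one is used), and an IKE pre-shared key must be
identical on both ends and 8..128 characters long.
"""

MUST_MATCH = (
    "key_exchange", "ike_mode", "dh_group", "ike_pfs",
    "ipsec_pfs", "ah_auth", "esp_encryption", "esp_auth",
)
# Lifetimes are not required to match; the tunnel uses the shorter period.
NEGOTIATED_MIN = ("ike_sa_lifetime", "ipsec_sa_lifetime")

# Choices the manual offers that an editor would warn about today
# (assumption of this example: the manual only says 3DES is stronger than
# DES and that a smaller DH group is slightly faster).
WEAK = {
    "esp_encryption": {"DES"},
    "dh_group": {"Group 1 (768-bit)"},
    "esp_auth": {"MD5"},
}


def check_psk(local_key, remote_key):
    """Pre-shared key rule: same value on both ends, 8 to 128 characters."""
    problems = []
    for side, key in (("local", local_key), ("remote", remote_key)):
        if not 8 <= len(key) <= 128:
            problems.append(f"{side} pre-shared key is {len(key)} chars, not 8..128")
    if local_key != remote_key:
        problems.append("pre-shared keys differ")
    return problems


def check_pair(a, b):
    """Compare endpoint configs a and b.

    Returns (errors, warnings, effective): errors block the tunnel,
    warnings flag weak but matching choices, effective holds the
    negotiated values (min lifetimes, agreed algorithms).
    """
    errors, warnings, effective = [], [], {}
    for field in MUST_MATCH:
        if a.get(field) != b.get(field):
            errors.append(f"{field}: {a.get(field)!r} != {b.get(field)!r} (must match)")
        else:
            effective[field] = a.get(field)
    for field in NEGOTIATED_MIN:
        effective[field] = min(a[field], b[field])
    # Identities cross over: A's Local Identity is B's Remote Identity.
    for x, y, label in ((a, b, "A local / B remote"), (b, a, "B local / A remote")):
        if x.get("local_identity") != y.get("remote_identity"):
            errors.append(f"identity mismatch ({label}): "
                          f"{x.get('local_identity')!r} != {y.get('remote_identity')!r}")
    if a.get("key_exchange") == "IKE" and b.get("key_exchange") == "IKE":
        errors += check_psk(a["psk"], b["psk"])
    for field, weak_values in WEAK.items():
        if effective.get(field) in weak_values:
            warnings.append(f"{field} = {effective[field]!r} is weak; "
                            "prefer the strongest choice both endpoints support")
    return errors, warnings, effective


# The manual's Gateway-to-Gateway example (pages 80-81). The page is cut off
# before the ESP rows, so DES/MD5 is constructed from the client example.
GATEWAY_A = {
    "key_exchange": "IKE", "ike_mode": "Main Mode", "dh_group": "Group 1 (768-bit)",
    "ike_pfs": "Disable", "ipsec_pfs": "Disabled", "ah_auth": "Disabled",
    "esp_encryption": "DES", "esp_auth": "MD5",
    "ike_sa_lifetime": 28800, "ipsec_sa_lifetime": 28800,
    "local_identity": "205.17.11.43", "remote_identity": "202.11.13.211",
    "psk": "example-psk-value",   # constructed value
}
GATEWAY_B = dict(GATEWAY_A, local_identity="202.11.13.211",
                 remote_identity="205.17.11.43")
# A mis-typed remote side: wrong DH group, shorter lifetime, 6-character key.
GATEWAY_B_BAD = dict(GATEWAY_B, dh_group="Group 2 (1024-bit)",
                     ipsec_sa_lifetime=3600, psk="secret")

if __name__ == "__main__":
    for name, remote in (("good", GATEWAY_B), ("bad", GATEWAY_B_BAD)):
        errors, warnings, effective = check_pair(GATEWAY_A, remote)
        print(f"[{name}] errors={errors}")
        print(f"[{name}] warnings={warnings}")
        print(f"[{name}] effective IPSec SA lifetime={effective['ipsec_sa_lifetime']}")
```

Run it and the "good" pair reports no errors but three warnings (DES, MD5, 768-bit DH), with an effective lifetime of 28800; the "bad" pair reports the DH Group mismatch, the short key and the key difference as errors, and an effective IPSec SA lifetime of 3600, which is what the manual means by "the shorter period will be used".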

Page 84: ...n use. Two (2) rules are required: incoming and outgoing. The outgoing rule will be added first. 6. Deselect the "Use Add Wizard" checkbox, then click Add to view the screen below. Figure 53: IP Filter List. 7. Type "To DUT" for the name, then click Add to see a screen like the following. ...

Page 85: ...P address is "My IP address" and the Destination IP address is the address range used on the remote LAN. Ensure the Mirrored option is checked. 9. Click OK to save your settings and close this dialog. Figure 55: New Rule Properties - IP Filter List. 10. On the resulting screen (above), ensure the "To DUT" filter is selected, then click the Filter Action tab to see a screen like the following. ...

Page 86: ...roperties - Filter Action. 11. Select Require Security, then click the Edit button to view the Require Security Properties screen. Figure 57: Require Security Properties. 12. Select Negotiate security (this selects IKE), then click Add. ...

Page 87: ...curity Properties screen. Figure 59: Require Security Properties. 14. Ensure the following settings are correct, then click OK to return to the Filter Action tab of the Edit Rule Properties screen.
VPN Setting - Windows Setting:
IKE enabled - Negotiate security.
AH disabled - AH Integrity: None.
ESP encryption: Enable, DES - ESP Confidentiality: DES.
ESP authentication: Enable, MD5 - ESP Integrity: MD5.
...

Page 88: ...60: Tunnel Setting. 16. Click the Authentication Methods tab, then click Edit to see a screen like the example below. Figure 61: Authentication Method. 17. Select "Use this string to protect the key exchange (preshared key)", then enter your preshared key in the field provided. 18. Click OK to save your changes and return to the Authentication Methods tab of the Edit Rule Properties screen. ...

Page 89: ...0. To add the second (incoming) rule, click Add. For the name, enter "To Win2K", then click Add. Figure 63: Windows 2000/XP Client to Broadband VPN Router. 21. Enter the Source IP address and the Destination IP address as shown below. Since this is the incoming filter, the Source IP address is the address range used on the remote LAN and the Destination IP address is "My IP address". Ensure the Mirrored option is c...

Page 90: ...VPN. Figure 64: Filter Properties - Addressing. 22. Click OK to save your changes, then Close. Figure 65: Filter List. 23. Ensure the "To Win2K" filter is selected, then click the Filter Action tab. ...

Page 91: ...ter Action. 24. Select Require Security, then click Edit. On the Require Security Methods screen (below), select Negotiate security. Figure 67: Security Methods. 25. Click the Add button. On the resulting Modify Security Method screen (below), select High (ESP). ...

Page 92: ...ick OK again to return to the Filter Action screen. 27. Select the Tunnel Setting tab and enter the WAN (Internet) IP address of this PC (172.16.9.10 in this example, the same client address used in the Broadband VPN Router configuration). Figure 69: Tunnel Setting. 28. Select the Authentication Methods tab and click the Edit button to see the screen below. ...

Page 93: ...otect the key exchange (preshared key)", then enter your preshared key in the field provided. 30. Click OK to save your settings, then Close to return to the "DUT to Win2K" Properties screen. There should now be 2 IP Filters listed, as shown below. Figure 71: DUT to Win2K Properties. 31. Select the General tab. ...

Page 94: ...VPN. Figure 72: Properties - General Tab. 32. Click the Advanced button to see the screen below. Figure 73: Key Exchange Settings. 33. Click the Methods button to see the screen below. ...

Page 95: ...thms. 35. Select SHA1 for Integrity Algorithm, 3DES for Encryption algorithm, and Low (1) for the Diffie-Hellman Group. 36. Click OK to save, then OK again, and then Close to return to the Local Security Settings screen. 37. Right-click the "DUT to Win2K" Policy and select Assign to make your policy active. Figure 76: Windows 2000/XP Client to Broadband VPN Router. Configuration is now complete. ...

Page 96: ...adband VPN Router to Windows 2000 Server. Broadband VPN Router Configuration: This is the same as for the client setup earlier, with the exception of the IP address range for the remote endpoint.
Setting - Single Client - Server Gateway:
Remote IP addresses - 172.16.9.10 (for a single client, this is the same as the Gateway address) - Subnet address 11.5.0.0, mask 255.255.0.0 (address range used on the remote LAN).
...

Page 97: ...r both IP Filters, the Filter Properties - Addressing should be completed as follows. Figure 78: Windows 2000 Server - Addressing. The Source Address should be set to "A specific IP Subnet", and the IP address and Subnet mask set to the address range used on the Broadband VPN Router's LAN. The Destination Address should be set to "A specific IP Subnet", and the IP address and Subnet mask set to the address range...

Page 98: ...er Name: The CA (Certification Authority) which issued the Certificate. Expiry Time: The date on which the Certificate expires. You should renew the Certificate before it expires. Delete button: Use this button to delete a Trusted Certificate. Select the checkbox in the Delete column for any Certificates you wish to delete, then click the Delete button. Self Certificates: Name: The name you assigned to this Ce...

Page 99: ...d the certificate file to the Broadband VPN Router. 6. Click Back to return to the Trusted Certificate list. The new Certificate will appear in the list. Adding a Self Certificate: This process is different to obtaining a Trusted Certificate. The Broadband VPN Router must generate a request for the CA; you cannot request a Certificate directly. The correct procedure is as follows: 1. On the Certificates scr...

Page 100: ... 2 4. Check that the data displayed in the Certificate Details section is correct. This data is used to generate the Certificate request. If the data is not correct, click the Back button and correct the previous screen. 5. If the data is correct, copy the text in the "Data to supply to CA" panel to the clipboard. 6. Apply for a Certificate: Connect to the CA's web site. Start the Self Certificate request proc...

Page 101: ... a New CRL: 1. Obtain the CRL file from your CA. 2. Select CRL from the VPN menu. You will see a screen like the example below. Figure 83: Certificate Revocation Lists. 3. Click the Add New CRL button. You will see a screen like the following. Figure 84: Upload CRL. 4. Upload the CRL file: Click the Browse button and locate the CRL file on your PC. Select the file; the name will appear in the File to Upload field. ...

Page 102: ... Status Screen: Current VPN SAs: Policy Name: The name of the VPN Policy which triggered this VPN connection. SPI: Each SA (Security Association) has a unique SPI. For manual keys, this SPI is specified by user input. If using IKE, the SPI is generated by the IKE negotiation process. Type: Each SA (Security Association) will be either IKE or IPSec. VPN Endpoint: The IP address of the remote VPN Endpoint. Data Tran...

Page 103: ...er. Using Microsoft VPN provides easier setup than using IPSec VPN. The following Microsoft VPN configuration screens are provided: Server, Clients, Status. Server Setup: The Broadband VPN Router incorporates a PPTP (Point-to-Point Tunneling Protocol) server which is compatible with the VPN Adapter provided with recent versions of Microsoft Windows. Remote Windows clients are able to connect to this Server. On...

Page 104: ...The methods are listed with the most secure first and the least secure last. If multiple methods are checked, the most secure will be tried first. If the remote client does not support this, then the other checked methods are tried in order, so enable only the strongest method that all of your clients support; every weaker method left checked is one a client (or anyone posing as a client) can fall back to. You must enable at least one method. Client Database: To log in to the PPTP Server above using the Microsoft Windows VPN Adapter, remote users must be entered in the VPN client...

Page 105: ...when they connect. The name must not contain spaces, punctuation or special characters. Login Password: Enter the login password. The remote user must provide this password when they connect. Verify Password: Re-enter the password above. Buttons: Clear Form: Use this to prepare the form for a new entry. Any existing data will be cleared. Add as New User: Use this to save the data in the Properties area as a new...

Page 106: ...atus Screen: Server Status: Status: This indicates whether or not the PPTP VPN Server is enabled. Current Connections: This indicates the number of remote clients currently logged into the PPTP VPN Server. Server Log: Server Log: This displays details of each connection or connection attempt. You can use the Clear Log button to restart the log, making new messages easier to read. ...

Page 107: ...figured as described in the following sections. It is assumed that remote users have a Broadband (not dial-up) connection to the Internet. Windows 98/ME: 1. Click Start - Settings - Dial-up Networking. 2. Select Make New Connection. Figure 89: Windows ME VPN Adapter. 3. Type a name for this connection and ensure that Microsoft VPN Adapter is selected. Click Next to continue. Figure 90: Windows ME VPN Remote Host. 4. E...

Page 108: ...the setting "This is the default Internet connection" on the Dialing tab. Do NOT enable this setting if using Dial-up or PPPoE client software. Windows ME VPN Dialing Properties. To establish a connection: 1. Ensure you are connected to the Internet. 2. Select Start - Settings - Dial-up Networking. 3. Double-click the new VPN entry in Dial-up Networking. 4. Enter your User name and Password, as recorded in the Clie...

Page 109: ...ows 2000 Network Connection. 2. Select the VPN option "Connect to a private network through the Internet", as shown above, and click Next. Figure 92: Windows 2000 Public Network. 3. On the screen above, select "Do not dial the initial connection" if Internet access is via the LAN. If using a PPPoE software client, select "Automatically dial this initial connection" and select the PPPoE connection. Click Next to con...

Page 110: ... the Domain Name or Internet IP address of the Broadband VPN Router you wish to connect to. Click Next to continue. Figure 94: Windows 2000 Connection Availability. 5. Choose whether to allow this connection for everyone or only for yourself, as required. Click Next to continue. ...

Page 111: ... client database on the Broadband VPN Router. 3. You can choose to have Windows remember the password if desired, so you do not have to enter it again. Changing the connection settings: The PPTP VPN Server in the Broadband VPN Router is designed to work with the default Windows settings. If necessary, you can change the Windows settings by right-clicking the VPN connection in Network Connections and sele...

Page 112: ...tings - Network Connections and start the New Connection Wizard. Figure 96: Windows XP Network Connection Type. 2. Select the option "Connect to the network at my workplace", as shown above, and click Next. Figure 97: Windows XP Network Connection. 3. On the next screen (shown above), select the "Virtual Private Network connection" option. Click Next to continue. ...

Page 113: ...ows XP Connection Name. 4. Enter a suitable name for this connection. Click Next to continue. Figure 99: Windows XP Public Network. 5. On the screen above, select "Do not dial the initial connection". Click Next to continue. Figure 100: Windows XP VPN Server. ...

Page 114: ... then be prompted for the username and password. Enter the username and password assigned to you, as recorded in the VPN client database on the Broadband VPN Router. 3. You can choose to have Windows remember the password if desired, so you do not have to enter it again. Changing the connection settings: The PPTP VPN Server in the Broadband VPN Router is designed to work with the default Windows settings...

Page 115: ...not necessary to use these screens or change any settings. These screens and settings are provided to deal with non-standard situations or to provide additional options for advanced users. The screens available are: Config Files, Logs, Admin Login, Network Diag, Options, PC Database, Remote Admin, Routing, Security Options, Upgrade Firmware, UPnP. ...

Page 116: ...re 102: Config Screen. Data - Config File Screen: Backup Config: Use this to download a copy of the current configuration and store the file on your PC. Click Download to start the download. Restore Config: This allows you to restore a previously saved configuration file back to the Broadband VPN Router. Click Browse to select the configuration file, then click Restore to upload the configuration file. WARNING: Upl...

Page 117: ... in the Broadband VPN Router, log data can also be E-mailed to your PC or sent to a Syslog Server. Figure 103: Logs Screen. Data - Logs Screen: Enable Logs: DoS Attacks: If enabled, this log will show details of DoS (Denial of Service) attacks which have been blocked by the built-in Firewall. Internet Connections: If selected, outgoing Internet connections are logged. Normally, the Internet Destination will be sho...

Page 118: ...lect the desired option for sending the log by E-mail. When log is full: The time is not fixed. The log will be sent when the log is full, which will depend on the volume of traffic. Every day / Every Monday (etc.): The log is sent on the interval specified. If "Every day" is selected, the log is sent at the time specified. If a day is specified, the log is sent once per week on the specified day. Select the time of...

Page 119: ...lt login name is "admin". Change this to the desired value. 2. The default password is blank (no password). Enter the desired password in the New Password and Verify Password fields. 3. Save your changes. You will see a login prompt when you connect to the Broadband VPN Router, as shown below. Figure 105: Password Dialog. Enter the User Name and Password you set on the Admin Login screen above. ...

Page 120: ...ently exists, you could get a Timeout error. In that case, wait a few seconds and try again. Ping Button: After entering the IP address, click this button to start the Ping procedure. The results will be displayed in the Ping Results pane. DNS Lookup: Domain name/URL: Enter the Domain name or URL for which you want a DNS (Domain Name Server) lookup. Note that if the address is on the Internet and no connection...

Page 121: ...Address of the DNS (Domain Name Servers) here. These DNS will be used only if the primary DNS is unavailable. MTU: MTU size: The MTU (Maximum Transmission Unit) value should only be changed if advised to do so by Technical Support. Enter a value between 1 and 1500. This device will still auto-negotiate with the remote server to set the MTU size. The smaller of the 2 values (auto-negotiated, or entered here) will be...

Page 122: ...tomatically added to the database and updated as required. By default, non-Server versions of Windows act as DHCP Clients (this setting is called "Obtain an IP Address automatically"). The Broadband VPN Router uses the Hardware Address to identify each PC, not the name or IP address. The Hardware Address normally changes only if you change the PC's network card or adapter (although most adapters allow it to be set in software). This system means you do NOT need to use...

Page 123: ...connected, or not powered On, you will not be able to add it. Buttons: Add: This will add the new PC to the list. The PC will be sent a ping to determine its hardware address. If the PC is not available (not connected, or not powered On), you will not be able to add it. Delete: Delete the selected PC from the list. This should be done in 2 situations: the PC has been removed from your LAN, or the entry is incorrect. ...

Page 124: ... than the standard PC Database screen. Figure 109: PC Database (Admin). Data - PC Database (Admin) Screen: Known PCs: This lists all current entries. The data displayed is name, IP Address and type. The type indicates whether the PC is connected to the LAN. PC Properties: Name: If adding a new PC to the list, enter its name here. It is best if this matches the PC's hostname. ...

Page 125: ...his to have the Broadband VPN Router contact the PC and find its MAC address. This is only possible if the PC is connected to the LAN and powered On. MAC Address is: Enter the MAC address of the PC. The MAC address is also called the Hardware Address, Physical Address or Network Adapter Address. The Broadband VPN Router uses this to provide a unique identifier for each PC. Note that most adapters let the MAC address be changed in software, so it identifies a PC for convenience, not as a tamper-proof credential for Access Control. Because of this, the MAC address...

Page 126: ...revent the use of a Web Virtual Server on your LAN. See Advanced Internet - Virtual Servers. Current IP Address: You must use this IP Address to connect (see below). This IP Address is allocated by your ISP. But if using a Dynamic IP Address, this value can change each time you connect to your ISP, so it is better if your ISP allocates you a Fixed IP Address. Set a password on the Admin Login screen before enabling Remote Admin; the default password is blank, and Remote Admin exposes the login prompt to the Internet. To connect from a remote PC via the Internet: 1. Ens...

Page 127: ...adband VPN Router, and ensure the following Windows 2000 settings are correct: Open Routing and Remote Access. In the console tree, select Routing and Remote Access - (server name) - IP Routing - RIP. In the Details pane, right-click the interface you want to configure for RIP version 2, and then click Properties. On the General tab, set Outgoing packet protocol to "RIP version 2 broadcast" and Incoming packet proto...

Page 128: ...of the Broadband VPN Router. The Broadband VPN Router supports RIP 1 only. Static Routing: Static Routing Table Entries: This list shows all entries in the Routing Table. The Properties area shows details of the selected item in the list. Change any of the properties as required, then click the Update button to save the changes to the selected entry. ...

Page 129: ...list is ignored and has no effect. Update: Update the current Static Routing Table entry using the data shown in the Properties area on screen. Delete: Delete the current Static Routing Table entry. Clear Form: Clear all data from the Properties area, ready for input of a new entry for the Static Routing table. Generate Report: Generate a read-only list of all entries in the Static Routing table. Configurin...

Page 130: ...roadband VPN Router's local router, the Gateway IP Address is the address of the intermediate router. Static Routing Example: Figure 112: Routing Example. For the Broadband VPN Router's Routing Table: For the LAN shown above, with 2 routers and 3 LAN segments, the Broadband VPN Router requires 2 entries, as follows: Entry 1 (Segment 1): Destination IP Address: 192.168.1.0; Network Mask: 255.255.255.0 (Standard Cla...

Page 131: ...er Guide. Gateway IP Address: 192.168.0.1 (Broadband VPN Router's IP Address). For Router B's Default Route: Destination IP Address: 0.0.0.0; Network Mask: 0.0.0.0; Gateway IP Address: 192.168.1.80 (Broadband VPN Router's local router). ...
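The Static Routing pages above describe each entry as a Destination IP Address, a Network Mask and a Gateway IP Address, with the gateway being the intermediate router when the destination is not directly reachable. The following script is an added example, not code from the ALL1294VPN manual or from ALLNET: it shows how such a table is consulted (the most specific matching entry wins, a default route of 0.0.0.0/0.0.0.0 catches the rest) and enforces the rule that a gateway must sit on one of the device's own segments. Only Segment 1 (192.168.1.0/255.255.255.0) and Router B's default route via 192.168.1.80 are given on the page; the third segment (192.168.2.0/24) and the local router's address on the router's own LAN (192.168.0.2) are assumptions for illustration.

```python
"""Static route lookup for the manual's 3-segment example.

Added example, not code from the ALL1294VPN manual or from ALLNET.
Segment 1 and Router B's default route come from the page; the third
segment (192.168.2.0/24) and the local router's address on the
Broadband VPN Router's LAN (192.168.0.2) are assumed.
"""
import ipaddress


def build_table(connected, static_routes):
    """Combine directly connected networks with Static Routing entries.

    connected: list of network strings the device has an interface on.
    static_routes: list of (destination, network_mask, gateway) as typed
    on the Static Routing screen. A gateway that is not on a connected
    segment is rejected, since the device could never hand packets to it.
    """
    nets = [ipaddress.ip_network(c) for c in connected]
    table = [(net, None) for net in nets]          # None = deliver directly
    for dest, mask, gateway in static_routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gw = ipaddress.ip_address(gateway)
        if not any(gw in c for c in nets):
            raise ValueError(f"gateway {gateway} is not on a directly connected segment")
        table.append((net, gw))
    return table


def next_hop(table, destination):
    """Longest-prefix match: ('direct', network), ('via', gateway) or None."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        return None
    net, gw = max(matches, key=lambda entry: entry[0].prefixlen)
    return ("direct", str(net)) if gw is None else ("via", str(gw))


# Broadband VPN Router: its own LAN plus the two entries the manual calls for.
ROUTER_TABLE = build_table(
    ["192.168.0.0/24"],
    [("192.168.1.0", "255.255.255.0", "192.168.0.2"),   # Segment 1 (from the page)
     ("192.168.2.0", "255.255.255.0", "192.168.0.2")],  # Segment 2 (assumed)
)
# Router B: reaches everything else through the Broadband VPN Router's local router.
ROUTER_B_TABLE = build_table(
    ["192.168.1.0/24", "192.168.2.0/24"],
    [("0.0.0.0", "0.0.0.0", "192.168.1.80")],          # default route (from the page)
)

if __name__ == "__main__":
    for dst in ("192.168.0.7", "192.168.1.50", "192.168.2.9", "10.0.0.1"):
        print(dst, "->", next_hop(ROUTER_TABLE, dst),
              "| Router B:", next_hop(ROUTER_B_TABLE, dst))
```

With this table, 192.168.1.50 is handed to 192.168.0.2 by the Broadband VPN Router, 192.168.2.9 is delivered directly by Router B even though its default route would also match (the /24 entry is more specific), and an entry whose gateway is on a segment the device does not touch is refused rather than silently black-holing traffic.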

Page 132: ...ot use it, the service is unavailable. This device uses Stateful Inspection technology. This system can detect situations where individual TCP/IP packets are valid, but collectively they become a DoS attack. Threshold: This setting affects the number of half-open connections allowed. A half-open connection arises when a remote client contacts the Server with a connection request, but then does not reply t...
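The Threshold description above explains the bookkeeping a stateful firewall does: each connection request (SYN) that is never completed by the client's final ACK stays half-open, and the count of such entries is what the threshold caps. The following script is an added example, not code from the ALL1294VPN manual or from ALLNET: it reproduces that counting over constructed packet summaries, with one ordinary client that completes its handshake, one stale entry that has timed out, and one source that leaves fifty requests half-open. The packet tuple layout, the expiry period and the threshold value are assumptions of this example.

```python
"""Half-open connection counting behind the Threshold setting.

Added example, not code from the ALL1294VPN manual or from ALLNET.
A half-open connection is one where a client sent a SYN (the connection
request) but never replied with the final ACK of the handshake.
"""
from collections import defaultdict

# Constructed packet summaries seen inbound on the WAN side:
# (time_s, source_ip, source_port, flags).
PACKETS = (
    [(0.0, "192.168.50.10", 40000, "SYN"), (0.1, "192.168.50.10", 40000, "ACK")]  # completes
    + [(-200.0, "172.16.1.1", 5000, "SYN")]                                         # stale
    + [(1.0 + i / 100, "10.9.8.7", 1000 + i, "SYN") for i in range(50)]             # never ACKs
)


def half_open_by_source(packets, now, expiry=60.0):
    """Return {source_ip: number of half-open connections} at time `now`.

    A SYN opens a pending entry for (src, sport); an ACK without SYN from
    the same pair completes it. Entries older than `expiry` are dropped,
    as a stateful firewall would time them out.
    """
    pending = {}
    for t, src, sport, flags in sorted(packets):
        key = (src, sport)
        if "SYN" in flags:
            pending[key] = t
        elif "ACK" in flags:
            pending.pop(key, None)
    counts = defaultdict(int)
    for (src, _), t in pending.items():
        if now - t <= expiry:
            counts[src] += 1
    return dict(counts)


def over_threshold(counts, threshold):
    """Sources whose half-open count exceeds the configured Threshold."""
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    counts = half_open_by_source(PACKETS, now=5.0)
    print(counts)                       # {'10.9.8.7': 50}
    print(over_threshold(counts, 20))   # ['10.9.8.7']
```

Only the flooding source is counted: the ordinary client's entry was closed by its ACK and the stale entry has aged out, so a threshold of 20 flags 10.9.8.7 alone. Raising the threshold above 50 would let the same burst through, which is the trade-off the manual's setting controls.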

Page 133: ...ions are allowed. If not checked, IPSec connections are blocked. Allow PPTP: PPTP (Point-to-Point Tunneling Protocol) is widely used by VPN (Virtual Private Networking) programs. If checked, PPTP connections are allowed. If not checked, PPTP connections are blocked. Allow L2TP: L2TP (Layer 2 Tunneling Protocol) is an IETF standard for VPNs (Virtual Private Networks) that combined Cisco's L2F with PPTP. If checked, L2TP connections are allowed. If not checked, L2TP con...

Page 134: ...pgrade Firmware Screen. To perform the Firmware Upgrade: 1. Click the Browse button and navigate to the location of the upgrade file. 2. Select the upgrade file. Its name will appear in the Upgrade File field. 3. Click the Start Upgrade button to commence the firmware upgrade. The Broadband VPN Router is unavailable during the upgrade process, and must restart when the upgrade is completed. Any connections...

Page 135: ...an change the configuration. If Disabled, UPnP users can only view the configuration. But currently this restriction only applies to users running Windows XP who access the Properties via UPnP (e.g. right-click the Broadband VPN Router in My Network Places and select Properties). Note that any program running on a LAN PC can issue UPnP requests, so leave these options disabled unless you need them. Allow Internet access to be disabled: If checked, then UPnP users can disable Internet access via this device. If Disabled, UPnP u...

Page 136: ...ess within the range 192.168.0.2 to 192.168.0.254, and thus compatible with the Broadband VPN Router's default IP Address of 192.168.0.1. Also, the Network Mask should be set to 255.255.255.0 to match the Broadband VPN Router. In Windows, you can check these settings by using Control Panel - Network to check the Properties for the TCP/IP protocol. Internet Access: Problem 1: When I enter a URL or IP address...

Page 137: ...he data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this does not solve the problem, you can use the DMZ function. This should work with almost every application, but: it is a security risk, since the firewall is disabled for that PC; and only one (1) PC can use this feature. ...

Page 138: ...he instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures: Reo...

Page 139: ...t 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. CE Marking Warning: This is a Class B product. In a domest...

Page 140: ...d. The conformity to the above directive is indicated by the CE sign on the device. The ALLNET ALL1294VPN Broadband VPN Router conforms to the European Directive 89/336/EEC. This equipment meets the following conformance standards: EN 55022:1994/A1:1995/A2:1997 Class B, EN 61000-3-2:2000, EN 61000-3-3 and EN 55024:1998. This equipment is intended to be operated in all countries. This declaration is made...
