
Page 53 

6: VPN Configuration 

Overview 

A Virtual Private Network (VPN) uses encryption to create a connection between two endpoints (computers or networks). It allows private data to be sent securely over a public network or the Internet without the risk of outside intruders gaining unauthorized access. A VPN establishes a private network that can send data securely between two networks. This is done by creating a “tunnel”. A VPN tunnel connects the two PCs or networks.

 

Note: The VPN Router uses industry-standard IPSec encryption. However, due to variations in how manufacturers interpret these standards, many VPN products are not interoperable. Although the Multi-WAN VPN Router can interoperate with many other VPN products, it is not possible for the Multi-WAN VPN Router to provide specific technical support for every other product.

IKE Global Setup 

 

Figure 6-1: IKE Global Setup

 
