VPN

Figure 76: Properties - General Tab

32.  Click the "Advanced" button to see the screen below.

Figure 77: Key Exchange Settings

33.  Click the "Methods" button to see the screen below.

Contents: VRT-401

Page 1: ...Networking Communication Broadband VPN Router VRT-401 User's Manual...

Page 2: ...r's Manual is accurate, PLANET disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User's Manual is subject to change without notice and does not represent...

Page 3: ...AND STATUS 29; Operation 29; Status Screen 29; Connection Status - PPPoE 31; Connection Status - PPTP 34; Connection Status - Telstra Big Pond 35; Connection Details - SingTel RAS 36; Connection Details - Fixed/Dynami...

Page 4: ...NGS 106; Overview 106; PC Database 107; Remote Administration 111; Routing 112; Firmware Upgrade 116; UPNP 117; APPENDIX A TROUBLESHOOTING 118; Overview 118; General Problems 118; Internet Access 118; APPENDIX B...

Page 5: ...1 using only a single external IP Address. The local (invalid) IP Addresses are hidden from external sources. This process is called NAT (Network Address Translation). DSL/Cable Modem Support: VRT-401 has a 1...

Page 6: ...ort Switching Hub: VRT-401 incorporates a 4-port 10/100BaseT switch, making it easy to create or extend your LAN. DHCP Server Support: Dynamic Host Configuration Protocol provides a dynamic IP address to...

Page 7: ...ailable. VRT-401 incorporates protection against DoS attacks to secure your network. Rule-based Policy Firewall: To provide additional protection against malicious packets, you can define your own firewa...

Page 8: ...ponding LAN port. Flashing: Data is being transmitted or received via the corresponding LAN port. 100: On, the corresponding LAN port is using 100BaseT; Off, the corresponding LAN port connection is using 10BaseT o...

Page 9: ...u Power On. 3. Keep holding the Reset Button for a few seconds, until the RED LED has flashed TWICE. 4. Release the Reset Button. VRT-401 is now using the factory default values. WAN port: 10/100BaseT Connect...

Page 10: ...nstallation Diagram. 1. Choose an Installation Site: Select a suitable place on the network to install VRT-401. Ensure VRT-401 and the DSL/Cable modem are powered OFF. 2. Connect LAN Cables: Use standard LAN...

Page 11: ...t. Please note the following points regarding the DMZ port: The DMZ port is a normal port, not an uplink port. PCs connected to the DMZ port are on the same LAN segment as PCs connected to the Hub ports. T...

Page 12: ...uired functions. To do this / Refer to: Configure PCs on your LAN - Chapter 4, PC Configuration. Check VRT-401 operation and Status - Chapter 5, Operation and Status. Use any of the following Internet features: Ad...

Page 13: ...must be installed and powered ON. If VRT-401's default IP Address (192.168.0.1) is already used by another device, the other device must be turned OFF until VRT-401 is allocated a new IP Address during c...

Page 14: ...your PC's IP address is not compatible with VRT-401's IP Address. See next item. If your PC is using a fixed IP Address, its IP Address must be within the range 192.168.0.2 to 192.168.0.254 to be compat...

Page 15: ...ess button to copy the MAC address from your PC to VRT-401. Common Connection Types - Cable Modems: Type / Details / ISP Data required. Dynamic IP Address: Your IP Address is allocated automatically when you c...

Page 16: ...ddress is allocated automatically when you connect to your ISP. Usually none. However, some ISPs may require you to use a particular Hostname, Domain name, or MAC (physical) address. Static (Fixed) IP Address...

Page 17: ...igation, Data Input: Use the menu bar on the top of the screen and the Back button on your Browser for navigation. Changing to another screen without clicking Save does NOT save any changes you may have...

Page 18: ...e same value as the PCs on that LAN segment. DHCP Server: If Enabled, VRT-401 will allocate IP Addresses to PCs (DHCP clients) on your LAN when they start up. The default and recommended value is Enabled. If...

Page 19: ...1 DHCP Server on your LAN. Using VRT-401's DHCP Server: This is the default setting. The DHCP Server settings are on the LAN screen. On this screen, you can Enable or Disable VRT-401's DHCP Server functio...

Page 20: ...d on each PC. TCP/IP Settings - Overview: If using default VRT-401 settings and the default Windows TCP/IP settings, no changes need to be made. By default, VRT-401 will act as a DHCP Server, automatically p...

Page 21: ...the following: Figure 9: IP Address (Win 95). Ensure your TCP/IP settings are correct, as follows. Using DHCP: To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windo...

Page 22: ...administrator can advise you of the IP Address they assigned to VRT-401. Figure 10: Gateway Tab (Win 95/98). On the DNS Configuration tab, ensure Enable DNS is selected. If the DNS Server Search Order list...

Page 23: ...ng TCP/IP Settings - Windows NT4.0: 1. Select Control Panel - Network, and on the Protocols tab, select the TCP/IP protocol, as shown below. Figure 12: Windows NT4.0 - TCP/IP. 2. Click the Properties button to see a...

Page 24: ...act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from VRT-401. Specify an IP Address: If your PC is already configured, check with your network administrator before making the foll...

Page 25: ...dows NT4.0 - Add Gateway. 2. The DNS should be set to the address provided by your ISP, as follows: Click the DNS tab. On the DNS screen, shown below, click the Add button under DNS Service Search Order, and en...

Page 26: ...VRT-401 User Manual, page 22. Figure 15: Windows NT4.0 - DNS...

Page 27: ...up Connection. 2. Right-click the Local Area Connection icon and select Properties. You should see a screen like the following: Figure 16: Network Configuration (Win 2000). 3. Select the TCP/IP protocol for y...

Page 28: ...ur PC to ensure it obtains an IP Address from VRT-401. Using a fixed IP Address (Use the following IP Address): If your PC is already configured, check with your network administrator before making the fol...

Page 29: ...nnection. 2. Right-click the Local Area Connection and choose Properties. You should see a screen like the following: Figure 18: Network Configuration (Windows XP). 3. Select the TCP/IP protocol for your netwo...

Page 30: ...ensure it obtains an IP Address from VRT-401. Using a fixed IP Address (Use the following IP Address): If your PC is already configured, check with your network administrator before making the following c...

Page 31: ...work and Internet Connections. 2. Select Set up or change your Internet Connection. 3. Select the Connection tab, and click the Setup button. 4. Cancel the pop-up Location Information screen. 5. Click Next on...

Page 32: ...s Fixed IP Address: By default, most Unix installations use a fixed IP Address. If you wish to continue using a fixed IP Address, make the following changes to your configuration: Set your Default Gateway...

Page 33: ...eives an incoming connection. Refer to Chapter 6, Internet Features, for further details. Applications that use non-standard connections or port numbers may be blocked by VRT-401's built-in firewall. You c...

Page 34: ...ask for the IP Address above. DHCP Server: This shows the status of the DHCP Server function, either Enabled or Disabled. For additional information about the PCs on your LAN, and the IP addresses allocate...

Page 35: ...is different to the hardware address seen by devices on the local LAN. IP Address: The IP Address of this device, as seen by Internet users. This address is allocated by your ISP (Internet Service Provide...

Page 36: ...on attempt. Connecting to remote server: Attempting to connect to the ISP's server. Remote Server located: The ISP's Server has responded to the connection attempt. Start PPP: Attempting to login to the ISP's Server an...

Page 37: ...rror: Invalid or unknown packet type. The data received from the ISP's Server could not be processed. This could be caused by data corruption (from a bad link), or by the Server using a protocol which is not...

Page 38: ...LAN. IP Address: The IP Address of this device, as seen by Internet users. This address is allocated by your ISP (Internet Service Provider). PPTP Status: This indicates whether or not the connection is curre...

Page 39: ...te the data on screen. Connection Status - Telstra Big Pond: An example screen is shown below. Figure 23: Telstra Big Pond Status Screen. Data - Telstra Big Pond Screen: Connection / Physical Address: The hardware...

Page 40: ...Connection Log shows status messages relating to the existing connection. The Clear Log button will restart the Log, while the Refresh button will update the messages shown on screen. Buttons: Connect: If...

Page 41: ...nctioning as a DHCP client. If Enabled, the Remaining lease time field indicates when the IP Address allocated by the DHCP Server will expire. The lease is automatically renewed on expiry; use the Renew b...

Page 42: ...s of this device, as seen by Internet users. This address is allocated by your ISP (Internet Service Provider). Network Mask: The Network Mask associated with the IP Address above. Default Gateway: The IP Add...

Page 43: ...n has no effect. If the ISP's DHCP Server has NOT allocated an IP Address for VRT-401, this button will say Renew. Clicking the Renew button will attempt to re-establish the connection and obtain an IP A...

Page 44: ...tures are provided: Advanced Internet (Communication Applications, Special Applications, DMZ, URL filter), Dynamic DNS, Virtual Servers, Options. Advanced Internet Screen: Figure 26: Internet Screen. This screen a...

Page 45: ...on the advanced menu. For each application listed above, you can choose a destination PC. There is no need to Save after each change; you can set the destination PC for each application, then click Save. Sp...

Page 46: ...or data you receive. Outgoing Ports - Type: Select the protocol (TCP or UDP) used when you send data to the remote system or service. Start: Enter the beginning of the range of port numbers used by the applic...

Page 47: ...the DMZ PC. The DMZ feature can be Enabled and Disabled on the Advanced Internet screen. The DMZ PC is effectively outside the Firewall, making it more vulnerable to attacks. For this reason, you should...

Page 48: ...will be empty. Add Filter String: To add an entry to the list, enter it here and click the Add button. An entry may be a Domain name (e.g. www.trash.com) or simply a string (e.g. ads). Any URL which contains ANY...

Page 49: ...ust register for the service at http://www.dyndns.org. Registration is free. Your password will be E-mailed to you. 2. After registration, use the Create New Host option at www.dyndns.org to request your de...

Page 50: ...the User name specified at the www.dyndns.org Web site when you registered. Password: Enter your current password for www.dyndns.org. Domain Name: Enter your domain name, as allocated at www.dyndns.org. The...

Page 51: ...net users to connect to your servers, as illustrated below. Figure 30: Virtual Servers. IP Address seen by Internet Users: Note that, in this illustration, both Internet users are connecting to the same IP...

Page 52: ...to the uplink port on the hub. Virtual Servers Screen: The Virtual Servers screen is reached by the Virtual Servers link on the Internet menu. An example screen is shown below. Figure 31: Virtual Servers...

Page 53: ...tp 203.70.212.52 / ftp 203.70.212.52. It is more convenient if you are using a Fixed IP Address from your ISP, rather than Dynamic. However, you can use the Dynamic DNS feature, described in the following se...

Page 54: ...f advised to do so by Technical Support. Enter a value between 1 and 1500. This device will still auto-negotiate with the remote server to set the MTU size. The smaller of the 2 values (auto-negotiated or...

Page 55: ...s, Logs, Security Options, Scheduling, Services. Admin Login: The Admin Login screen allows you to assign a user name and password to VRT-401. Figure 33: Admin Login Screen. 1. The default login name is admin. C...

Page 56: ...Figure 34: Password Dialog. Enter the User Name and Password you set on the Admin Login screen above...

Page 57: ...desired restrictions on the Default group. All PCs are in the Default group unless explicitly moved to another group. 2. Set the desired restrictions on the other groups (Group 1, Group 2, Group 3 and Group...

Page 58: ...ve group. Block all Internet access: All traffic via the WAN port is blocked. Use this to create the most restrictive group. Block selected Services: You can select which Services are to be blocked. Use this to...

Page 59: ...a sub-window where you can view the Access Control log. This log shows attempted Internet accesses which have been blocked by the Access Control feature. Clear Log: Click this to clear and restart the A...

Page 60: ...lt group. Access Control Log: To check the operation of the Access Control feature, an Access Control Log is provided. Click the View Log button on the Access Control screen to view this log. This log sho...

Page 61: ...Security Configuration...

Page 62: ...ific traffic. But incorrect configuration may cause serious problems. This feature is for advanced administrators only. Firewall Rules Screen: Click the Firewall Rules option on the Security menu to see a...

Page 63: ...To add a new rule, click the Add button and complete the resulting screen. See the following section for more details. Edit: To edit or modify an existing rule, select it and click the Edit button. Move: Th...

Page 64: ...ption. Source IP: These settings determine which traffic, based on its source IP address, is covered by this rule. Select the desired option. Any: All traffic from the source port is covered by this rule. S...

Page 65: ...P address and Finish IP address fields. You can ignore the Subnet Mask field. Subnet address: If this option is selected, enter the required mask in the Subnet Mask field. Services: Select the desired Serv...
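The Firewall Rules screen described on pages 62 to 65 gives each rule a Source IP definition (Any, a single address, a Start/Finish range, or an address plus Subnet Mask) and a Service, and the Move button sets the order because the first matching rule decides (the VPN policy list on page 78 follows the same first-match rule). The following Python is an added example, not code from the VRT-401 manual or from PLANET. It evaluates a rule list the way such a screen does and flags rules that an earlier, broader rule makes unreachable. The rule names, the addresses, the "allow" default when nothing matches, and the text encoding of the source field ("start-finish", "address/mask") are this example's own assumptions.

```python
"""Added example (not from the VRT-401 manual): first-match firewall rule
evaluation and a conservative shadowing check. Rules and packets below are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "block"
    source: str                 # "any" | "a.b.c.d" | "start-finish" | "a.b.c.d/mask"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None  # None matches every port of that protocol


def source_matches(spec: str, addr: str) -> bool:
    """Apply one of the four Source IP options to a packet's source address."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if "-" in spec:                      # Range: Start IP address .. Finish IP address
        start, finish = (ipaddress.ip_address(x) for x in spec.split("-", 1))
        return start <= ip <= finish
    if "/" in spec:                      # Subnet address plus Subnet Mask
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)   # Single address


def first_match(rules: List[Rule], src: str, proto: str, port: int) -> Optional[Rule]:
    """Walk the list in screen order; the first rule covering the packet wins."""
    for r in rules:
        if not source_matches(r.source, src):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r
    return None


def decide(rules: List[Rule], src: str, proto: str, port: int,
           default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule name). `default` is an assumption of this example;
    the manual does not state what happens when no rule matches."""
    r = first_match(rules, src, proto, port)
    return (r.action, r.name) if r else (default, "default")


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` matches is also matched by `outer`.
    Deliberately conservative: only wildcards and whole-field equality count."""
    return ((outer.source == "any" or outer.source == inner.source)
            and (outer.proto == "any" or outer.proto == inner.proto)
            and (outer.port is None or outer.port == inner.port))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


# Constructed rule sets: the same two rules in the wrong and the right order.
WRONG_ORDER = [
    Rule("block-all-ftp", "block", "any", "tcp", 21),
    Rule("allow-admin-ftp", "allow", "192.168.0.10", "tcp", 21),
]
RIGHT_ORDER = WRONG_ORDER[::-1]

if __name__ == "__main__":
    print(decide(WRONG_ORDER, "192.168.0.10", "tcp", 21))   # blocked: broad rule first
    print(decide(RIGHT_ORDER, "192.168.0.10", "tcp", 21))   # allowed: specific rule first
    print(shadowed_rules(WRONG_ORDER))                       # ['allow-admin-ftp']
```

Use the Move button on the screen the same way the two lists above differ: put the narrow exception before the broad rule, and treat any rule that `shadowed_rules` reports as either misplaced or dead configuration.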

Page 66: ...VRT-401 log data can also be E-mailed to your PC or sent to a Syslog Server. Figure 39: Logs Screen. Data - Logs Screen: Enable Logs / DoS Attacks: If enabled, this log will show details of DoS (Denial of Servi...

Page 67: ...ned by the Send setting. Send: Select the desired option for sending the log by E-mail. When log is full: The time is not fixed. The log will be sent when the log is full, which will depend on the volume o...

Page 68: ...Include: Select the logs you wish to be included...

Page 69: ...cannot use it; the service is unavailable. This device uses Stateful Inspection technology. This system can detect situations where individual TCP/IP packets are valid, but collectively they become a D...

Page 70: ...owed. If not checked, IPSec connections are blocked. Allow PPTP: PPTP (Point to Point Tunneling Protocol) is widely used by VPN (Virtual Private Networking) programs. If checked, PPTP connections are allowed. If...

Page 71: ...the time for a particular day is blank, no action will be performed. Define Schedule Screen: This screen is accessed by the Scheduling link on the Security menu. Figure 41: Define Schedule Screen. Data - Def...

Page 72: ...any Service you have added. Pre-defined Services cannot be deleted. Add New Service - Name: Enter a descriptive name to identify this service. Type: Select the protocol (TCP, UDP, ICMP) used to the remote syst...

Page 73: ...uttons: Delete: Delete the selected service from the list. Add: Add a new entry to the Service list, using the data shown in the Add New Service area on screen. Cancel: Clear the Add New Service area, ready f...

Page 74: ...wo SAs, one in each direction. If IKE (Internet Key Exchange) is used to generate and exchange keys, there are also SAs for the IKE connection as well as the IPsec connection. There are two security modes...

Page 75: ...and the first matching policy will be used. VPN Configuration: The general rule is that each endpoint must have matching Policies, as follows. Remote VPN address: Each VPN endpoint must be configured to i...

Page 76: ...e Router/Gateway requires no VPN configuration, since it is not acting as a VPN endpoint. Client PC to VPN Gateway: Figure 44: Client PC to VPN Server. In this situation, the PC must run appropriate VPN cli...

Page 77: ...t gain secure access to the remote LAN. The 2 LANs MUST use different IP address ranges. The VPN Policies at each end determine when a VPN tunnel will be established, and what systems on the remote LAN c...

Page 78: ...Note that the order of policies is important if you have more than one policy for particular traffic. In that case, the first matching policy for the traffic under consideration will be used. Data - VPN P...

Page 79: ...te of the selected policy. Copy: If you wish to create a policy which is similar to an existing policy, select the policy and click the Copy button. Remember that the new policy must have a different name...

Page 80: ...each remote VPN, only 1 policy can be enabled at any time. Remote VPN Endpoint: The Internet IP address of the remote VPN endpoint (Gateway or client). Dynamic: Select this if the Internet IP address is unkn...

Page 81: ...it would not be forwarded to the Gateway. Local IP addresses - Type: Any: no additional data is required; any IP address is acceptable. For outgoing connections, this allows any PC on the LAN to use the VPN...

Page 82: ...s in the Finish IP address field. Subnet address: enter the desired IP address in the Start IP address field, and the network mask in the Subnet Mask field. The remote VPN should have these IP addresses...

Page 83: ...ecurity for the payload data sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication. The 3DES algorithm provides greater security than DES, but is slower. The in...

Page 84: ...ion: Select the desired option. Initiator: Only outgoing connections will be created; incoming connection attempts will be rejected. Responder: Only incoming connections will be accepted. Outgoing traffic wh...

Page 85: ...ection for the hosts initiating the IPSec session, but takes slightly longer to complete. Aggressive Mode provides no identity protection, but is quicker. IKE SA Life Time: This setting does not have to ma...

Page 86: ...der, if used. AH is often NOT used. If you do enable it, ensure the algorithm selected matches the other VPN endpoint. ESP Encryption: ESP (Encapsulating Security Payload) provides security for the payload d...

Page 87: ...43 | 202.11.13.211 | Other endpoint's WAN (Internet) IP address. Local IP addresses: Any | Any | Use a more restrictive definition if possible. Remote IP addresses: 192.168.1.1 to 192.168.1.254 | 192.168.0.1 to 192.1...

Page 88: ...1 (768 bit) | Must match. IKE SA Life time: 28800 | 28800 | Does not have to match; the shorter period will be used. IKE PFS: Disable | Disable | Must match. IPSec SA Parameters - IPSec SA Life time: 28800 | 28800 | Does not hav...

Page 89: ...P addresses: Subnet address 192.168.0.0 / 255.255.255.0 | Allows access to the entire LAN. Use a more restrictive definition if possible. Remote IP addresses: 172.16.9.10 | For a single client, this is the same as t...

Page 90: ...tication: Enable, MD5 | Must match client PC. ESP encryption: Enable, DES | Must match client PC. Windows Client Configuration: 1. Select Start - Programs - Administrative Tools - Local Security Policy. 2. Right-click I...
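The example tables on pages 87 to 90 mark each policy parameter either "Must match" (Diffie-Hellman group, IKE PFS, the AH and ESP algorithms) or "Does not have to match; the shorter period will be used" (the IKE and IPSec SA lifetimes), and pages 75 to 82 add that each side's Remote VPN Endpoint is the other side's WAN address unless Dynamic, that the local and remote address definitions mirror each other, and that the two LANs MUST use different IP address ranges. The Python below is an added example, not code from the VRT-401 manual or from PLANET: it takes the two ends of a policy as dictionaries and reports every mismatch of those kinds before the tunnel is brought up. The dictionary keys, the pre-shared key field, the endpoint addresses (taken from documentation ranges) and the lifetimes are this example's own constructed values.

```python
"""Added example (not from the VRT-401 manual): consistency check for the two
ends of a gateway-to-gateway IPsec policy. Policies below are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Parameters the manual's tables mark "Must match" (the pre-shared key is added
# because the Windows client steps require the same string on both sides).
MUST_MATCH = ("dh_group", "ike_pfs", "ah_auth", "esp_auth", "esp_enc", "preshared_key")
# Parameters marked "Does not have to match; shorter period will be used".
SHORTER_WINS = ("ike_sa_lifetime", "ipsec_sa_lifetime")


def _net(spec: str) -> Optional[ipaddress.IPv4Network]:
    """'any' is a wildcard (None); 'address/mask' becomes a network."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def check_pair(a: Dict, b: Dict) -> Tuple[List[str], Dict[str, int]]:
    """Return (problems, effective lifetimes) for policies a and b."""
    problems: List[str] = []

    for f in MUST_MATCH:
        if a[f] != b[f]:
            problems.append(f"{f}: {a['name']}={a[f]!r} vs {b['name']}={b[f]!r}")

    for here, there in ((a, b), (b, a)):
        # Remote VPN Endpoint must be the peer's WAN address, unless Dynamic.
        if here["remote_endpoint"] not in ("dynamic", there["local_endpoint"]):
            problems.append(f"{here['name']}: remote endpoint {here['remote_endpoint']} "
                            f"is not {there['name']}'s WAN address {there['local_endpoint']}")
        # My 'Remote IP addresses' must be the peer's 'Local IP addresses'
        # (a wildcard on either side cannot be checked, so it is skipped).
        mine, theirs = _net(here["remote_net"]), _net(there["local_net"])
        if mine is not None and theirs is not None and mine != theirs:
            problems.append(f"{here['name']}: remote range {mine} is not "
                            f"{there['name']}'s local range {theirs}")

    # The 2 LANs MUST use different IP address ranges. Each LAN is known from
    # its own 'local' definition or, if that is Any, from the peer's 'remote'.
    lan_a = _net(a["local_net"]) or _net(b["remote_net"])
    lan_b = _net(b["local_net"]) or _net(a["remote_net"])
    if lan_a is not None and lan_b is not None and lan_a.overlaps(lan_b):
        problems.append(f"LAN ranges overlap: {lan_a} and {lan_b}")

    effective = {f: min(a[f], b[f]) for f in SHORTER_WINS}
    return problems, effective


# Constructed policies: endpoint addresses are from the 203.0.113.0/24 and
# 198.51.100.0/24 documentation ranges, not from any real deployment.
GATEWAY_A = dict(name="A", local_endpoint="203.0.113.10", remote_endpoint="198.51.100.20",
                 local_net="192.168.0.0/255.255.255.0", remote_net="192.168.1.0/255.255.255.0",
                 dh_group=1, ike_pfs=False, ah_auth=None, esp_auth="MD5", esp_enc="3DES",
                 preshared_key="example-psk", ike_sa_lifetime=28800, ipsec_sa_lifetime=28800)
GATEWAY_B = dict(name="B", local_endpoint="198.51.100.20", remote_endpoint="203.0.113.10",
                 local_net="192.168.1.0/255.255.255.0", remote_net="192.168.0.0/255.255.255.0",
                 dh_group=1, ike_pfs=False, ah_auth=None, esp_auth="MD5", esp_enc="3DES",
                 preshared_key="example-psk", ike_sa_lifetime=3600, ipsec_sa_lifetime=28800)

if __name__ == "__main__":
    print(check_pair(GATEWAY_A, GATEWAY_B))   # ([], {'ike_sa_lifetime': 3600, ...})
```

The tables on pages 88 and 90 use DES, MD5 and Diffie-Hellman group 1 (768 bit), the weakest options the device offers; step 35 of the Windows client section already selects SHA1, 3DES and the same group on the client side, so where the peer supports it, set the stronger algorithm pair on both ends and let this check confirm they still agree.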

Page 91: ...6. Deselect the Use Add Wizard checkbox, then click Add to view the screen below. Figure 57: IP Filter List. 7. Type To DUT for the name, then click Add to see a screen like the following. Since this is the...

Page 92: ...ress is My IP address, and the Destination IP address is the address range used on the remote LAN. Ensure the Mirrored option is checked. 9. Click OK to save your settings and close this dialog. Figure 59...

Page 93: ...Properties - Filter Action. 11. Select Require Security, then click the Edit button to view the Require Security Properties screen. Figure 61: Require Security Properties. 12. Select Negotiate security; this s...

Page 94: ...y Properties screen. Figure 63: Require Security Properties. 14. Ensure the following settings are correct, then click OK to return to the Filter Action tab of the Edit Rule Properties screen. VPN Setting / W...

Page 95: ...el Setting. 16. Click the Authentication Methods tab, then click Edit to see a screen like the example below. Figure 65: Authentication Method. 17. Select Use this string to protect the key exchange (pr...

Page 96: ...add the second (outgoing) rule, click Add. For the name, enter To Win2K, then click Add. Figure 67: Windows 2000/XP Client to VRT-401. 21. Enter the Source IP address and the Destination IP address as shown be...

Page 97: ...Figure 68: Filter Properties - Addressing. 22. Click OK to save your changes, then Close. Figure 69: Filter List. 23. Ensure the To Win2K filter is selected, then click the Filter Action tab...

Page 98: ...Action. 24. Select Require Security, then click Edit. On the Require Security Methods screen below, select Negotiate security. Figure 71: Security Methods. 25. Click the Add button. On the resulting Modify Secu...

Page 99: ...click OK again to return to the Filter Action screen. 27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (172.10.9.10 in this example). Figure 73: Tunnel Setting. 28. Select th...

Page 100: ...the key exchange (preshared key), then enter your preshared key in the field provided. 30. Click OK to save your settings, then Close to return to the DUT to Win2K Properties screen. There should now be 2...

Page 101: ...Figure 76: Properties - General Tab. 32. Click the Advanced button to see the screen below. Figure 77: Key Exchange Settings. 33. Click the Methods button to see the screen below...

Page 102: ...rithms. 35. Select SHA1 for Integrity Algorithm, 3DES for Encryption algorithm, and Low (1) for the Diffie-Hellman Group. 36. Click OK to save, then OK again, and then Close to return to the Local Security Set...

Page 103: ...81: VRT-401 to Windows 2000 Server. VRT-401 Configuration: This is the same as for the client setup earlier, with the exception of the IP address range for the remote endpoint. Setting | Single Client | Server...

Page 104: ...d for both IP Filters, the Filter Properties - Addressing should be completed as follows. Figure 82: Windows 2000 Server - Addressing. The Source Address should be set to A specific IP Subnet, and the IP addre...

Page 105: ...ssuer Name: The CA (Certification Authority) which issued the Certificate. Expiry Time: The date on which the Certificate expires. You should renew the Certificate before it expires. Delete button: Use this b...

Page 106: ...pload the certificate file to VRT-401. 6. Click Back to return to the Trusted Certificate list. The new Certificate will appear in the list. Adding a Self Certificate: This process is different to obtainin...

Page 107: ...the data displayed in the Certificate Details section is correct. This data is used to generate the Certificate request. If the data is not correct, click the Back button and correct the previous screen...

Page 108: ...necessary if using Certificates. CRL (Certificate Revocation List) files show Certificates which have been revoked and are no longer valid. Each CA issues its own CRLs. It is VERY IMPORTANT to keep your...

Page 109: ...locate the CRL file on your PC. Select the file. The name will appear in the File to Upload field. Click Upload to upload the CRL file to VRT-401. Click Back to return to the CRL list. The new CRL will app...

Page 110: ...re. PC Database: This is the list of PCs shown when you select the DMZ PC, Virtual Server, or Internet Application. This database is maintained automatically, but you can add and delete entries for PCs whi...

Page 111: ...CP Clients are automatically added to the database, and updated as required. By default, non-Server versions of Windows act as DHCP Clients; this setting is called Obtain an IP Address automatically. VRT-4...

Page 112: ...ected, or not powered On), you will not be able to add it. Buttons: Add: This will add the new PC to the list. The PC will be sent a ping to determine its hardware address. If the PC is not available (not conn...

Page 113: ...e control than the standard PC Database screen. Figure 91: PC Database (Admin). Data - PC Database (Admin) Screen: Known PCs: This lists all current entries. Data displayed is name, IP Address, type. The type indica...

Page 114: ...e VRT-401 contact the PC and find its MAC address. This is only possible if the PC is connected to the LAN and powered On. MAC is: Enter the MAC address of the PC. The MAC address is also called the Hardw...

Page 115: ...re will prevent the use of a Web Virtual Server on your LAN. See Advanced Internet - Virtual Servers. Current IP Address: You must use this IP Address to connect (see below). This IP Address is allocated by y...

Page 116: ...he following Windows 2000 settings are correct. Open Routing and Remote Access. In the console tree, select Routing and Remote Access, [server name], IP Routing, RIP. In the Details pane, right-click the interf...

Page 117: ...rmation Protocol) feature of VRT-401. VRT-401 supports RIP-1 only. Static Routing - Static Routing Table Entries: This list shows all entries in the Routing Table. The Properties area shows details of the se...

Page 118: ...pdate: Update the current Static Routing Table entry, using the data shown in the Properties area on screen. Delete: Delete the current Static Routing Table entry. Clear Form: Clear all data from the Proper...

Page 119: ...the Gateway IP Address is the address of the intermediate router. Static Routing Example: Figure 94: Routing Example. For VRT-401's Routing Table: For the LAN shown above, with 2 routers and 3 LAN segments...
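The Static Routing screen on pages 117 to 119 holds entries of destination, network mask and gateway, where the gateway is the intermediate router, and the example in Figure 94 has two such routers and three LAN segments. The following Python is an added example, not code from the VRT-401 manual or from PLANET: it resolves a destination against such a table with longest-prefix matching (directly connected networks first, the default route last) and applies the check the page implies but does not spell out, that every gateway must sit on a directly connected segment or the router has no way to hand the packet to it. The three-segment topology, the interface names and all addresses are constructed for this example and are not the figure's values.

```python
"""Added example (not from the VRT-401 manual): static route lookup and a
gateway reachability check. Topology and addresses are constructed."""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Directly connected networks of the router: (network, interface). Constructed.
CONNECTED: List[Tuple[Net, str]] = [
    (ipaddress.ip_network("192.168.0.0/24"), "LAN"),
    (ipaddress.ip_network("203.0.113.0/30"), "WAN"),
]

# Static entries as typed on the screen: (destination, network mask, gateway).
# Two intermediate routers on the LAN each reach one further segment.
STATIC_ROUTES = [
    ("192.168.1.0", "255.255.255.0", "192.168.0.254"),   # via Router 1
    ("192.168.2.0", "255.255.255.0", "192.168.0.253"),   # via Router 2
]

# Default route learned from the ISP on the WAN side. Constructed.
DEFAULT_GATEWAY = "203.0.113.1"


def interface_for(ip) -> Optional[str]:
    """Interface whose connected network contains ip, or None."""
    ip = ipaddress.ip_address(ip)
    for net, ifname in CONNECTED:
        if ip in net:
            return ifname
    return None


def build_table(static=STATIC_ROUTES, default=DEFAULT_GATEWAY) -> List[Tuple[Net, Addr]]:
    """Turn screen entries into (network, gateway) pairs plus the default route."""
    table = [(ipaddress.ip_network(f"{dest}/{mask}", strict=False), ipaddress.ip_address(gw))
             for dest, mask, gw in static]
    table.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(default)))
    return table


def invalid_gateways(table) -> List[str]:
    """Destinations whose gateway is not on any directly connected segment."""
    return [str(net) for net, gw in table if interface_for(gw) is None]


def next_hop(dst: str, table=None) -> Tuple[Optional[str], Optional[str]]:
    """Return (gateway, interface); gateway is None for direct delivery."""
    table = table if table is not None else build_table()
    ip = ipaddress.ip_address(dst)
    direct = interface_for(ip)
    if direct:
        return (None, direct)
    # Longest prefix wins; the /0 default only when nothing more specific fits.
    best = max((e for e in table if ip in e[0]), key=lambda e: e[0].prefixlen, default=None)
    if best is None:
        return (None, None)
    gw = best[1]
    return (str(gw), interface_for(gw))


if __name__ == "__main__":
    table = build_table()
    print(invalid_gateways(table))            # [] : every gateway is reachable
    print(next_hop("192.168.1.7", table))     # ('192.168.0.254', 'LAN')
    print(next_hop("198.51.100.9", table))    # ('203.0.113.1', 'WAN')
```

Run `invalid_gateways` against the table before saving it on the router: an entry it reports will be accepted by the screen but can never forward traffic, and the symptom (unreachable segment) looks the same as a missing route.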

Page 120: ...ct Upgrade on the Other menu. You will see a screen like the following: Figure 95: Upgrade Firmware Screen. To perform the Firmware Upgrade: 1. Click the Browse button and navigate to the location of the up...

Page 121: ...then UPnP users can change the configuration. If Disabled, UPnP users can only view the configuration. But currently, this restriction only applies to users running Windows XP who access the Properties v...

Page 122: ...68.0.254, and thus compatible with VRT-401's default IP Address of 192.168.0.1. Also, the Network Mask should be set to 255.255.255.0 to match VRT-401. In Windows, you can check these settings by using Con...

Page 123: ...t. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this does not solve the problem, you can use the DMZ function. This should work with almos...

Page 124: ...the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful...

Page 125: ...t 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interfere...
