background image

SIEMENS 5890 DSL Router
User’s Guide

Chapter 6  Security Setup

IKE/IPSec Configuration

SIEMENS

84

IKE IPSec Proposals Definition

IKE IPSec Proposals specify how packets will be encrypted/authenticated for the final SA. IPSec uses SAs 
(Security Associations) for making connections between two devices. An SA is an instance of a security policy 
and keying material applied to a data flow. SAs are negotiated between the two connection endpoints and 
contain information on sequence numbering.

An IPSec SA is unidirectional, applying to only one direction of data flow, so a set of SAs is needed for a 
secure connection. For each security protocol used, one SA is needed for each direction (inbound and 
outbound).  

An IPSec connection uses a security protocol (AH or ESP) that authenticates the sender of each data packet.  
Usually, only one security protocol is used for a connection, so the connection would use two SAs (one 
inbound and one outbound). However, it is possible for the same connection to be configured to use both the 
ESP and the AH protocol. In this case, four SAs would be required (one inbound and one outbound for the AH 
protocol, and one inbound and one outbound for the ESP protocol. 

To define a new IKE IPSec proposal:

1. Click 

Create

 next to IKE IPSec Proposals from the Advanced IKE/IPSec Setup page. This displays the IKE 

IPSec Proposal Definition page.

2. In 

IPSec Proposal Name

,

 

enter the logical name for the IKE IPSec Proposal Definition. This name is of no 

importance to the remote IKE peer.

Содержание 5890

Страница 1: ...Part No 107 5890 001 SIEMENS Business Class 5890 DSL Router User s Guide ...

Страница 2: ...iber Networks warrants that the Hardware will be free from defects in materials and workmanship and will perform substantially in compliance with the user documentation relating to the Hardware for a period of one year from the date the original end user received the Hardware 2 Software Siemens Subscriber Networks warrants that the Software will perform substantially in compliance with the end use...

Страница 3: ...r authorizes any authorized service center or any other person or entity to assume for it any other obligation or liability beyond that which is expressly provided for in this Limited Warranty including the provider or seller of any extended warranty or service agreement The Limited Warranty period for Siemens Subscriber Networks supplied attachments and accessories is specifically defined within ...

Страница 4: ...rvices Quality of Service provisioning 3 Dial Backup 3 Routing 3 3 IP Address Translation 3 3 ATM 4 Frame Relay 4 PPP RFC 1661 RFC 2364 4 Security 4 Chapter 2 Installation Installation Requirements 5 Package Contents 5 PC Requirements 5 Network Service Provider Requirements 6 Hardware Installation 7 PC Configuration 8 Windows 98 ME 8 Windows NT 4 9 Windows 2000 10 Windows XP 11 Mac OS 9 x 12 Mac O...

Страница 5: ... User Account 31 User Lookup 32 Secure Mode Configuration 33 Configure the Radius Server 34 Configure the TacPlus Server 35 Management Classes 36 Change Password 37 Access Control 38 Chapter 5 Advanced Setup WAN Selection 40 Remote File Configuration 41 DMZ 42 Router Clock 44 DHCP 45 QoS 47 Differentiated Services Framework 47 Weighted Fair Queuing 47 Configure QoS Policy 49 Reorder QoS Policies 5...

Страница 6: ...ules 78 IKE IPSec Configuration 79 Easy IKE IPSec Setup 80 Advanced IKE IPSec Setup 81 VPN Log On 88 Chapter 7 Monitoring Router System Summary 89 Ethernet Interface Information 90 Remote Connection Information 90 IP Routing Information 91 System Information 91 Diagnostics 92 PPPoE Session 92 Interface Information 93 ATM Statistics 93 Routing Table Information 94 Files Information 94 Memory Usage ...

Страница 7: ...er is shut down Link Yellow Green Off Establishing DSL modem link DSL modem link successful DSL modem link is shut down WAN Green flashing Off WAN traffic detected No current WAN traffic LANT Green flashing Off Transmit traffic detected No current transmit traffic LANR Green flashing Off Receive traffic detected No current receive traffic Connection Function Power Turns power on and off 12VDC 1A M...

Страница 8: ...8 to 95 non condensing Power Requirements US NA 120VAC 60Hz 20W ROW 100 240VAC 50 60Hz 1A Processor MPC859T LAN Interface Built in 5 port 10 100 Base T Ethernet switch with link status LED for each port Auto detect full or half duplex operation Auto detect regular or crossover cable for easy connection to a switch or hub Ports configured individually Port mirroring WAN Interface G SHDSL 2 wire SDS...

Страница 9: ...ackup Failover to external V 90 via console port Web Management Interface User selectable fail restore criteria Optional modem connector DB9 or DB25 Supports L2TP and IPSec tunnel failover Routing TCP IP with RIP1 RFC 1058 RIP1 compatible and RIP2 RFC 1389 or static routing on the LAN or WAN Novell IPX with RIP SAP RFC 1552 DHCP client RFC 2132 DHCP server Automatic assignment of IP address mask d...

Страница 10: ...ion of up to 4 1 STAC LZS RFC 1974 Van Jacobsen header compression RFC 1144 Spoofing and filtering IP RIP IPX RIP SAP Watchdog serialization Automatic IP and DNS assignment RFC 1877 PPP over Ethernet RFC 2516 PPP over ATM RFC 2364 Bridging RFC 1638 IP Routing RFC 1331 IPX Routing RFC 1552 Multiclass extensions to MLPPP RFC 2686 MLPPP RFC 1990 Security Role based management User authentication PAP ...

Страница 11: ...asic PC requirements and have the necessary information from your network Service Provider Package Contents Your package should contain the items listed below If you determine anything to be damaged or missing please contact the dealer from whom the equipment was purchased One Siemens 5890 router One Siemens Documentation CD ROM One AC power cord One RJ 45 Ethernet cable red label One RJ 45 Ethern...

Страница 12: ... Service Provider will provide you with information to configure your router s WAN connection Depending upon the type of service that you ordered you will need some of the items from the following list Contact your Network Service Provider for specific details on the items you should receive DNS address One or more IP addresses and a subnet mask ...

Страница 13: ...net adapter documentation for complete installation instructions Once you verify installation of an Ethernet adapter perform the following procedure to connect the router to your computer To set up the harware connections 1 With the PC powered off connect the Ethernet cable to an Ethernet port on the router 2 Connect the other end of the Ethernet cable to the Ethernet port on the PC 3 Connect your...

Страница 14: ...ect the Operating System installed on the PC connected to the router from the list below and follow the associated procedure Windows 98 ME 1 Click Start Control Panel Network This displays the Configuration tab on the Network window 2 Select TCP IP protocol for your network card 3 Click Properties This displays the TCP IP Properties window 4 Click the IP Address tab 5 Ensure that the Obtain an IP ...

Страница 15: ...ork window 2 Click the Protocols tab 3 Select TCP IP Protocol from the Network Protocols list 4 Click Properties This displays the Microsoft TCP IP Properties window 5 Click the IP Address tab 6 On the IP Address tab select Obtain an IP address from a DHCP server 7 Click OK to close each dialog 8 Restart the PC to ensure it obtains an IP address from the router 9 Configure the router ...

Страница 16: ...ht click Local Area Connections and select Properties This displays the Local Area Connections Properties window 4 Select Internet Protocol TCP IP from the list of components 5 Click Properties This displays the Internet Protocol TCP IP Properties window 6 Ensure that the Obtain an IP address automatically and Obtain DNS server address automatically options are selected 7 Click OK to close each di...

Страница 17: ...ion window 3 Right click Local Area Connection then click Properties This displays the Local Area Connection Properties window 4 Select Internet Protocol TCP IP 5 Click Properties This displays the Internet Protocol TCP IP Properties window 6 Ensure the Obtain an IP address automatically and Obtain DNS server address automatically options are selected 7 Restart the PC to ensure it obtains an IP ad...

Страница 18: ...trol Panels TCP IP This displays the TCP IP Control Panel window 2 Select Ethernet from the Connect via drop down menu 3 Select Using DHCP Server from the Configure drop down menu 4 Complete the fields shown with any information supplied by your service provider 5 Close window and save changes 6 Configure the router ...

Страница 19: ...ences window 2 Double click the Network icon under the Internet Network section This displays the Network window 3 Select Ethernet from the Connect via drop down menu 4 Select Using DHCP Server from the Configure drop down menu 5 Enter any information supplied by your service provider 6 Click Apply Now to save and exit the Network window 7 Configure the router ...

Страница 20: ...g window 2 Click the Adaptor tab 3 Enter any information specified by your service provider in the fields under the appropriate Adapter tab 4 When settings are completed click Accept This displays the Status of the system tab 5 To update the system status ensure that the Activate the changes button is highlighted then click Act Changes 6 Configure the router ...

Страница 21: ...Interface is accessible through most HTML browsers though Internet Explorer 4 0 or Netscape 4 0 and higher are recommended Refer to the Technical Reference Guide for details on managing the router through the CLI Establish Connection To establish a connection from your computer to the router through your Web browser 1 Open your Internet Explorer or Netscape Navigator Web browser 2 In the Address b...

Страница 22: ...entifier DLCI WAN protocol and WAN network settings In the left navigation pane of this page there are configuration diagnostic and status and statistic options for the router In this document these features are grouped according to User Access Control Advanced Router Functions Security and Monitoring Health and Status Use the table below to locate detailed instructions for the desired function To...

Страница 23: ...nd you will need to begin again Select Protocol When you click Easy Setup in the left navigation pane of the Router Information page the WAN Interface page is displayed This page is used to enter and review information about Wide Area Network WAN settings To configure the WAN interface 1 In Data PVC enter the ATM Permanent Virtual Circuit PVC information VPI VCI 2 From the Wan Protocol list select...

Страница 24: ...lowing PPP Networking options Bridging Enabled Forward all traffic for remote hosts that is not routed to the WAN non IP If bridging is enabled you can optionally select Only bridge PPPoE traffic If selected only PPPoE traffic is bridged all other traffic is stopped 3 IP Routing Enabled Route all IP traffic to remote hosts 4 If you enabled IP routing select one of the following methods for configu...

Страница 25: ...iple workstations on your LAN to share a single public IP address All outgoing traffic appears to originate from the router s IP address Block Net BIOS Traffic NetBIOS is a PC networking protocol that can keep network connections open inadvertently To avoid excess connection charges such traffic should be blocked on any metered network service 6 Click Next This displays the Dynamic Host Configurat...

Страница 26: ...he following PPP Networking options Bridging Enabled Forward all traffic for remote hosts that is not routed to the WAN non IP If bridging is enabled you can optionally select Only bridge PPPoE traffic If selected only PPPoE traffic is bridged all other traffic is stopped 3 IP Routing Enabled Route all IP traffic to remote hosts 4 If you enabled IP routing select one of the following methods for c...

Страница 27: ...iple workstations on your LAN to share a single public IP address All outgoing traffic appears to originate from the router s IP address Block Net BIOS Traffic NetBIOS is a PC networking protocol that can keep network connections open inadvertently To avoid excess connection charges such traffic should be blocked on any metered network service 6 Click Next This displays the Dynamic Host Configurat...

Страница 28: ...ust specify how to obtain an IP address and subnet mask This can be one of the following Obtain configuration automatically from Wan using DHCP to have an IP address assigned automatically using DHCP Configure IP Routing manually to assign IP addresses manually If you select this option you must specify an IP Address and Subnet Mask in the appropriate fields 2 If you enabled IP routing optionally ...

Страница 29: ...w to obtain an IP address and subnet mask This can be one of the following Obtain configuration automatically from Wan using DHCP to have an IP address assigned automatically using DHCP Configure IP Routing manually to assign IP addresses manually If you select this option you must specify an IP Address and Subnet Mask in the appropriate fields 2 If you enabled IP routing optionally select one or ...

Страница 30: ...sing PPPoE protocol 2 In Service Name enter the domain name of your network service provider Use as a default for all services 3 In PPPoE Timer enter the number of seconds of inactivity that must elapse before the PPP connection closes This helps to limit connection charges from your service provider during times of inactivity The default entry of permanent will keep the PPP connection open consta...

Страница 31: ...ss and subnet mask This can be one of the following Obtain configuration automatically from Wan using DHCP to have an IP address assigned automatically using DHCP Configure IP Routing manually to assign IP addresses manually If you select this option you must specify an IP Address Subnet Mask and Default Gateway in the appropriate fields Default Gateway assigns the IP address of the next hop route...

Страница 32: ...from Wan using DHCP to have an IP address assigned automatically using DHCP Configure IP Routing manually to assign IP addresses manually If you select this option you must specify an IP Address and Subnet Mask in the appropriate fields 2 If you enabled IP routing optionally select one or more of the following NAT Enabled Network Address Translation NAT allows multiple workstations on your LAN to ...

Страница 33: ...e Domain Name Service Obtain DNS information automatically The DNS server address will be learned when DHCP client requests are placed over the WAN link Configure DNS manually Define DNS server address manually from information you get from your service provider If you select this option provide the following information Domain Name The router s DNS domain name as assigned by your service provider...

Страница 34: ...l Area Network 1 In IP Address enter the network address of the router This address must be globally unique unless NAT has been enabled 2 In Subnet Mask enter the subnet mask to use along with the IP address to determine if specific LAN IP traffic should be forwarded to the WAN 3 Click Save and Reboot The router will reboot with the new configuration settings On completion of the reboot process yo...

Страница 35: ...figure the Radius Server and configure the Tacplus Server Click Home at anytime to return to the Router Information page To access one of these options click its link on the User Management page Use the table below to locate detailed instructions for the desired function User Management Manage user accounts Change Password Change user password Access Control Configure remote access to the router c...

Страница 36: ... following to assign privileges to this user account Select one of the buttons at the top of this page to automatically assign pre set privileges to the user based on common user roles Refer to Management Classes for details on the privileges automatically assigned to each role Manually select the management activity you want to assign to this user account For each management activity class click ...

Страница 37: ...User Management SIEMENS 31 Deleting A User Account To delete a user account 1 Select the name of the account you want to delete in the Select User list on the User Management page then click Delete User 2 When prompted click OK to confirm the account deletion ...

Страница 38: ...y users if you desire If you specify both a primary and secondary database and the user is not found in the primary database the secondary database is searched To configure where user s are authenticated identified 1 Click User Lookup Config on the left navigation pane of the User Management page This displays the User Lookup Configuration page 2 Specify one of the following databases for Primary ...

Страница 39: ...displays the Secure Mode Configuration page 2 Do one of the following for Secure Mode Click the box next to Enabled so a check mark appears This enables secure mode Click the box next to Enabled so there is no check mark This disables secure mode 3 If you enabled secure mode select one of the following for LAN Interface and WAN Interface Trusted A trusted interface does not have to come over an en...

Страница 40: ...rd is hidden using a method based on the RSA Message Digest Algorithm MD5 3 The access request is submitted to the RADIUS server via the network If no response is returned within a length of time the request is re sent a specified number of times The router s RADIUS client can also forward requests to a secondary server in the event that the primary server is down or unreachable Once the RADIUS se...

Страница 41: ... Server Configuration page 2 In Timeout enter the number of seconds to between retry attempts when the Tacplus Server cannot be reached 3 In Retry enter the number of times the Tacplus Server should be contacted before attempting to connect to the secondary server 4 In CACHE Timeout enter the number of seconds that must pass before the user must be authenticated again 5 For Primary and optionally ...

Страница 42: ...pre defined templates that group multiple management classes for a logically defined user type When using the template method Access privileges for WAN LAN and Console are granted by default The following table lists the privileges given to each logically defined user type Super User Mgmt Class read Network System Admin Voice Security Debug Mgmt Class write Network System Admin Voice Security Debu...

Страница 43: ...hanged from the Change Password page To change a user password 1 Click Change Password from the left navigation pane on the Router Information page This displays the Change Password page 2 Enter the new password for the Current User in Enter New Password and New Password again boxes 3 Click Apply to save the new password ...

Страница 44: ...he box next to the method specifies enabled If disabled any access restriction specification is disregarded Telnet Web SNMP 3 For each remote access method selected specify any access restrictions This can be one of the following No access restrictions Remote access method is enabled and not restricted This setting allows access from all hosts Allowed from LAN Limits access to the host from the LA...

Страница 45: ...nfigure QoS which actively manages network resources to sustain service levels for priority applications Routing Table Configuration Configure multiple routing tables for a single host Dial Backup Enable a backup connection to the Internet through an internal V 90 model 5835 only or an external asynchronous modem connected to the Console port ATM Define the level of service for each configured int...

Страница 46: ...ATM or SDSL Frame Relay Be sure to select the DSLAM from the DSLAM drop down menu and the Speed from the Speed drop down menu This can be one of the following Rate You must select a speed in the Rate drop down menu List The rate is selected from the list based on successful connection If one rate is unsuccessful the next rate will be tried and so on until a rate is successful Auto Automode if supp...

Страница 47: ...u wish to assign to the remote connection Typically this is internet for the main connection basic for the PPPoE connection and backup for dial backup connection Spaces are not allowed in the remote name 4 Select the protocol that supports this remote connection from the Protocol drop down menu 5 Enter a PPP User Name and PPP Password These are required for authentication when the remote connectio...

Страница 48: ...ou require this special level of unrestricted access as it leaves your router and network exposed to the Internet with no firewall protection To configure DMZ 1 Click DMZ on the left navigation pane of the Router Information page This displays the DMZ Configuration page 2 Select enable or disable to enable or disable DMZ Port 3 If you selected enable enter the IP Address and Subnet Mask of the DMZ...

Страница 49: ...t a list of network clients that are currently leasing their IP addresses from the pool are shown in Current DHCP Leases List From left to right the following information is presented for each client Client IP The leased IP address assigned to the specific client State Whether the IP address is enabled or disabled Host Name Name of the host leasing the specific IP address Expires mm dd yy Date whe...

Страница 50: ...current date and time on the router 1 Click Router Clock on the left navigation pane of the Router Information page This displays the Current Date and Time page 2 The current date and time from your PC are displayed in the field labeled Current Date and Time To synchronize the date and time on your router with the current date and time displayed click Synchronize Router Clock ...

Страница 51: ... as Windows NT servers If one is detected or if a DHCP server on the WAN has been explicitly specified the router s DHCP server disables itself As a DHCP client by requesting that an IP address be assigned to the WAN side port of the router As a relay by passing through client requests from the LAN side onto the WAN asking for IP address assignment and relaying responses back to the appropriate cl...

Страница 52: ...ess 5 Click Apply Note that a list of network clients that are currently leasing their IP addresses from the pool are shown in Current DHCP Leases List From left to right the following information is presented for each client Client IP The leased IP address assigned to the specific client State Whether the IP address is enabled or disabled Host Name Name of the host leasing the specific IP address...

Страница 53: ...il streaming video voice according to defined policies DiffServ is suited to Metropolitan Area Networks or private networks where control over the infrastructure is guaranteed and differentiated services can be deployed end to end To employ DiffServ each packet of data is tagged with a six bit pattern known as the DiffServ CodePoint DSCP replacing the three IP precedence bits in the ToS byte of th...

Страница 54: ...ws the current settings as well as provides a means to change the current settings 2 Select one of the following from QoS Status to enable or disable QoS On QoS will forward packets and set diffserv marking based on user defined mapping rules and enabled QoS policies Off QoS will forward packets based on pre defined mapping rules and enabled QoS policies 3 To enable or disable marking of the Diffe...

Страница 55: ...on pane of the QoS Configuration page This displays the QoS Policy Setting page 2 Click Create This expands the QoS Policy Setting page To modify or delete an existing policy select the policy in the IP Policy List drop down menu and click Modify or Delete 3 In Policy Name enter a unique name to identify the policy 4 In Status select Enable or Disable to enable or disable the QoS policy Disabled t...

Страница 56: ... checking 9 In Destination Port select one of the following From To Enter the destination port or range of destination ports to match in the destination port check From the drop down menu select the application to match in the destination port check Do not care Disables destination port checking 10 From the Priority drop down menu select the priority to place on this policy if match criteria is me...

Страница 57: ...rop down menu and click Move This expands the QoS Policy Setting page 2 To specify the new location select one of the following to the end Moves the policy to the end of the policy list before policy Select the name of the policy where you want to move the Policy in the policy name drop down menu The policy will be moved to the location immediately preceding the policy specified in before policy 3...

Страница 58: ...address is 192 168 254 10 it checks if that address is within the address range defined for a virtual routing table If it is the virtual routing table is used to route the packet If it is not the default routing table is used instead To configure additional routing tables 1 Click Routing Table Configuration on the left navigation pane of the Router Information page This displays the Routing Table ...

Страница 59: ...to the console port This backup connection can be activated in the event of WAN service interruption During an interruption to the WAN interface connection the router will use the dial backup modem connection while waiting for WAN service to be restored Once the WAN link is active again Dial Backup will automatically switch back to the WAN service This feature may also be useful for a customer who...

Страница 60: ...rface To configure Traffic Shaping 1 Select Traffic Shaping or ATM Traffic Shaping from the left navigation pane of the Router Information page This displays the ATM Traffic Shaping Configuration page 2 Select the interface you want to configure from the Please select an interface drop down menu 3 Click Select This displays another form on the ATM Traffic Shaping Configuration page for the selecte...

Страница 61: ...Variable Bit Rate Used for bursty applications that require service guarantees from the network VBR rt connections are characterized in terms of a Peak Cell Rate Sustained Cell Rate and a Maximum Burst Size Frame Relay traffic can also use VBR nrt Unspecified Bit Rate Used for non real time bursty applications that are tolerant of delay and loss UBR service does not specify service guarantees and ...

Страница 62: ...beling is provided for port identification To manage the switches using the web interface click Switch Management on the left navigation pane of the Router Information page This displays the Switch Status page The Switch Status page provides a graphical representation of the switch port information including connection speed mode and port status and provides links to switch management pages to per...

Страница 63: ...monitoring switch performance When configuring port mirroring you must specify both the port or ports to monitor and the port that will mirror the traffic on the monitored ports To configure port traffic mirroring 1 Click Mirror Capture Configuration from the left navigation pane of the Switch Status page This displays the Switch Mirror Configuration page 2 Under Mirror Port select one or more of ...

Страница 64: ... use to transmit the message to its destination Entries remain in the MAC address table based on the switch age time When the age time expires the port MAC address entry is removed from the switch s MAC address table To configure Switch Age Time 1 Click Aging Time Configuration from the left navigation pane of the Switch Status page This displays the Switch Aging Time Configuration page 2 In Aging...

Страница 65: ...enter CLI commands Refer to the Command Line Interface Guide for available commands To execute a CLI command from the web interface 1 Click Command Line Interface on the left navigation pane of the Router Information window This displays the Execute a CLI command page 2 In the field provided enter the desired command 3 Click Execute The response will be displayed in the Output Window ...

Страница 66: ...left navigation pane of the Router Information window This displays the File Editor page with a list of stored files in the left navigation pane 2 Do one of the following To create a new file enter file text in the editing window and the name of the file in File name using filename txt format then click Save To edit an existing file click the file you want to edit on the left navigation pane This ...

Страница 67: ...nt and a management agent Secure Shell Secure Shell SSH secures network services over an insecure network such as the public Internet Firewall Scripts Secures network and data communications with built in firewall capabilities A firewall is any combination of hardware and software that secures a network and traffic on the network to prevent interception or intrusion Stateful Firewall An IP filteri...

Страница 68: ...reate a NAT table that does the global to local and local to global IP address mapping To confiugre NAT 1 Click NAT on the left navigation pane of the Router Information page This displays the NAT Configuration page 2 In the NAT Passthrough section of this page select Enable or Disable to specify whether or not multiple VPN clients are allowed Enabled multiple VPN clients are allowed disabled only...

Страница 69: ... you are configuring 3 To configure NAT using Easy Setup Select the service you want to configure from the Service drop down menu In IP Address specify the IP address of the local machine Click Add This configures NAT to support the most common network services 4 To configure NAT using Advanced Setup Select a protocol from the Protocol drop down menu Specify a First Port to assign a port number fo...

Страница 70: ...of LAN IP addresses to WAN IP addresses click NAT Host Mapping from the left navigation pane This displays the NAT Host Settings page 2 Select the interface you are configuring from the Interface drop down menu 3 In Beginning LAN IP enter first IP address to map 4 In Ending LAN IP enter last IP address to map 5 In Beginning WAN IP enter first WAN IP address to map to the LAN IP addresses The syste...

Страница 71: ...ection programs management clients Management clients issue requests for management operations on behalf of an administrator or application and receive traps from management agents as well refer to SNMP Configuration Parameters for more details To configure SNMP 1 Click SNMP on the left navigation pane of the Router Information Page This displays the SNMP Configuration page 2 In Community String e...

Страница 72: ...outer You can specify up to four trap managers 7 Click Apply 8 Configure SNMP IP Filter and SNMP Password SNMP IP Filter Activating an IP Filter range will limit SNMP requests to only those that originate from the designated addresses or LAN To activate IP filtering 1 Click SNMP IP Filter from the SNMP Configuration page This displays the SNMP IP Filter Configuration page The current IP filter ran...

Страница 73: ...d An SNMP password is used to authenticate an SNMP Manager Once authenticated SNMP set requests will be performed To set the SNMP Password 1 Click SNMP Password from the SNMP Configuration page This displays the SNMP Password page 2 Enter the New Password and New Password again 3 Click Apply ...

Страница 74: ...te host sends out packets that pretend to come from another trusted host SSH also protects against spoofing on the local network when attempting to deceive posing as the router to the outside IP source routing where a host can pretend that an IP packet comes from another trusted host DNS spoofing where an attacker forges name server records Interception of clear text passwords and other data by in...

Страница 75: ...pe is realized and the client adheres to the server encryption mode If the encryption method is not supported on the client side the connection will fail 4 For MAC select the type of Message Authentication Code to use for the SSH connection 5 For Port select one of the following to specify the port that the SSH server listens on Default Sets the SSH port to the default port of 22 Disable Disables ...

Страница 76: ...e Refer to the section title Key Generator for details on generating the key pair on the router To load the key pair from a source file 1 Click Load Keys on the left navigation pane of the Secure Shell SSH Configuration List page This displays the Load Private and Public Keys from file page 2 Do one of the following Select Public key to load a public key from a file Select Private key to load a pr...

Страница 77: ...omplete When started the user will be redirected to a status page that is refreshed every 60 seconds The status page indicates whether the task is running When the task is no longer running results are displayed Once the task is started you can close this page and the Keygen function will continue You can reopen it anytime by clicking Key Generator Status on the left navigation pane of the Secure ...

Страница 78: ...architecture and requirements of their network Siemens Subscriber Networks cannot be liable for security violations due to inadequate or incorrect firewall configurations To load a firewall script perform the following 1 Click Firewall Scripts on the left navigation pane of the Router Information page This displays the Run a Firewall Script page 2 Select the desired Firewall Strength This can be o...

Страница 79: ... router consists of a set of rules that are examined each time a packet is transmitted or received from the public network It examines the packet s header information and matches it against a set of defined rules If it finds a match the corresponding action is performed If not the packet is accepted The IP filtering firewall provides an adequate level of security but is limited in that it does not...

Страница 80: ...ropped before a message is logged to the console The default value is 200 packets per second 5 In UDP Packet Threshold Setting specify the number of UDP Packets per second that can be received When this number is exceeded the firewall blocks any subsequent UDP packets The default value is 1000 UDP packets per second 6 In ICMP Ping Packet Threshold Setting specify the number of ICMP Ping Packets pe...

Страница 81: ...ne of the Stateful Firewall Configuration page This displays the Firewall Dropped Packet List page 2 Do one of the following Specify the number of dropped packets to view from 1 to 200 Netscape 4 users may have to wait a very long time to get the complete list of 200 displayed Select a smaller value for viewing if this is the case Click Default to view the most recent 200 dropped packets 3 Click A...

Страница 82: ...ket is evaluated the Deny rules are applied first then the Allow rules 2 From the Allow Rule List drop down menu optionally select the list of protocols where the rule is allowed If you do not select an Allow Rule List you must select a Deny Rule List 3 From the Deny Rule List drop down menu optionally select the list of protocols where the rule is denied If you do not select a Deny Rule List you ...

Страница 83: ... for matching the packet source and ICMP Code for matching the packet destination Application Select the application that must match from the Application drop down menu 6 For Source and Destination under Address optionally specify the First IP and Last IP addresses to define the source and destination IP address boundaries to apply to the firewall rule The packet must have a source destination IP ...

Страница 84: ...tateful Firewall Configuration page This displays the Firewall Rule Configuration page 2 Click Delete This expands the Firewall Rule Configuration page 3 Select the rule list s or range of rules you want to delete To delete a single rule only enter a number in the from field When entering a range of rules to be deleted the rule range specified is inclusive of the first and last rules 4 Click Apply...

Страница 85: ... protocol that provides authentication privacy and data integrity IPSec must be supported at both ends of the connection IPSec does not require modification of individual applications or devices for secure data transport Because it does require global IP addresses for all peers Network Address Translation NAT can be used with IPSec To configure IKE IPSec 1 Click IKE IPSec Configuration from the le...

Страница 86: ...al name for an IKE Peer This name is of no importance to the remote IKE peer Choose a name that is meaningful to you 3 In Pre shared Secret enter a case sensitive character string used for authentication This secret can be up to 256 characters with no spaces or non printable characters The pre shared secret must be mutually agreed upon by both parties to the IKE connection 4 In Peer Gateway IP Add...

Страница 87: ... Create button for each category to create new IKE and IPSec definitions This section describes how to perform the following tasks IKE Peers Create IKE peers IKE peers are those devices known to your ADSL Internal Modem as capable of participating in IKE connections IKE Proposals Create IKE proposals IKE I proposals specify how packets will be encrypted authenticated for Phase I IKE IPSec Proposal...

Страница 88: ...hared Secret enter a case sensitive character string used for authentication This secret can be up to 256 characters with no spaces or non printable characters The pre shared secret must be mutually agreed upon by both parties to the IKE connection 4 In Peer Gateway IP Address enter the IP address of the gateway at the remote end of the IKE connection If the remote IKE peer does not have a fixed o...

Страница 89: ...ge MD5 Performs message authentication using Message Digest 5 SHA1 Performs message authentication using Secure Hashing Algorithm 1 default 4 From the Diffie Hellman Oakley Group drop down menu select one of the following Diffie Hellman key generation groups to use during IKE Phase I exchange Group 1 Uses Diffie Hellman Group 1 768 bits Group 2 Uses Diffie Hellman Group 2 1024 bits 5 From the Encr...

Страница 90: ...one SA is needed for each direction inbound and outbound An IPSec connection uses a security protocol AH or ESP that authenticates the sender of each data packet Usually only one security protocol is used for a connection so the connection would use two SAs one inbound and one outbound However it is possible for the same connection to be configured to use both the ESP and the AH protocol In this c...

Страница 91: ...NE Requests no ESP encapsulation MD5 Requests ESP encapsulation and authenticates using Message Digest 5 SHA1 Requests ESP encapsulation and authenticates using Secure Hashing Algorithm 1 4 If you selected ESP authentication select one of the following from the ESP Encryption Type drop down menu to specify the algorithm to use to encrypt ESP IPSec packets DES Encrypts using a 56 bit key 3DES Encry...

Страница 92: ...roposal to be used with this policy The IKE IPSec proposal must be already defined as an IKE IPSec Proposal 5 From the PFS Group drop down menu select one of the following the Diffie Hellman group to use for Perfect Forward Secrecy Perfect Forward Secrecy enhances the security of the key exchange In the event of a key becoming compromised only the data protected by that compromised key becomes vul...

Страница 93: ...ect using this policy 11 In Source Port enter the port that will be the source of TCP UDP traffic under this policy You can specify All ports a port number or an IP application associated with a particular port Because port numbers are TCP and UDP specific a port filter is effective only when the protocol filter is TCP or UDP 12 In Destination Port enter the port that will be the destination of TC...

Страница 94: ... packets providing the level of security required by Virtual Private Networks VPNs To start an IPSec session 1 Click VPN Log On on the left navigation pane of the Router Information page This displays the VPN Log On page 2 For Feature click enable 3 For Available IPSEC tunnels select the tunnel you wish to use for the IPSec session 4 Click Log on corresponding to the tunnel you selected You must k...

Страница 95: ...ew system summary information click System Summary on the left navigation pane of the Router Information page This displays the System Summary page From the System Summary page you can view information for the following Ethernet interface Remote connections IP Routing System System Summary View status and statistical information Diagnostics Run diagnostic programs to determine potential problems ...

Страница 96: ...Click Ethernet Info on the left navigation pane of the System Summary page to display information about the Ethernet interface Remote Connection Information Click Remote Info on the left navigation pane of the System Summary page to display information about remote connections for all entries in the Remote Router database ...

Страница 97: ...mation Click IP Routing Info on the left navigation pane of the System Summary page to display information about the active interfaces in the IP routing table System Information Click System Info on the left navigation pane of the System Summary page to display general information for select system settings ...

Страница 98: ... pane of the Router Information page This displays the Run Diagnostics page From the Run Diagnostics page you can view information for the following PPPoE session Interface information ATM statistics Routing Table information Files information Memory usage List all configuration data TCP IP statistics PPPoE Session Select PPPoE session from the drop down menu and click Execute to display PPPoE ses...

Страница 99: ...Router Diagnostics SIEMENS 93 Interface Information Select Interface information from the drop down menu and click Execute to display interface information ATM Statistics Select ATM Statistics from the drop down menu and click Execute to display ATM statistics ...

Страница 100: ... 94 Routing Table Information Select Routing Table information from the drop down menu and click Execute to display information about the configured routing tables Files Information Select Files information from the drop down menu and click Execute to display files store on the router ...

Страница 101: ...nostics SIEMENS 95 Memory Usage Select Memory usage from the drop down menu and click Execute to display memory usage information List All Configuration Data Select List all configuration data from the drop down menu and click Execute to display configuration information ...

Страница 102: ...SIEMENS 5890 DSL Router User s Guide Chapter 7 Monitoring Router Diagnostics SIEMENS 96 TCP IP Statistics Select TCP IP statistics from the drop down menu and click Execute to display TCP IP information ...

Отзывы: