manualshive.com logo in svg

UTT HiPER 840G, Руководство по продвинутой настройке


Поделиться
Скачать
background image

UTT Technologies 

Chapter 10 VPN 

http://www.uttglobal.com

 

Page 
13913913

 

 

 

 
 

2.   AutoKey (IKE)

 

 

To improve security and lessen the burden on administrators, IPSec supports Internet Key 

Exchange (IKE) protocol. Using IKE protocol, the two IPSec endpoints can automatically 

generate and negotiate keys and security associations. This automatic key management 

method is called 

AutoKey (IKE) 

on the UTT VPN gateway. 

 

At present the UTT VPN gateway supports AutoKey (IKE) based on preshared keys. The 

preshared  key  is  used  as  a  seed  key  to  generate  IPSec  session  keys.  Both  IPSec 

endpoints  should  have  the  same  preshared  key.  With 

AutoKey  (IKE) 

management,  the 

key  distribution  is  the  same  as  that  with  manual  key  management.  However,  once 

distributed, the two endpoints (unlike manual key) will automatically change their session 

keys  at  the  specified  time  interval  using  IKE  protocol.  This  is  done  without  human 

intervention;  therefore,  using 

AutoKey  (IKE) 

method  can  also  reduce management  cost 

and burden. 

 

Often  changing  keys  enhance  security.  However,  changing  keys  increases  traffic 

overhead;  therefore,  to  avoid  reducing  data  transmission  efficiency,  it  is  suggested  that 

you do not choose to change keys too often. 

 

 
 

9.5.1.4   Creating Security Associations (SAs)

 

 

 

The  concept  of  a  Security  Association  (SA)  is  fundamental  to  IPSec.  An  SA  is  a 

relationship  between  two  IPSec  endpoints  that  describes  how  the  endpoints  will  use 

security  services  to  communicate.  Each  SA consists  of  a  set  of  security  parameters  like 

security protocol (ESP or AH), encryption and/or authentication algorithms, session keys, 

SA  lifetime,  and  so  on.  Because  an  IPSec  SA  is  simplex  (unidirectional)  in  nature,  a 

bidirectional communication requires at least two SAs, one in each direction. 

 

In 

Manual  Key 

mode,  negotiations  are  not  required  because  all  the  necessary  SA 

parameters  are  defined  during  the  configuration  of  the  IPSec  tunnel.  In  this  case,  if  the 

UTT VPN gateway receives a packet matching an IPSec security policy, it will encrypt and 

authenticate the packet, and then send it to the remote endpoint through the IPSec tunnel. 

 

In 

AutoKey (IKE) 

mode, the basic operation of IKE can be broken down into two phases: 

 

 

IKE Phase 1 is used to authenticate the two endpoints and negotiate the parameters 

and key material required to establish a secure channel (i.e., IKE SA). The IKE SA is 

then used to protect further IKE exchanges. 

 

 

IKE  Phase  2  is  used  to  negotiate  the  parameters  and  key  material  required  to 

establish IPSec SAs. The IPSec SAs are then used to authenticate and encrypt  the 

user data. 

 

 

1.   IKE Phase 1

 

 

During  IKE  phase  1,  one  or  more  security  proposals  are  exchanged  and  agreed  upon

Содержание HiPER 840G

Страница 1: ...HiPER 840G Gigabit Router Advanced Configuration Guide V1 0 UTT Technologies Co Ltd http www uttglobal com...

Страница 2: ...cording or otherwise or used for any commercial and profit purposes without the express prior written permission of UTT Technologies Co Ltd UTT Technologies Co Ltd has the patents patent applications...

Страница 3: ...ter 1 Product Overview 9 1 1 Product Brief 9 1 2 Key Features 9 1 3 Physical Specification 10 Chapter 2 Hardware Installation 11 2 1 Physical Characteristics 11 2 1 1 Front Panel 11 2 1 2 Rear Panel 1...

Страница 4: ...5 How to Configure Connection Detection Settings 47 5 3 LAN Settings 48 5 4 DHCP Server 49 5 4 1 DHCP Server Settings 49 5 4 2 Static DHCP 51 5 4 3 DHCP Client List 53 5 4 4 Configuration Example for...

Страница 5: ...ment 100 7 2 1 Group Management Policy List 100 7 2 2 Group Management Policy Settings 101 7 2 3 Execution Order of Group Management Policies 103 7 2 4 Priorities of Global and Group Management Polici...

Страница 6: ...1 Backup Configuration 138 10 3 2 Restore Configuration 138 10 3 3 Reset to Factory Defaults 139 10 4 Firmware Upgrade 140 10 5 Remote Access 142 10 6 Scheduled Task 143 10 6 1 Scheduled Task Setting...

Страница 7: ...UTT Technologies Table of Contents http www uttglobal com Page 5 www argo contar com Appendix F Table Index 169...

Страница 8: ...andard which is as follows Radio Button It allows you to choose only one of a predefined set of options Check Box It allows you to choose one or more options Button It allows you to click to perform a...

Страница 9: ...bold font means the menu path to open a page For example Network DHCP Server means that in the Web UI click the first level menu item Network firstly and then click the second level menu item DHCP Ser...

Страница 10: ...Features The Web UI contains two kinds of lists editable list and read only list An editable list is used to add display modify and delete the configuration entries A read only list is used to displa...

Страница 11: ...ed clear the text box and then press Enter key Note that the matching rule is substring matching that is it will search for and display those entries that contain the specified text string Configured...

Страница 12: ...use the administrator account to login to the Gigabit Router s Web UI Note Both the User Name and Password are case sensitive Administrator Password admin LAN IP Address 192 168 1 1 They are the IP a...

Страница 13: ...ter 5 Network This chapter describes how to configure the basic network parameters of the Gigabit Router including WAN How to configure Internet connections and view their configuration and status Loa...

Страница 14: ...to the LAN users based on schedule and to prevent external attacks Domain Filtering How to configure domain filtering feature to block access to the specified websites Attack Prevention How to configu...

Страница 15: ...Technologies service system and enjoy the most intimate and professional services Appendix This guide provides six appendixes including Appendix A How to Configure Your PC How to configure TCP IP set...

Страница 16: ...ations e g Bit Comet Bit Spirit and Thunder Search control the maximum upload and download rate limiting The HiPER 840G supports flexible firewall features like access control and domain filtering to...

Страница 17: ...Supports IP packet filtering based on IP address protocol and TCP UDP port Supports URL and keyword filtering Supports DNS request filtering Supports HTTP remote management Provides the Web User Inter...

Страница 18: ...2 1 describes these LEDs The front panel also offers a Reset button a USB port and 5 ports Table 2 2 describes these ports Figure 2 1 Front Panel of the Gigabit Router 1 LEDs LED Full Name State Desc...

Страница 19: ...esponding port is sending or receiving data Off No link is established on the corresponding port Table 2 1 Description of LEDs on the Front Panel 2 Reset Button If you forget the administrator passwor...

Страница 20: ...used to connect the Gigabit Router to the Internet Table 2 2 Description of Ports on the Rear Panel 2 1 2 Rear Panel As shown in Figure 2 2 the rear panel of the Gigabit Router contains a POWER conne...

Страница 21: ...necting the Gigabit Router to the Internet Connect the network cable provided by the manufacturer from the DSL cable or fiber optic modem to a WAN port of the Gigabit Router or insert your 3G USB mode...

Страница 22: ...steps Step 1 Connect the computer to a LAN port of the Gigabit Router Step 2 Install TCP IP protocol on your computer If it has been installed please ignore it Step 3 Configure TCP IP settings on your...

Страница 23: ...ter and the Gigabit Router connected properly Verify that the LED corresponding to the Gigabit Router s LAN port and the LED on your computer s adapter are lit 2 Is the TCP IP configuration for your P...

Страница 24: ...t Router do the following Open a Web browser enter the Gigabit Router s LAN interface IP address the default is 192 168 1 1 in the address bar and then press Enter key see Figure 3 1 Figure 3 1 Enteri...

Страница 25: ...the forum homepage of the UTT website to participate in product discussions Feedback Click to link to send us your feedback by E mail 2 Main Pane It is the location where you can configure each featu...

Страница 26: ...utomatically Launch the Wizard Again If you select this check box the system don t automatically launch the Setup Wizard the next time you login to the Gigabit Router instead directly open the Welcome...

Страница 27: ...each Internet connection respectively For each Internet access mode the Internet connection settings are different For the WAN1 Internet connection there are three connection types PPPoE Static IP an...

Страница 28: ...ver It specifies the IP address of your ISP s primary DNS server Secondary DNS Server It specifies the IP address of your ISP s secondary DNS server If it is available you may set it Else please leave...

Страница 29: ...address subnet mask and gateway and DNS server addresses from your ISP s DHCP server Back Click to go back to the previous page of the Setup Wizard Cancel Click to revert to the last saved settings E...

Страница 30: ...Name and Password They specify the PPPoE login user name and password provided by your ISP Please ask your ISP if you have any questions Back Click to go back to the previous page of the Setup Wizard...

Страница 31: ...outer to operate properly view system status view interface traffic statistics and restart the Gigabit Router 4 1 Setup Wizard The Start Setup Wizard can help you configure the basic parameters for th...

Страница 32: ...lude connection type status IP address subnet mask MAC address default gateway and DNS server addresses and up time LAN It displays the basic configuration of the LAN inteface which include IP address...

Страница 33: ...y and DNS server addresses and up time APClient It displays the current status and basic configuration of the APClient Internet connection which are the same as those of the 3G Internection connection...

Страница 34: ...gabit Router s interfaces LAN WAN1 3G and APClient have been configured Note If the SVG Viewer plug in isn t installed on your web browser the port traffic chart cannot be displayed properly Please cl...

Страница 35: ...rse Click to toggle the colors of the two lines or filled areas LAN WAN1 APClient and 3G You can select an interface name at the top to view the traffic chart for that interface View Traffic Statistic...

Страница 36: ...Gigabit Router Restart Click to restart the Gigabit Router If you click the Restart button the system will pop up a prompt dialog box see Figure 4 6 Then you can click OK to restart the Gigabit Route...

Страница 37: ...section describes the Network WAN page If you have configured one or more Internet connections in the Start Quick Wizard you can view their configuration and status in this page and modify or delete...

Страница 38: ...he connection There are four cases 1 PPPoE Connection Status For the PPPoE connection there are two kinds of status see Table 5 1 When it is connected it will also display the elapsed time days hours...

Страница 39: ...dress and the connection is established successfully Table 5 3 Description of DHCP Connection Status 4 3G Connection Status For the 3G connection there are two kinds of status see Table 5 4 When it is...

Страница 40: ...ck its Interface hyperlink or icon the related information will be displayed in the setup fields Then modify it and click the Save button Delete an Internet Connection To delete an Internet connection...

Страница 41: ...gure 5 4 Internet Connection List DHCP Connection Renew Click to re obtain an IP address from the ISP s DHCP server The Gigabit Router will automatically release the assigned IP address firstly and th...

Страница 42: ...fic destined for one ISP s servers will be forwarded through this ISP s connection 2 If you want to configure and use an APClient Internet connection please choose APClient Mode as the Operation Mode...

Страница 43: ...subnet mask default gateway and DNS server addresses which are provided by your ISP ISP Policy It specifies the route policy database used for the Interent connection Update Policy Click to update th...

Страница 44: ...to the last saved settings 5 1 2 1 3 PPPoE Internet Connection Settings Figure 5 8 PPPoE Internet Connection Settings Interface It specifies the name of the WAN interface Here please select WAN1 or A...

Страница 45: ...hen it listens for packets destined for the Internet please select this option Dial Mode It specifies the dial mode of the PPPoE Internet connection The default value is Normal mode If the PPPoE conne...

Страница 46: ...etailed information Save Click to save your changes Cancel Click to revert to the last saved settings Note It is strongly recommended that you configure only the 3G USB Modem and ISP of the 3G Interne...

Страница 47: ...r the MAC address with your ISP To configure MAC address clone go to the Network WAN page and then select the MAC Address Clone tab to go to the setup page shown in Figure 5 10 MAC Address CloneFigure...

Страница 48: ...tor an Internet connection by sending detection packets to the specified target IP address Detection Interval It indicates the time interval at which the Gigabit Router periodically sends detection pa...

Страница 49: ...ey will use other normal Internet connections to access the Internet Note If you don t want to monitor an Internet connection please leave its Detection Interval at the default value of 0 5 2 1 2 Load...

Страница 50: ...ll automatically switch back to the primary connection Note During connections switching some user applications such as some online games may be interrupted unexpectedly due to the nature of TCP conne...

Страница 51: ...imary list box is a primary connection Backup It specifies the backup connection group An Internet connection in the Backup list box is a backup connection Select one or more Internet connections in t...

Страница 52: ...oad Balancing List When you have configured load balancing global settings and connection detection settings you can view the related configuration and status in the Load Balancing List Refresh Load B...

Страница 53: ...evice The Gigabit Router will monitor the Internet connection by sending the detection packets to the detection target IP address Bandwidth It specifies the Internet connection s bandwidth which is pr...

Страница 54: ...ncing List page Step 2 Click an Internet connection s Interface hyperlink or icon to go the Connection Detection Settings page Step 3 Configure detection related parameters Detection Target IP Detecti...

Страница 55: ...P Address It specifies the IP address of the LAN interface Subnet Mask It specifies the subnet mask that defines the range of the LAN MAC Address It specifies the MAC address of the LAN interface In m...

Страница 56: ...igure 5 17 DHCP Server Settings Enable DHCP Server It allows you to enable or disable DHCP server If you want to enable DHCP server on the Gigabit Router please select this check box Start IP Address...

Страница 57: ...stens for incoming DNS requests on the LAN interface relays the DNS requests to the current public DNS servers and replies as a DNS resolver to the requesting local computers ISP DNS Server 1 and ISP...

Страница 58: ...tain the same IP address from the DHCP server More specifically each time the specified computer boots and requests its IP address from the Gigabit Router s DHCP server the DHCP server will recognize...

Страница 59: ...e button View Static DHCP Entry s When you have configured one or more static DHCP entries you can view them in the Static DHCP List Modify a Static DHCP Entry To modify a configured static DHCP entry...

Страница 60: ...you can view the static DHCP entry in the Static DHCP List Step 4 To add another static DHCP entry please repeat the above steps Note If you want to delete static DHCP entry s please follow the ways d...

Страница 61: ...global com Page 5454 Refresh Click to view the latest information in the list Note The DHCP Client List only displays the DHCP clients with dynamically assigned IP addresses It doesn t display the DHC...

Страница 62: ...ses is 100 Besides there are two computers that must always have the same IP address one s MAC address is 00 21 85 9B 45 46 and IP address is 192 168 1 15 the other s MAC address is 00 1f 3c 0f 07 f4...

Страница 63: ...on to go to the Static DHCP Settings page see Figure 5 22 enter Server1 in the User Name text box 192 168 1 15 in the IP Address text box and 0021859B4546 in the MAC Address text box and then click th...

Страница 64: ...the MAC Address text box and then click the Save button Figure 5 23 Adding the Static DHCP Entry 2 Example Now you have configured the two static DHCP entries You can view them in the Static DHCP Lis...

Страница 65: ...suspend or terminate your use of some or all network services at any time for any reason The DDNS service providers supported by UTT Technologies Co Ltd currently provide free DDNS services but they m...

Страница 66: ...rg and it allows you to use test 3322 org to access the Gigabit Router IP Address It specifies the IP address mapped to the registered domain name of the Gigabit Router Register Click to register the...

Страница 67: ...ttp www 3322 org to go to this website to register a DDNS account for the Gigabit Router Host Name It specifies the host name of the Gigabit Router It must be identical to the host name that you enter...

Страница 68: ...com cn ddns to go to this website to register a DDNS account for the Gigabit Router Registration Number It specifies the registration number of the Gigabit Router Host Name It specifies the host name...

Страница 69: ...example ping avery12345 3322 org If the displayed page is similar to the screenshot below the domain name is resolved to an IP address successfully 58 246 187 126 in this example DDNS is updated succe...

Страница 70: ...allows any local UPnP enabled device to perform a variety of actions including retrieving the public IP address enumerating existing port mappings and adding or removing port mappings By adding a port...

Страница 71: ...rnal Port It displays the service port provided by the local computer Protocol It displays the transport protocol used by the service Remote IP It displays the IP address of the remote computer Extern...

Страница 72: ...r a small group of IP addresses On the Internet there is only a single network device using a single or a small group of public IP addresses but the local computers can use any range of private IP add...

Страница 73: ...ernal IP addresses and a single external IP addresses that is these multiple internal IP addresses will be translated to the same external IP address In this type of NAT to avoid ambiguity in the hand...

Страница 74: ...ch as online game or video conferencing When receiving the requests initiated from outside users the Gigabit Router will directly forward these requests to the specified DMZ host Note When a local com...

Страница 75: ...entry click its Name hyperlink or icon the related information will be displayed in the setup page Then modify it and click the Save button Delete Port Forwarding Entry s There are three ways to delet...

Страница 76: ...are opened for outside users to access Internal IP Address It specifies the IP address of the local computer that provides the service Start Internal Port It specifies the lowest port number of the s...

Страница 77: ...ses a range of consecutive ports you need to specify the Port Count Step 6 Select an interface from the Bind to drop down list as required The port forwarding entry will use the selected interface s I...

Страница 78: ...gure 6 4 NAT Rule List Add a NAT Rule To add a new NAT rule first click the Add button to go to the NAT Rule Settings page next configure it lastly click the Save button View NAT Rule s When you have...

Страница 79: ...e following sections describe the settings of the EasyIP NAT rule and One2One NAT rule respectively see Figure 6 5 and Figure 6 6 6 1 3 2 1 NAT Rule Settings EasyIP Figure 6 5 NAT Rule Settings EasyIP...

Страница 80: ...l IP They specify the internal IP address range of the NAT rule Bind to It specifies the interface to which the NAT rule is bound Save Click to save your changes Cancel Click to revert to the last sav...

Страница 81: ...IP and End Internal IP as required Step 5 Select an interface from the Bind to drop down list as required Step 6 Click the Save button to save the settings You can view the NAT rule in the NAT Rule L...

Страница 82: ...lowing figure Figure 6 7 EasyIP NAT Rule Settings Example Step 2 Enter Example1 in the Name text box Step 3 Select EasyIP from the NAT Type drop down list Step 4 Enter 218 1 21 3 in the External IP te...

Страница 83: ...168 1 0 24 The four local servers IP addresses are from 192 168 1 200 24 to 192 168 1 203 24 2 Analysis Firstly we need to configure a static IP Internet connection on the WAN1 interface in the Netwo...

Страница 84: ...y Step 5 Select WAN1 from the Bind to drop down list Step 6 Click the Save button to save the settings Till now you have finished configuring the NAT rule and you can view it in the NAT Rule List 6 1...

Страница 85: ...er 7 Advanced http www uttglobal com Page 78 Note When a local computer is designated as the DMZ host it loses firewall protection provided by the Gigabit Router The DMZ host can be accessed through a...

Страница 86: ...The computer s IP address can easily be changed to a trusted address but MAC address cannot easily be changed as it is added to the Ethernet card at the factory 6 2 1 2 The Operation Principle of IP...

Страница 87: ...ately to prevent IP spoofing 3 If the sender is an undefined user there are two cases 1 If the Allow Undefined LAN PCs check box is checked the packet will be allowed to pass and then be further proce...

Страница 88: ...ated information will be displayed in the setup page shown in Figure 6 12 Then modify it and click the Save button Figure 6 12 Modifying an IP MAC Binding The Allow check box is used to allow or block...

Страница 89: ...you will be prompted that the operation is not permitted see the following figure Figure 6 13 IP MAC Binding Error Message 6 2 4 IP MAC Binding Settings Figure 6 14 IP MAC Binding Settings Subnet It s...

Страница 90: ...1 You can use the ipconfig all command at the command prompt to find a Windows based computer s IP address and MAC address 2 For an IP MAC address pair entry entered manually there can be one or more...

Страница 91: ...er function modules 6 2 6 Internet Whitelist and Blacklist 6 2 6 1 Introduction to Internet Whitelist and Blacklist Based on IP MAC Binding By utilizing IP MAC binding feature you can flexibly configu...

Страница 92: ...mation Step 3 Clear the Allow Undefined LAN PCs check box to block all the undefined users from accessing the Gigabit Router and Internet For example if you want to allow a local computer with IP addr...

Страница 93: ...ers to access the Gigabit Router and Internet For example if you want to block a local computer with IP address 192 168 1 3 from accessing the Gigabit Router and Internet you can add an IP MAC binding...

Страница 94: ...ol provide a secure network environment The disadvantage of using static routes is that they cannot dynamically adapt to the current operational state of the network When there is a change in the netw...

Страница 95: ...allows you to enable or disable the static route The default value is checked which means the static route is in effect If you want to disable the static route temporarily instead of deleting it pleas...

Страница 96: ...ced Static Route page and click the Add button to go to the setup page Step 2 Specify the Name for the static route and leave the Enable check box checked Step 3 Specify the Destination IP Subnet Mask...

Страница 97: ...ced http www uttglobal com Page 90 Static Route List Step 7 To add another new static route please repeat the above steps Note If you want to delete static route s please follow the ways described in...

Страница 98: ...ol for encapsulating PPP frames in Ethernet frames to provide point to point connection over an Ethernet network 6 4 1 1 PPPoE Stages As specified in RFC 2516 the PPPoE has two distinct stages a disco...

Страница 99: ...ique PPPoE session ID and respond to the client with a PADS packet The PADS packet must contain a service name which indicates the service provided to the client When the discovery stage completes suc...

Страница 100: ...that is available to a PPPoE client Secondary DNS Server It specifies the IP address of the secondary DNS server that is available to a PPPoE client PPP Authentication It specifies the PPP authentica...

Страница 101: ...User Name hyperlink or icon the related information will be displayed in the setup page Then modify it and click the Save button Delete PPPoE Account s There are three ways to delete PPPoE account s...

Страница 102: ...IP Address It specifies a static IP address that is assigned to the user who uses the current PPPoE account It must be a valid IP address within the range of IP addresses assigned by the PPPoE server...

Страница 103: ...displays the PPPoE dial in user s IP address assigned by the PPPoE server MAC Address It displays the PPPoE dial in user s MAC address Online Time It displays the elapsed time since the PPPoE session...

Страница 104: ...easily control and manage the Internet behaviors of the LAN users based on schedule which include allow or block the LAN users from using popular IM e g QQ MSN and P2P applications e g Bit Comet Bit S...

Страница 105: ...en select any single day Monday Tuesday Wednesday Thursday Friday Saturday or Sunday or combinations of days as desired Time It specifies a range of hours and minutes during which the schedule is in e...

Страница 106: ...to 17 00 The configuration steps are the following Step 1 Go to the User Global Management page Step 2 Select the Block MSN and Block BT check boxes Step 3 Define business hours clear the Everyday che...

Страница 107: ...based on schedule For convenience a group can also contain a single user A group management policy is used to control the Internet behaviors of the users in the group which include allow or block thes...

Страница 108: ...y To modify a configured group management policy click its Group Name hyperlink or icon the related information will be displayed in the setup page Then modify it and click the Save button Delete Grou...

Страница 109: ...Max Tx Rate and Max Rx Rate Enter a value in the associated text box If you don t want to limit Max Tx Rate Max Rx Rate please leave the default value of 0 Select an option from the associated drop do...

Страница 110: ...al computer the Gigabit Router will first check it against the access rules next the group management policies lastly the global management policy The first rule or policy that matches the packet is a...

Страница 111: ...ments Group management policy 1 It allows the CEO to access all Internet services Group management policy 2 It blocks the Administration Department s employees from using QQ and MSN Group management p...

Страница 112: ...to go to the Group Management Settings page to create the policy 2 The detailed settings are shown in Figure 7 8 Figure 7 8 Group Management Policy Example Policy 2 Step 4 Click the Add button to go...

Страница 113: ...ttp www uttglobal com Page 10610610 Figure 7 9 Group Management Policy Example Policy 3 Step 5 After you have configured the three policies you can view them in the Group Management List see Figure 7...

Страница 114: ...UTT Technologies Chapter 8 User Management http www uttglobal com Page 10710710 Figure 7 11 Group Management List Example Continue...

Страница 115: ...lock the students from accessing game websites for a family you can only allow your children to access the Internet during the specified period of time for a business you can block the Financial Depar...

Страница 116: ...and schedule 2 URL Filtering The URL filtering rules are used to filter URLs based on keyword in the URL It allows you to filter any web page whose URL contains the specified keyword For example if y...

Страница 117: ...first access rule that matches a packet determines whether the Gigabit Router accepts or drops the packet If the rule s Action is Allow the packet is forwarded If the rule s Action is Deny the packet...

Страница 118: ...ts Name hyperlink or icon the related information will be displayed in the setup page Then modify it and click the Save button Delete Access Rule s There are three ways to delete access rule s 1 To de...

Страница 119: ...u want to disable the rule temporarily instead of deleting it please clear the check box Source IP Range It specifies a range of source IP addresses i e a group of local computers to which the access...

Страница 120: ...the list of common services and their port numbers Dest Port Start and Dest Port End They specify a range of destination ports to which the access rule applies To specify a single port enter the port...

Страница 121: ...ring Here please select URL Filtering Filtering Content It specifies the URL keyword that you want to filter The access rule is used to filter any web pages whose URL contains the specified keyword Yo...

Страница 122: ...clude http 2 The URL filtering rules cannot be used to control users access to other services through a web browser For example to control users access to ftp ftp utt com cn you need to configure an I...

Страница 123: ...Rule List Note 1 The keyword filtering rules only support the Deny action 2 The English keyword is case sensitive 8 1 4 Configuration Examples for Access Rule 8 1 4 1 Example 1 Only Allow a Group of...

Страница 124: ...8 Access Rule List Example 1 Continue Figure 8 9 Access Rule List Example 1 Continue 8 1 4 2 Example 2 Only Block a Group of Users from Accessing Certain Services In this example we want to block a g...

Страница 125: ...www bbc com Access rule 2 It blocks those users from accessing www cnn com Access rule 3 It allows those users to access all Internet services Therein both rule 1 and rule 2 must have a higher priorit...

Страница 126: ...ds We need to create three access rules to meet the requirements Access rule 1 It allows those users to access DNS service during business hours And it is used to ensure that the domain names can be r...

Страница 127: ...e want to allow a group of users IP address range 192 168 1 10 192 168 1 120 to access web service and block them from accessing all other services The exception is that the user with IP address 192 1...

Страница 128: ...Technologies Chapter 9 Firewall http www uttglobal com Page 12112112 Figure 8 16 Access Rule List Example 4 Figure 8 17 Access Rule List Example 4 Continue Figure 8 18 Access Rule List Example 4 Conti...

Страница 129: ...n Filtering Global Settings Enable Domain Filtering It allows you to enable or disable domain filtering If you select the check box to enable domain filtering the domain names in the Domain Name List...

Страница 130: ...them in the Domain Name List and then click the Delete button Delete All To delete all the domain names in the Domain Name List at a time directly click the Delete All button Note 1 The Gigabit Router...

Страница 131: ...vely protect the Gigabit Router against popular DoS DDoS attacks Enable Blaster Prevention It is used to enable or disable blaster virus prevention If you select the check box to enable this feature i...

Страница 132: ...client or server encapsulates the original user packets inside PPP frames before sending them through a PPTP tunnel over the Internet while the peer performs decapsulation firstly and then forward th...

Страница 133: ...information that identifies the specific PPTP tunnel for the data packet GRE is described in RFC 1701 The use of a separate GRE mechanism for PPTP data encapsulation has an interesting side effect for...

Страница 134: ...tual interface for the new tunnel to listen for user data 1 in Figure 9 2 The PPTP client s virtual interface listens for the user packets destined for the remote LAN 3 in Figure 9 2 The PPTP client i...

Страница 135: ...On the Gigabit Router it allows you to choose PAP CHAP or Either as the user authentication mode for a PPTP client It also allows you to choose None which means that no authentication is performed By...

Страница 136: ...MTU it will be fragmented by the original computer before transmission The following two examples describe how to calculate PPTP tunnel MTU Figure 9 3 illustrates the format of the PPTP packet to be...

Страница 137: ...effect If you want to disable the entry temporarily instead of deleting it please clear the check box Tunnel Name It specifies a unique name of the PPTP tunnel It is used to identify multiple tunnels...

Страница 138: ...remote network Tunnel Server IP Domain Name It specifies the IP address or domain name of the remote PPTP L2TP server In most cases you may enter the WAN IP address or domain name of the remote VPN ap...

Страница 139: ...York Now the company wants the head office and branch office to securely communicate with each other over the Internet As shown in Figure 9 8 we will use PPTP to establish a VPN tunnel deploy a HiPER...

Страница 140: ...elopment of network safety standards and protocols various VPN technologies have emerged IPSec VPN is one of the most widely used VPN security technologies today IPSec is a set of open standards and p...

Страница 141: ...UTT Technologies Chapter 10 VPN http www uttglobal com Page 13413413 1 Manual Key Gateway to Gateway IPSec VPN...

Страница 142: ...that both have dynamic IP addresses 9 5 1 1Concepts and Protocols In order for the IPSec tunnel to be established and function properly the two IPSec endpoints must agree on the SAs The IPSec SAs dete...

Страница 143: ...l choose to provide all of the supported security services including data confidentiality data integrity data origin authentication and anti replay for the data which are currently the highest level o...

Страница 144: ...nnel Mode the IPSec AH and or ESP header is appended to the front of the original IP header and then a new IP header is appended to the front of the IPSec header The source and destination IP addresse...

Страница 145: ...e more than 20 parameters that need to be configured at each endpoint Manual key management is feasible for small VPN networks such as a network with a few VPN appliances where the distribution mainte...

Страница 146: ...Associations SAs The concept of a Security Association SA is fundamental to IPSec An SA is a relationship between two IPSec endpoints that describes how the endpoints will use security services to com...

Страница 147: ...ase 1 proposal By default the UTT VPN gateway provides four phase 1 proposals which include 3des md5 group2 3des sha group2 des md5 group2 des sha group2 It also allows you to specify phase 1 proposal...

Страница 148: ...esponder accepts the proposed SA authenticates the initiator and sends a nonce i e random number its IKE identity and its certificates if it is being used Third message The initiator authenticates the...

Страница 149: ...E Phase 2 the two IPSec endpoints also exchange security proposals to determine which security parameters to be used in the IPSec SAs A phase 2 proposal consists of one or two IPSec security protocols...

Страница 150: ...lts in a false connection SAs are normal but the tunnel is disconnected where packets are tunneled to oblivion Therefore it is necessary that either endpoint can detect a dead peer as soon as possible...

Страница 151: ...PSec Settings page to click the Advanced Options hyperlink and then configure the filter parameters including Protocol and Port to define the packets that are protected by IPSec section6 1 2 1 and 6 1...

Страница 152: ...IPSec SAs that is an IPSec tunnel After the IPSec tunnel is established the UTT VPN gateway will do the required IPSec processing e g encryption and or authentication before sending the packet to the...

Страница 153: ...c policy in the SPD 3 3 IKE phase 1 negotiation takes place started by the initiator and the IKE SA is established 4 Refer to section 4 2 1 3 for more information 4 IKE phase 2 negotiation takes place...

Страница 154: ...iate IPSec SAs as required 14 Refer to section 4 2 1 4 for more information Note In Manual Key mode IKE phase 1 and phase 2 negotiations are not required because all the necessary SA parameters are de...

Страница 155: ...n illustrates the format of the IPSec packet to be sent over a static IP or DHCP Internet connection and Figure 11 18 IPSec Packet Format PPPoE Internet Connection illustrates the format of the IPSec...

Страница 156: ...kets IPSec NAT T is designed to solve the problems inherent in using IPSec with NAT During IKE phase 1 negotiation the two IPSec NAT T capable endpoints can automatically determine Whether both of the...

Страница 157: ...m value so you cannot create a new IPSec session Figure 11 20 Viewing IPSec Sessions Limit Related System Log CLI In the Web UI you can go to the Status System Log page view the related system log As...

Страница 158: ...Connection Type It specifies the role of the UTT VPN gateway in the IPSec tunnel establishment The available options are Bidirectional Originate Only and Answer Only Here please select Bidirectional...

Страница 159: ...ubnet IP text box and its mask in the Subnet Mask text box if you want to define a host please enter the IP address of that host in the Subnet IP text box and 255 255 255 255 in the Subnet Mask text b...

Страница 160: ...uthentication for the local UTT gateway is required that is the local UTT gateway should provide its identity information to the remote IPSec endpoint for authentication but the identity authenticatio...

Страница 161: ...s a required parameter Please enter an ID value according to the selected ID Type Local 3 Answer Only Static to Dynamic IPSec VPN If the local UTT VPN gateway has a static IP address and the remote en...

Страница 162: ...PN gateway to authenticate the remote IPSec device ID Value Remote It specifies the identity of the remote IPSec device In this connection type it is an optional parameter Please enter an ID value acc...

Страница 163: ...UTT Technologies Chapter 10 VPN http www uttglobal com Page 19619619 Figure 11 25 IPSec Settings AutoKey IKE Advanced Options Main Mode...

Страница 164: ...re them Exchange Mode It specifies the exchange mode used for IKE phase 1 negotiation The available options are Main and Aggressive If the Connection Type is Bidirectional you should choose Main mode...

Страница 165: ...gateway will periodically send DPD heartbeat messages at the specified time interval set by the Heartbeat Interval to the remote IPSec device to verify its availability Heartbeat Interval It specifies...

Страница 166: ...fty three 6 3 3 1 53 phase 2 proposals supported The details are as follows 1 There are five phase 2 proposals for using ESP encryption only For example the proposal esp des means ESP encryption with...

Страница 167: ...2 proposals in the CLI 9 5 3 IPSec List Figure 11 27 IPSec List After you have finished configuring an IPSec entry you can view its configuration and status information in the IPSec List see Figure 1...

Страница 168: ...L2TP virtual interface it will display the corresponding tunnel s ID Local Subnet It displays the Subnet IP Local you specify in the VPN IPSec IPSec Settings page Connect In the AutoKey IKE mode the...

Страница 169: ...nder Answer Only Static to Dynamic IPSec VPN The local UTT VPN gateway has a static IP address while the remote endpoint another UTT VPN gateway or compatible VPN appliance has a dynamic IP address In...

Страница 170: ...phase 2 proposal is esp aes256 md5 ah sha in addition the preshared key is testing and the IP addresses are as follows The UTT VPN gateway at the head office WAN Interface IP Address 200 200 202 123 2...

Страница 171: ...255 0 Bind to Local WAN1 Subnet IP Local 192 168 16 1 Subnet Mask Local 255 255 255 0 Preshared Key testing P2 Encrypt Auth Algorithms 1 esp aes256 md5 ah sha 3 Viewing the IPSec tunnel status After...

Страница 172: ...s the connection type In this case the local UTT VPN gateway can only act as a responder and both IPSec endpoints should use aggressive mode for phase 1 IKE negotiation Figure 11 30 Network Topology U...

Страница 173: ...168 123 1 24 The UTT VPN gateway at the branch office WAN Interface IP Address Dynamic DHCP LAN Interface IP Address 192 168 16 1 24 1 Configuring the UTT VPN gateway at the head office Go to the VPN...

Страница 174: ...ive 3 Viewing the IPSec tunnel status After you have configured IPSec parameters on both UTT VPN gateways the IPSec tunnel establishment can be triggered manually or by traffic On the UTT VPN gateway...

Страница 175: ...eway to UTT VPN Gateway Answer Only 2 Viewing the UTT VPN gateway at the branch office The following figure shows the configuration and status of the IPSec tunnel on the UTT VPN gateway with a dynamic...

Страница 176: ...gned IP address PPPoE or DHCP and the remote endpoint another UTT VPN gateway or compatible VPN appliance has a static IP address you can choose Originate Only as the connection type In this case the...

Страница 177: ...administrator accounts 10 1 1 Administrator List Figure 10 1 Administrator List Add an Administrator Account To add a new administrator account first click the Add button to go to the setup page next...

Страница 178: ...it 10 1 2 Administrator Settings Figure 10 2 Administrator Settings User Name It specifies a unique login name case sensitive of the administrator Password It specifies a login password case sensitiv...

Страница 179: ...he Internet It is suggested that you choose SNTP to automatically synchronize time in most cases Figure 10 3 System Time Settings Current System Time It displays the Gigabit Router s current date YYYY...

Страница 180: ...r 1 is the primary server the default is 192 43 244 18 and the Server 2 is the first backup server the default is 129 6 15 28 and the Server 3 is the second backup server the default is 0 0 0 0 Save C...

Страница 181: ...a text file on your local computer 10 3 2 Restore Configuration Figure 10 5 Restore Configuration Reset to Factory Defaults before Restore If you select this check box it will reset the Gigabit Router...

Страница 182: ...it Router Note 1 After performing the reset operation you must manually restart the Gigabit Router in order for the default settings to take effect 2 The reset operation will clear all of the Gigabit...

Страница 183: ...ow these steps Step 1 Downloading the latest firmware Click the Download Firmware hyperlink to download the latest firmware from the website of UTT Technologies Co Ltd Note 1 Please select the appropr...

Страница 184: ...10 8 Prompt Dialog Box Firmware Upgrade Note 1 It is strongly recommended that you upgrade the firmware when the Gigabit Router is under light load 2 If you upgrade firmware timely the Gigabit Router...

Страница 185: ...er http 218 21 31 3 8081 in your browser s address bar Remote Management Port It specifies the port number that will be open to outside access The default value is 8081 Interface It specifies the inte...

Страница 186: ...t specifies a unique name of the task Repeat It specifies how often the Gigabit Router will perform the task The available options are Weekly Daily Hourly Minutely Start Time It specifies the time at...

Страница 187: ...led tasks you can view them in the Scheduled Task List Modify a Scheduled Task To modify a configured scheduled task click its User Name hyperlink or icon the related information will be displayed in...

Страница 188: ...ess status the traffic statistics for each interface and system information including the current system time system up time system resources usage information firmware version and system log 11 1 Sys...

Страница 189: ...12 Status Figure 11 2 System Status Wireless Status Wired Status Refer to Section 4 2 1 Wired Status for detailed information Note The Wired Status page and Wireless Status page only display the stat...

Страница 190: ...nt and LAN You can view the traffic statistics for each interface including the number of bytes received and transmitted and the number of packets received and transmitted Clear Click to clear all tra...

Страница 191: ...g System information can help you identify and diagnose the source of current system problems or help you predict potential system problems Figure 11 4 System Information Current System Time It displa...

Страница 192: ...the events that occur in the system such as system startup wireless enabled and so on Refresh Click to view the latest system information Note The CPU and Memory are displayed as a status bar and perc...

Страница 193: ...1 Support As shown in Figure 12 1 it allows you to click each Learn More hyperlink to directly open the corresponding page of the UTT website UTTCare Link to the support page of the UTT website to do...

Страница 194: ...nfiguring TCP IP settings with DHCP The following describes the two ways respectively Method One Manually Configuring TCP IP To configure the TCP IP protocol manually follow these steps 1 On the Windo...

Страница 195: ...following DNS server address option enter the primary DNS server IP address in the Preferred DNS server text box and enter the secondary DNS server IP address in the Alternate DNS server text box opt...

Страница 196: ...e A 0 3 select the Obtain an IP address automatically option and Obtain DNS server address automatically option Figure A 0 3 Internet Protocol TCP IP Properties 5 Click the OK button Now you have fini...

Страница 197: ...15415 c Click Install d Click Protocol and then click Add e Click Have Disk f In the Copy manufacturer s files from box type System_Drive_Letter windows inf and then click OK g In the list of availabl...

Страница 198: ...or the Internet connection you can choose Always On as the Dial Type else you can choose On Demand or Manual as the Dial Type and specify the Idle Timeout to avoid wasting online time due to that you...

Страница 199: ...WAN port of the Gigabit Router Step 3 Configure the Static IP Internet connection related parameters in the Start Setup Wizard or the Network WAN page Step 4 After the Static IP connection is establi...

Страница 200: ...ab and then change the MAC address of the corresponding interface lastly click the Save button Step 4 After the DHCP Internet connection is established successfully you can go to the view its configur...

Страница 201: ...ttings via the Web UI The operation is as follows Go to the Administration Configuration page and then click the Reset button in the Reset to Factory Defaults configuration field lastly manually resta...

Страница 202: ...IP in IP Tunnel Driver TCP 6 Transmission Control Protocol EGP 8 Exterior Gateway Protocol IGP 9 Interior Gateway Protocol PUP 12 PARC Universal Packet Protocol UDP 17 User Datagram Protocol HMP 20 H...

Страница 203: ...time 13 tcp daytime 13 udp qotd 17 tcp Quote of the day qotd 17 udp Quote of the day chargen 19 tcp Character generator chargen 19 udp Character generator ftp data 20 tcp FTP data ftp 21 tcp FTP contr...

Страница 204: ...Protocol Version 2 pop3 110 tcp Post Office Protocol Version 3 sunrpc 111 tcp SUN Remote Procedure Call sunrpc 111 udp SUN Remote Procedure Call auth 113 tcp Identification Protocol uucp path 117 tcp...

Страница 205: ...l https 443 tcp MCom https 443 udp MCom microsoft ds 445 tcp microsoft ds 445 udp kpasswd 464 tcp Kerberos v5 kpasswd 464 udp Kerberos v5 isakmp 500 udp Internet Key Exchange exec 512 tcp Remote Proce...

Страница 206: ...on kerberos adm 749 udp Kerberos administration kerberos iv 750 udp Kerberos version IV kpop 1109 tcp Kerberos POP phone 1167 udp Conference calling ms sql s 1433 tcp Microsoft SQL Server ms sql s 143...

Страница 207: ...logies Appendix D Common Service Ports radacct 1813 udp RADIUS accounting protocol nfsd 2049 udp NFS server knetd 2053 tcp Kerberos de multiplexor man 9535 tcp Remote Man Server http www uttglobal com...

Страница 208: ...onnection Settings WEP Figure 3 13 Setup Wizard APClient Connection Settings WPA PSK WAP2 PSK Figure 3 14 Setup Wizard Wireless Settings Figure 4 1 System Status Wired Status 25 Figure 4 2 System Stat...

Страница 209: ...orwarding List 68 Figure 6 2 Port Forwarding Settings 69 Figure 6 3 Port Forwarding Settings Example 71 Figure 6 4 NAT Rule List 71 Figure 6 5 NAT Rule Settings EasyIP 72 Figure 6 6 NAT Rule Settings...

Страница 210: ...e 1 Continue 117 Figure 8 10 Access Rule List Example 2 118 Figure 8 11 Access Rule List Example 2 Continue 118 Figure 8 12 Access Rule List Example 2 Continue 119 Figure 8 13 Access Rule List Example...

Страница 211: ...ystem Status Wireless Status 146 Figure 11 3 Traffic Statistics 147 Figure 11 4 System Information 148 Figure 12 1 Support 150 Figure A 0 1 Local Area Connection Properties 152 Figure A 0 2 Internet P...

Страница 212: ...3 Factory Default Settings 5 Table 2 1 Description of LEDs on the Front Panel 12 Table 2 2 Description of Ports on the Rear Panel 13 Table 2 3 Description of Components on the Rear Panel 13 Table 5 1...

Отзывы:

Нет отзывов

Похожие инструкции для HiPER 840G

PaloAlto Networks PA-7500 Quick Start Manual preview
PA-7500
Бренд: PaloAlto Networks Страницы: 3
TP-Link TD-8817 Specifications preview
TD-8817
Бренд: TP-Link Страницы: 3
H3C S10500 Series Mpls Configuration Manual preview
S10500 Series
Бренд: H3C Страницы: 400
8level IPG-200 User Manual preview
IPG-200
Бренд: 8level Страницы: 52
Paradyne Hotwire ATM Line Cards 8335 User Manual preview
Hotwire ATM Line Cards 8335
Бренд: Paradyne Страницы: 132
ZyXEL Communications P-660W-T1 v2 User Manual preview
P-660W-T1 v2
Бренд: ZyXEL Communications Страницы: 244
Buffalo AirStation WZR-1166DHP Quick Setup Manual preview
AirStation WZR-1166DHP
Бренд: Buffalo Страницы: 2
Trend Micro IPS Pro-Module-24C-GE-BP-TM Quick Setup Manual preview
IPS Pro-Module-24C-GE-BP-TM
Бренд: Trend Micro Страницы: 3
DCB BROADCAST POLLING FRAD BPF-14 BU Manual preview
BROADCAST POLLING FRAD BPF-14 BU
Бренд: DCB Страницы: 28
Cyclades AlterPath Manager 2500 Installation, Configuration And User Manual preview
AlterPath Manager 2500
Бренд: Cyclades Страницы: 368
Paradyne 1740 SHDSL User Manual preview
1740 SHDSL
Бренд: Paradyne Страницы: 74
Aviosys 9255W User Manual preview
9255W
Бренд: Aviosys Страницы: 77
Buffalo LinkStation 500 User Manual preview
LinkStation 500
Бренд: Buffalo Страницы: 139
Microchip Technology PD-9501-10GCO/AC User'S Installation Manual preview
PD-9501-10GCO/AC
Бренд: Microchip Technology Страницы: 41
Linksys WAG120N Datasheet preview
WAG120N
Бренд: Linksys Страницы: 2
Cayman Systems 2E-W User Manual preview
2E-W
Бренд: Cayman Systems Страницы: 170
N-Tron 304TX-N Specifications preview
304TX-N
Бренд: N-Tron Страницы: 2
Billion BIPAC 7100G Quick Start Manual preview
BIPAC 7100G
Бренд: Billion Страницы: 14

Бренды по названию

Популярные бренды

Загрузить еще бренды