User Guide, Business Series
4-Port SSL/IPSec VPN Router
Model: RVL200
About This Guide
Icon Descriptions
While reading through the User Guide you may see various icons that call attention to specific items. Below is a description of these icons:
NOTE: This check mark indicates that there is a note of interest and is something that you should pay special attention to while using the product.
Open Source
This product may contain material licensed to you under the GNU General Public License or other open-source software licenses.
Table of Contents (excerpt)
Chapter 1: Introduction: Introduction to the Router; Introduction to Virtual Private Networks (VPNs); VPN Router to VPN Router
Setup > One-to-One NAT: One-to-One NAT; Setup > MAC Clone: MAC Clone
QoS > QoS Setup: QoS Setup; QoS > Queue Settings: Queue Settings
Wizard: Basic Setup; Access Rule Setup; Support
Appendix H: Deployment in an Existing Network: Overview; LAN-to-LAN Connection; WAN-to-LAN Connection
Appendix M: Multiple VLANs and Subnets: Overview; RVL200 Configuration; Basic Instructions
Chapter 1: Introduction
Introduction to the Router
Thank you for choosing the Linksys 4-Port SSL/IPSec VPN Router. The Router is an advanced Internet-sharing network solution for your small business needs. Like any router, it lets multiple computers in your office share an Internet connection. It features a built-in, 4-port, full-duplex, 10/100 Ethernet switch to connect four computers directly, or you can connect more switches to create as big a network as you need.
For additional information and instructions about creating your own VPN, visit the Linksys website at www.linksys.com.
[Figure: VPN Router to VPN Router (Home, Internet, Central Office)]
Computer (using SSL VPN client software) to VPN Router
The following is an example of a computer-to-VPN Router VPN. In her hotel room, a traveling businesswoman connects to her Internet Service Provider (ISP).
Chapter 2: Product Overview
[Figures: Back Panel, Front Panel]
Reset
The Reset button can be used in one of two ways, warm reset and reset to factory defaults.
• Warm Reset If the Router is having problems connecting to the Internet, press and hold in the Reset button for four seconds using the tip of a pen. This is similar to pressing the power button on your computer to reboot it. The Diag LED will flash slowly during a warm reset.
Chapter 3: Installation
Physical Installation
There are three ways to place the Router. The first way is to place it horizontally on a surface, so it sits on its four rubber feet. The second way is to stand the Router vertically on a surface. The third way is to mount it on a wall.
Horizontal Placement
The Router has four rubber feet on its bottom panel. Set the Router on a flat surface near an electrical outlet.
WARNING: Do not place excessive weight on top of the Router; too much weight could damage it.
Cable Connection
To connect network devices to the Router, follow these instructions:
1. Before you begin, make sure that all of your hardware is powered off, including the Router, computers, switches, and cable or DSL modem.
2. Connect your cable or DSL modem’s Ethernet cable to the Router’s Internet port.
[Figure: Connect to the Internet Port]
3. Power on the cable or DSL modem.
4. Connect one end of an Ethernet network cable to one of the numbered ports on the back of the Router.
Chapter 4: Advanced Configuration
6. Click OK.
7. Click the Security tab.
8. Click Custom Level.
9. Select Enable for Active scripting, Allow paste operations via script, and Scripting of Java applets.
Overview
For your convenience, use the Router’s web-based utility to set it up and configure it. This chapter will explain all of the functions in this utility.
7. Select Allow cookies.
8. Select Enable JavaScript.
9. Click Advanced.
10. Select Enable ActiveX.
How to Access the Web-Based Utility
1. For local access of the Router’s web-based utility, launch your web browser, and enter the Router’s default IP address, 192.168.1.1, in the Address field. Press the Enter key.
[Figure: Click to Install the Web Cache Cleaner]
4. On the Security Warning screen, click Yes.
5. The Web Cache Cleaner will be installed in C:\WINDOWS\Downloaded Program Files. Proceed to the rest of this chapter for information about the web-based utility.
[Figure: System Summary]
When you or another user logs out, a Warning screen will appear. It will ask you to confirm that you want to delete the History Item for the Router. Click Yes.
System Up Time
This is the length of time in days, hours, and minutes that the Router has been active. The current time and date are also displayed.
click Renew to update the DHCP Lease Time or get a new IP address. If the WAN port is set to PPPoE or PPTP, two buttons, Connect and Disconnect, will be available.
If you have not set up the e-mail server on the Log tab, the message, “E-mail cannot be sent because you have not specified an outbound SMTP server address,” will be displayed. If you have set up the mail server but the log has not been generated due to the Log Queue Length and Log Time Threshold settings, the message, “E-mail settings have been configured,” will be displayed.
subscribers use this connection type.) Your ISP assigns these values.
Default Gateway Address
Enter the IP address of the default gateway.
DNS Server (Required) 1/2
If you select Use the Following DNS Server Addresses, enter your DNS server IP address(es) (enter at least one). Multiple DNS server IP settings are common. In most cases, the first available DNS entry is used.
Keep Alive: Interval
If you select the Keep Alive option, the Router will send keep-alive packets as often as you specify. The default Interval is 30 seconds.
Keep Alive: Retry Times
If you select the Keep Alive option, the Router will send keep-alive packets as many times as you specify. If the Router does not receive a response from the ISP, then the Router will terminate the connection and start sending PADI packets after the Redial Period.
Daylight Saving
To use the daylight saving feature, select Enabled. Enter the Month and Day of the start date, and then enter the Month and Day of the end date.
NTP Server
Enter the URL or IP address of the NTP server. The default is time.nist.gov.
Setup > Password
Password
The User Name is admin; it cannot be changed.
Old Password
Enter the old password. The default is admin when you first power up the Router.
New Password
Enter a new password for the Router.
Click Save Settings to save your change, or click Cancel Changes to undo it.
Setup > Forwarding
The Forwarding screen allows you to set up port range forwarding and port triggering applications.
If the Service you need is not listed in the menu, click Service Management to add the new service. The Service Management screen appears.
Some Internet applications or games use alternate ports to communicate between the server and LAN host. When you want to use these applications, enter the triggering (outgoing) port and alternate incoming port in the Port Triggering table. Then the Router will forward the incoming packets to the LAN host.
Application Name
Enter the name of the application.
Trigger Port Range
Enter the starting and ending port numbers of the trigger port range.
UPnP Forwarding Table List
Click Refresh to update the on-screen information. Click Close to exit this screen and return to the UPnP screen. On the UPnP screen, click Save Settings to save your changes, or click Cancel Changes to undo them.
Setup > One-to-One NAT
One-to-One NAT (Network Address Translation) creates a relationship that maps valid external IP addresses to internal IP addresses hidden by NAT.
User Name and Password
Enter your DynDNS.org account information.
Host Name
Enter your host name in the three Host Name fields. For example, if your host name were myhouse.dyndns.org, then myhouse would go into the first field, dyndns would go into the second field, and org would go into the last field.
Click Save Settings, and the status of the DDNS function will be updated.
other routers on the network. It determines the route that the network packets take based on the fewest number of hops between the source and the destination.
Subnet Mask
Enter the subnet mask used on the destination LAN IP domain. For Class C IP domains, the subnet mask is 255.255.255.0.
Working Mode
Select Gateway mode if the Router is hosting your network’s connection to the Internet.
Unknown MAC Address List
To add an IP address and MAC address set to the Static IP list, select Enable, and then click Apply. To add all IP addresses and MAC addresses to the Static IP list, click Select All. To update the on-screen information, click Refresh. To exit this screen and return to the DHCP > Setup screen, click Close.
Static IP Address
Enter the static IP address. You can enter 0.0.0.0 if you want the Router to assign a static IP address to the device.
NOTE: To support NetBIOS for DHCP and Virtual Passage clients, the Router uses two methods. (Virtual Passage is an ActiveX-based VPN client that provides full network connectivity for Windows users. It allows remote access to the Router’s network through a secure connection.) First, when the DHCP and Virtual Passage clients receive dynamic IP addresses from the Router, the Router automatically includes the information of the WINS server to support NetBIOS.
to configure the Device IP Address and Subnet Mask settings.)
• Subnet1-4 The subnet numbers are created according to the VLAN numbers. (The multiple subnets can also be configured on the Setup > Network screen.)
• IP Address Enter an IP address.
• Subnet Mask Select the appropriate subnet mask.
Dynamic IP Range
When the IP Address and Subnet Mask settings are configured, the range of IP addresses is displayed.
System Management > Diagnostic > Ping
Ping host or IP address
Enter the IP address of the device being pinged, and click Go. The test will take a few seconds to complete. When completed, the Router will display the results at the bottom of the screen. The results include this information: status; number of packets transmitted, received, or lost; and round trip time (minimum, maximum, and average).
from the Restart screen, then the Router will send out your log file before it is reset.
called RVL200.exp by default, but you may rename it if you wish. This process may take up to a minute.
System Management > Port Mirroring
Port Mirroring monitors and copies network traffic by transferring copies of incoming and outgoing packets from source ports to a target port. This feature is used as a monitoring, diagnostic, and debugging tool.
Speed
Select the port speed, 10M or 100M.
Duplex
Select the duplex mode, Half or Full.
Auto Neg.
Select Enable if you want the Router’s ports to auto-negotiate connection speeds and duplex mode; then you will not need to set up speed and duplex settings separately.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
Port Management > Port Status
Status information is displayed for the selected port.
[Figure: System Management > IGMP Snooping]
Port Receive Packet Count
The number of packets received is displayed.
Port Receive Packet Byte Count
The number of packet bytes received is displayed.
Port Transmit Packet Count
The number of packets transmitted is displayed.
on the interface.) Click Add VLAN to add the single VLAN ID.
VLAN ID Range
Enter the starting and ending port numbers of the VLAN ID Range. Then click Add Range.
QoS > Bandwidth Management
Quality of Service (QoS) features let you control how the Router manages network traffic. With Bandwidth Management (Layer 3), the Router can provide better service to selected types of network traffic. There are two types of functionality available, and only one type can work at one time. Rate Control functionality is for minimum (guaranteed) bandwidth and maximum bandwidth by service or IP address, while Priority functionality is for services.
Rate Control
Service
Select the Service you want. If the Service you need is not listed in the menu, click Service Management to add the new service. The Service Management screen appears.
Click Add to List, and configure as many rules as you would like, up to a maximum of 100. To delete a rule, select it and click Delete selected application. Click Summary to see a summary of the Rate Control rules.
Summary (Rate Control Selected)
To change a rule, click Edit.
Summary (Priority Selected)
To change a rule, click Edit. To update the list, click Refresh. To return to the Bandwidth Management screen, click Close. On the Bandwidth Management screen, click Save Settings to save your changes, or click Cancel Changes to undo them.
Service Management
Service Name
Enter a name.
Protocol
Select the protocol it uses.
QoS > QoS Setup
The QoS Setup screen lets you enable QoS and configure Trust Mode and Class of Service (CoS) settings.
None
QoS > Queue Settings
If the None option is selected, then the Router prioritizes each packet based on the required level of service for its four LAN ports, using four priority queues with strict or Weighted Round Robin (WRR) queuing. You can use these functions to assign independent priorities for delay-sensitive data and best-effort data.
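As an added example (not from this guide or the Router’s firmware) that models the four-queue strict and WRR scheduling described here, fed by the ToS/DSCP classification that the QoS > DSCP Settings screen configures, assuming queue 4 is the highest priority and using a constructed DSCP-to-queue table and constructed WRR weights:

```python
from collections import deque

# Queue numbering assumed for this example: 1 (lowest) .. 4 (highest),
# matching the four priority queues the guide describes.
QUEUES = (4, 3, 2, 1)  # service order, highest priority first


def tos_fields(tos):
    """Split an IPv4 ToS octet into IP Precedence (top 3 bits), DSCP (top 6 bits) and ECN (low 2 bits)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be a single octet")
    return {"precedence": tos >> 5, "dscp": tos >> 2, "ecn": tos & 0x03}


def tos_from_ipv4_header(packet):
    """Return the ToS octet (second byte) of a raw IPv4 header; rejects non-IPv4 or truncated input."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    return packet[1]


def dscp_to_queue(dscp):
    """Constructed DSCP-to-queue table; on the Router the administrator fills this in on QoS > DSCP Settings."""
    if dscp == 46 or dscp >= 48:   # EF and CS6/CS7: highest queue
        return 4
    if 32 <= dscp <= 39:           # AF4x / CS4
        return 3
    if 16 <= dscp <= 31:           # AF2x, AF3x / CS2, CS3
        return 2
    return 1                       # best effort and everything else


class QueueScheduler:
    """Four priority queues drained either strictly or by Weighted Round Robin (WRR)."""

    def __init__(self, mode="strict", weights=None):
        if mode not in ("strict", "wrr"):
            raise ValueError("mode must be 'strict' or 'wrr'")
        self.mode = mode
        # WRR weights are constructed for this example: packets sent per round from each queue
        self.weights = weights or {4: 4, 3: 3, 2: 2, 1: 1}
        self.queues = {q: deque() for q in QUEUES}

    def enqueue(self, packet_id, tos, table=dscp_to_queue):
        """Classify one packet by its ToS octet and place it in the mapped queue; returns the queue number."""
        queue = table(tos_fields(tos)["dscp"])
        self.queues[queue].append(packet_id)
        return queue

    def drain(self):
        """Return the transmit order of all queued packets under the configured mode."""
        order = []
        if self.mode == "strict":
            # Strict: a lower queue is served only when every higher queue is empty,
            # so sustained high-priority traffic can starve best-effort traffic.
            for q in QUEUES:
                while self.queues[q]:
                    order.append(self.queues[q].popleft())
            return order
        # WRR: each round visits every queue and sends at most `weight` packets from it,
        # so the lower queues still get a share of the link.
        while any(self.queues.values()):
            for q in QUEUES:
                for _ in range(self.weights[q]):
                    if not self.queues[q]:
                        break
                    order.append(self.queues[q].popleft())
        return order


def demo(mode):
    """Constructed traffic mix: six EF (DSCP 46) packets and two best-effort (DSCP 0) packets."""
    sched = QueueScheduler(mode)
    for i in range(1, 7):
        sched.enqueue(f"ef{i}", 46 << 2)
    for i in range(1, 3):
        sched.enqueue(f"be{i}", 0)
    return sched.drain()


if __name__ == "__main__":
    print("strict:", demo("strict"))
    print("wrr:   ", demo("wrr"))
```

Under strict queuing the two best-effort packets are sent only after all six EF packets; under WRR they are interleaved after every four EF packets.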
based QoS in Layer 3, the Router can use the priority bits in the Type of Service (ToS) octet to prioritize traffic. If priority bits are used, the ToS octet may contain three bits for IP Precedence or six bits for DSCP service.
QoS > DSCP Settings
DSCP Settings
DSCP to Queue
DSCP
This is the DSCP value in the incoming packet.
Queue
Select the traffic forwarding queue number to which the DSCP priority is mapped.
Firewall > General
NOTE: SSL VPN has higher priority than Port Forwarding when HTTPS is enabled.
HTTP
To allow HTTP connections for remote management, select Enable. Otherwise, select Disable. Then enter the port number you want to use for remote management (port 80 or 8080 is usually used).
Multicast Pass Through
This option is disabled by default. IP multicasting occurs when a single data transmission is sent to multiple recipients at the same time.
Time
The time interval to which the access rule applies is displayed.
Day
The days to which the access rule applies are displayed.
Click Edit to edit an access rule, and click the Trash Can icon to delete an access rule. If the Access Rules table has multiple pages, select a different page to view from the Jump to drop-down menu. If you want more or fewer entries listed per page, select a different number from the entries per page drop-down menu.
Source
Select the Source IP address(es) for the access rule. If it can be any IP address, select Any. If it is one IP address, select Single and enter the IP address. If it is a range of IP addresses, select Range, and enter the starting and ending IP addresses in the Addr. Range Begin and Addr. Range End fields. If the Source is all IP addresses, then enter * in the Addr. Range Begin field.
Destination
Select the Destination IP address(es) for the access rule.
Group Name
Enter a name for the new group.
Show unknown IP/MAC addresses
If you do not know a computer’s IP or MAC address, click Show unknown IP/MAC addresses. The Unknown MAC Address List appears.
Unknown IP Address List
IP Address
Select this option to view all LAN IP addresses.
IP Address
The IP address is displayed.
Name
Enter a name for the device.
To delete a group, select it and click Delete selected group on the Content Filter screen.
Summary
Tunnel Used
The number of VPN tunnels being used is displayed.
Tunnel Available
The number of available VPN tunnels is displayed.
Tunnel Enabled
The number of enabled VPN tunnels is displayed.
Tunnel Status
Add New Tunnel
Click Add New Tunnel to add a Gateway-to-Gateway tunnel. The Mode Choose screen appears.
Gateway” section for more information. Click the Trash Can icon to delete all of your tunnel settings for each individual tunnel.
FQDN) Authentication, Dynamic IP + Domain Name(FQDN) Authentication, or Dynamic IP + Email Addr.(USER FQDN) Authentication. Follow the instructions for the type you want to use.
NOTE: The Local Security Gateway Type you select should match the Remote Security Gateway Type selected on the VPN device at the other end of the tunnel.
Local Security Group Type
Select the local LAN user(s) behind the Router that can use this VPN tunnel.
NOTE: The Remote Security Gateway Type you select should match the Local Security Gateway Type selected on the VPN device at the other end of the tunnel.
IP Only
The default is IP Only. Only the computer with a specific IP address will be able to access the tunnel. Select IP address or IP by DNS Resolved.
IP address
Select this option if you know the static IP address of the remote VPN device at the other end of the tunnel, and then enter the IP address.
Subnet
The default is Subnet. All computers on the remote subnet will be able to access the tunnel.
IP address
Enter the IP address.
Subnet Mask
Enter the subnet mask. The default is 255.255.255.0.
IP Range
Specify a range of IP addresses within a subnet that will be able to access the tunnel.
IP range
Enter the range of IP addresses.
IPSec Setup
In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication.
the Authentication Key will be automatically completed with zeroes until it has 40 hexadecimal values. Make sure both ends of the VPN tunnel use the same Authentication Key.
Advanced
Manual
Incoming and Outgoing SPI (Security Parameter Index)
SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the SA, under which a packet should be processed.
the Router will disconnect the tunnel so the connection can be re-established. Specify the interval between HELLO/ACK messages (how often you want the messages to be sent). DPD is enabled by default, and the default interval is 10 seconds.
Click Save Settings to save your changes, or click Cancel Changes to undo them.
IPSec VPN > VPN Pass Through
The VPN Pass Through screen allows you to enable or disable pass-through for a variety of VPN methods.
Generate New Certificate
Click this option to generate a new certificate. It will replace the Router’s existing certificate.
Export Certificate for Administration
The certificate for administration holds the private key and should be stored in a safe place as a backup. Select this option to store your administration certificate as a file. The default filename is RVL200_MMDD_HHMM.pem, which you can rename.
NOTE: If your users are unable to connect via Active Directory, verify the following:
1. The time settings between the Active Directory server and the Router must be synchronized. Kerberos authentication, used by Active Directory to authenticate clients, permits a maximum of a 15-minute time difference between the Windows server and client (the Router).
2. Make sure your Windows server is configured for Active Directory authentication. If you are using a Windows NT 4.
SNMP > Global Parameters
Configure the parameters to define the SNMP Engine ID and notification.
SSL VPN > Virtual Passage
Virtual Passage Client Address Range
Define the range of IP addresses to assign to incoming Virtual Passage clients. The default is 192.168.1.200 to 192.168.1.210. The Router can support up to five concurrent active users.
Range Start
Enter the starting IP address of the IP address range.
SNMP > Views
Configure this screen to allow or deny access to SNMP features.
• IP-MIB 1.3.1.2.1.48
• IF-MIB 1.3.6.1.2.1.31
• TCP-MIB 1.3.6.1.2.1.49
• UDP-MIB 1.3.6.1.2.1.50
• SNMPv2-MIB 1.3.6.1.6.3.1
• RFC1213-MIB 1.3.6.1.2.1.1
• SNMP-VIEW-BASED-ACM-MIB 1.3.6.1.6.3.16
• SNMP-COMMUNITY-MIB 1.3.6.1.6.3.18
• SNMP-FRAMEWORK-MIB 1.3.6.1.6.3.10
• SNMP-MPD-MIB 1.3.6.1.6.3.11
• SNMP-USER-BASED-SM-MIB 1.3.6.1.6.3.15
• SNMP-TARGET-MIB 1.3.1.6.3.
Security Model
Select the version of SNMP the group uses: SNMPv1, SNMPv2, or SNMPv3.
Security Level
This option is available if SNMPv3 is selected for the Security Model. Select No Authentication if no authentication or privacy security levels are specified. Select Authentication if SNMP message origins are authenticated. Select Privacy if SNMP messages are authenticated and encrypted.
Select how you want to define the access control of this community.
Basic
Access Mode
This allows both v1 and v2c operation requests. Select Read Only if you want the user to have read-only access to the parameters of the MIB tree with respect to the view name. Select Read Write if you want the user to have read/write access to the parameters of the MIB tree with respect to the view name.
SNMPv3
Select this option if you want to use SNMPv3. Then configure the following:
User Name
Enter the name of the user who receives SNMP notifications.
Security Level
Select No Authentication if no authentication or privacy security levels are specified.
System Log
Syslog
Syslog is a standard protocol used to capture information about network activity. The Router supports this protocol and can send its activity logs to an external server.
e-mailed at the same time. The default is Severity0_Emergency.
Time
The time of each log event is displayed. You can sort each log by time sequence.
Event-Type
The type of log event is displayed.
Click E-mail Log Now to immediately send the log to the address in the Send E-mail to field.
Log Setting
Alert Log
Syn Flooding
Select this option if you want Syn Flooding events to trigger an alert.
2. Your Internet Service Provider (ISP) may require you to use a host and domain name for your Internet connection. If your ISP requires them, complete the Host Name and Domain Name fields; otherwise leave these blank. Click Next to continue. Click Exit if you want to exit the Setup Wizard.
Log > System Statistics
Click Refresh to update the statistics.
Wizard
Use this tab to access two Setup Wizards, the Basic Setup Wizard and the Access Rule Setup Wizard.
4. Depending on which connection type you have selected, the appropriate screen will appear. Follow the instructions for the appropriate connection type:
Obtain an IP automatically
On the DNS Servers screen, enter the DNS server IP addresses you want to use (you must enter at least one). Click Next to continue, and proceed to step 5. Click Previous if you want to return to the previous screen. Click Exit if you want to exit the Setup Wizard.
your Internet access disconnects. The default is 5 minutes. If you select the Keep alive option, the Router will keep the connection alive by sending out a few data packets periodically, so your ISP thinks that the connection is still active. This option keeps your connection active indefinitely, even when it sits idle. The default Redial Period is 30 seconds.
2. This screen explains the Access Rules, including the Router’s Default Rules. Click Next to continue.
4. Select the service you want from the Service pull-down menu. Click Next to continue. Click Previous if you want to return to the previous screen. Click Exit if you want to exit the Setup Wizard.
6. Select the appropriate Source Interface: LAN, WAN, or Any from the Interface pull-down menu. Select the Source IP address(es) for this Access Rule. If it can be any IP address, select Any.
8. Decide when you want this Access Rule to be enforced. Select Always if you want the Access Rule to be always enforced. Click Next to continue. Click Previous if you want to return to the previous screen. Click Exit if you want to exit the Setup Wizard.
10. A screen appears to notify you that the settings have been saved. If you want to add another Access Rule, click OK, and the first screen of the Access Rule Setup Wizard will appear.
session. (If you end the session, you will need to re-enter your User Name and Password to log in and then manage the Router.) After you click the Logout tab, a Warning screen appears. It will ask you to confirm that you want to delete the History Item for the Router. (The Web Cache Cleaner will prompt you to delete all temporary Internet files, cookies, and browser history during logout.) Click Yes.
Appendix A: Troubleshooting
The firmware upgrade has failed.
A firmware upgrade takes approximately ten minutes. An error may occur if you powered off the Router, pressed the Reset button, closed the System Management > Firmware Upgrade screen, or disconnected the computer from the Router during the firmware upgrade.
The Router does not have a coaxial port for the cable connection.
The Router does not replace your modem.
Appendix B: Virtual Passage SSL VPN Client
Overview
The Router’s SSL VPN Portal includes an ActiveX-based VPN client that provides full network connectivity for Windows users. This client, called the Virtual Passage Client, lets you remotely access the Router’s network through a secure connection. This chapter discusses the Virtual Passage Client for Windows, Mac, and Linux Operating System (OS) users.
13. Deselect (remove the checkmark from) Override automatic cookie handling.
14. Click OK.
15. Click OK again.
[Figure: Internet Explorer > Internet Options > Privacy]
Netscape Communicator 8.0 or Higher
1. Open Netscape Communicator.
2. Click Tools.
3. Click Options.
4. Click Site Controls.
5.
14. Select Use SSL 2.0 and Use SSL 3.0.
15. Click OK.
[Figure: Netscape Communicator > Options > Advanced > Security]
Make the SSL VPN Portal a Trusted Site (Windows OS)
Login for the SSL VPN Portal (Windows OS)
Follow these instructions to log in:
1. Enter the IP address of the Router, https://, in your web browser. Then press the Enter key.
2. A login screen appears. Enter your user name in the User Name field, and enter your password in the Password field.
3. Click Login.
1. Click the Unlock icon.
[Figure: Click the Unlock Icon]
2.
3. On the Security Warning screen, click Yes.
[Figure: Click Yes to Install]
4. A second Security Warning screen asks you if you want to install XTunnel, the Virtual Passage application. Click Install.
After the software is installed, you will be notified that the SSL VPN tunnel has been established.
[Figure: SSL VPN Tunnel Established]
An icon appears in the system tray of your computer.
3. Click Login.
Windows Vista Usage
If you use Windows Vista to establish an SSL VPN connection and do not disable the User Account Control (UAC) feature, an error message will display, indicating that Virtual Passage was not installed.
[Figure: Vista Error Message]
To install Virtual Passage, follow these instructions:
1. Click Start.
2. Select All Programs > Control Panel > User Accounts > Turn User Accounts On or Off.
3.
2. A screen may appear indicating that the certificate cannot be verified. Linksys has confirmed that the certificate is valid. Click Continue.
[Figure: Click to Continue]
3. On the Warning screen, click Run.
NOTE: If you used Safari or Firefox to establish the SSL VPN connection through HTTP and want to switch to HTTPS to re-establish the SSL VPN connection, you must close your web browser before switching to HTTPS.
Removal of the Virtual Passage Client (Mac OS X)
Before You Begin (Linux OS)
Make sure you have administrative rights on your computer. Then install the freeware, Java Runtime Environment (JRE), on your computer. To download the freeware, visit Java-related websites. If you do not install JRE, a warning message will appear, and you cannot install the Virtual Passage Client.
Before you begin, make sure you have administrative rights on your computer. Then follow these instructions:
1. Click the Unlock icon.
4. On the Warning screen, click Run.
[Figure: Click Run]
After the software is installed, you will be notified that the SSL VPN tunnel has been established.
[Figure: SSL VPN Tunnel Established]
To end the SSL VPN connection, click Disconnect.
Removal of the Virtual Passage Client (Linux OS)
To remove the Virtual Passage Client, follow these instructions:
1.
2. After the software is removed, you will be notified. Click OK.
[Figure: Click OK]
Appendix C: Bandwidth Management
Overview
This appendix explains how to ensure Quality of Service (QoS) on Vonage Voice over Internet Protocol (VoIP) phone service. This example uses Vonage; however, similar instructions will apply to other VoIP services.
Creation of New Services
Create two new services, Vonage VoIP and Vonage 2.
1. Visit Vonage’s website at http://www.vonage.com. Find out the ports used for Vonage VoIP service.
2.
Creation of New Bandwidth Management Rules
Create four new rules: Vonage VoIP (Upstream), Vonage VoIP (Downstream), Vonage 2 (Upstream), and Vonage 2 (Downstream).
1. On the Bandwidth Management screen, select Vonage VoIP from the Service drop-down menu.
2.
14. After you have set up the rule, click Add to list.
16. Enter the IP address or range you need to control. To include all internal IP addresses, keep the default, 0.
Appendix D: Active Directory Server

NOTE: Windows Server 2000 and 2003 support the Active Directory server feature.

To configure an Active Directory server:
1. Click the Start button of your Windows computer.
2. Click Settings.
3. Click Control Panel.
4. Double-click Administrative Tools.
5. Click Next.
[Figure: Welcome to the Configure Your Server Wizard]
6. Click Next.
7. Select Domain Controller (Active Directory), and then click Next.
[Figure: Server Role]
8. Click Next.
9. Click Next.
[Figure: Welcome to the Active Directory Installation Wizard]
10. Click Next.
11. Select Domain controller for a new domain, and then click Next.
[Figure: Domain Controller Type]
12. Select Domain in a new forest, and then click Next.
13. Enter a domain name, and then click Next.
[Figure: New Domain Name]
14. Enter a domain NetBIOS name, and then click Next.
15. Select the folders that will store the Active Directory database and log. Then click Next.
[Figure: Database and Log Folders]
16. Enter a location for the SYSVOL folder, and then click Next.
17. Select I will correct the problem later by configuring DNS manually (Advanced), and then click Next.
[Figure: DNS Registration Diagnostics]
18. Select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems. Then click Next.
19. Enter your Administrator password for the Active Directory server. Then enter it again in the Confirm password field. Click Next.
[Figure: Directory Services Restore Mode Administrator Password]
20. Click Next.
Active Directory Server Troubleshooting
If your users are unable to connect via Active Directory, check the following:
• The time settings of the Active Directory server and the Router must be synchronized. Kerberos authentication, used by Active Directory to authenticate clients, permits a maximum 15-minute time difference between the Windows server and the client (the Router).
• Make sure that your Windows server is configured for Active Directory authentication.
Appendix E: User for the Active Directory Server

NOTE: Windows Server 2000 and 2003 support the Active Directory server feature.

To create a user for Active Directory:
1. Click the Start button of your Windows computer.
2. Click Settings.
3. Click Control Panel.
4. Double-click Administrative Tools.
7. Enter the user information in the various name fields. Enter a User login name, and select the appropriate domain from the drop-down menu. Then click Next.
9. Click Finish to create the new user.
Appendix F: Internet Authentication Service (IAS) Server

NOTE: Windows Server 2000 and 2003 support the IAS server feature.

To install an IAS server:
1. Click the Start button of your Windows computer.
2. Click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. In the Components section, click Networking Services. Click Details. Select Internet Authentication Service. Click OK. Then click Next.
[Figure: Windows Components]
5.
11. Click Next.
[Figure: Welcome to the New Remote Access Policy Wizard]
12. Select Set up a custom policy, and enter a policy name. Then click Next.
[Figure: Policy Configuration Method]
13. To add a policy, click Add.
[Figure: Policy Conditions]
14. Select Client-IP-Address, and then click Add.
[Figure: Select Attribute]
15. Enter an IP address, and then click OK. Enter the Router's LAN IP address.
16. Make sure a policy has been added, and then click Next.
[Figure: Policy Conditions]
17. Select Grant remote access permission, and then click Next.
18. Click Edit Profile.
[Figure: Profile]
19. On the Authentication tab, deselect (remove the checkmark from) Microsoft Encrypted Authentication version 2 and Microsoft Encrypted Authentication. Select Unencrypted authentication. Click Apply.
20. On the Encryption tab, select Basic encryption, Strong encryption, Strongest encryption, and No encryption. Click Apply.
[Figure: Encryption]
21. Click Finish.
[Figure: Completing the New Remote Access Policy Wizard]
22. Make sure the policy has been added.
23.
27. Click Internet Authentication Service.
[Figure: Internet Authentication Service]
28. Right-click Remote Access Policies, and click New Connection Request Policy.
[Figure: Connection Request Policies]
29. Click Next.
[Figure: Welcome to the New Connection Request Policy Wizard]
30. Select A custom policy, and enter a policy name. Then click Next.
[Figure: Policy Configuration Method]
31. To add a policy, click Add.
[Figure: Policy Conditions]
32. Select Client-IP-Address, and then click Add.
[Figure: Select Attribute]
33. Enter an IP address, and then click OK. Enter the Router's LAN IP address.
34. Make sure a policy has been added, and then click Next.
[Figure: Policy Conditions]
35. Click Edit Profile.
36. On the Authentication tab, select Authenticate request on this server, and then click OK.
[Figure: Authentication]
37. Click Finish.
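Step 19 above leaves only Unencrypted authentication (PAP) enabled for the Router's requests to IAS, Microsoft's RADIUS server. As an added illustration that is not part of this guide and not the Router's or IAS's own code, the Python below implements the RADIUS User-Password hiding of RFC 2865 section 5.2, which is the only protection a PAP password has on the path between the Router and the IAS server: each 16-byte block is XORed with MD5(shared secret + previous block), seeded by the Request Authenticator, so confidentiality rests entirely on the shared secret both sides are configured with. The secret, password and authenticator values are constructed.

```python
import hashlib
import os

BLOCK = 16  # RFC 2865 hides the User-Password attribute in 16-byte blocks


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side of RFC 2865 section 5.2 (what a RADIUS client does for PAP).

    The password is null-padded to a multiple of 16 bytes. Block i is XORed
    with b_i = MD5(secret + c_(i-1)), where c_0 is the 16-byte Request
    Authenticator and c_(i-1) is the previous hidden block.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += block
        prev = block  # chaining: the next keystream depends on this hidden block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the RADIUS server reverses the hiding with the same shared secret."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")  # strip the null padding added by the client


def new_request_authenticator() -> bytes:
    """A fresh random 16-byte Request Authenticator for each Access-Request."""
    return os.urandom(BLOCK)


def demo() -> dict:
    """Round trip with constructed values; returns the facts a test can check."""
    secret = b"constructed-shared-secret"  # constructed example value, not a real secret
    auth = new_request_authenticator()
    password = b"constructed-user-password"  # 25 bytes, so two hidden blocks
    hidden = hide_user_password(password, secret, auth)
    return {
        "hidden_len": len(hidden),
        "round_trip_ok": reveal_user_password(hidden, secret, auth) == password,
        # a server holding a different shared secret cannot recover the password
        "wrong_secret_ok": reveal_user_password(hidden, b"other-secret", auth) == password,
    }


if __name__ == "__main__":
    print(demo())
```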
Appendix G: Lightweight Directory Access Protocol (LDAP) Server
1. Access the Router's web-based utility.
2. Click the SSL VPN tab.
3. Click the User Management tab.
4. From the Authentication Type drop-down menu, select LDAP.
[Figure: SSL VPN > User Management]
5. In the Server Address field, enter the IP address or domain name of the server.
6.
Appendix H: Deployment in an Existing Network

Overview
If you have a current VPN router in your network, you can add the 4-Port SSL/IPSec VPN Router (model number: RVL200), so that the SSL clients can access the existing network resources.

4. Remove the checkmark from the Enable DHCP Server setting.
8. In the Static Routing section, enter 0.0.0.0 in the Destination IP field.
9. Enter 0.0.0.0 in the Subnet Mask field.
WAN-to-LAN Connection
Remote users with a 192.168.1.x Virtual Passage IP can access the headquarters' corporate network using Virtual Passage via the WAN IP of the RV082.
[Figure: WAN-to-LAN connection. Branch Office: RV082; RVL200 (WAN IP: 192.168.1.2, LAN IP: 192.168.2.1). Headquarters: RV082 (WAN1, WAN2, LAN); Corporate Network LAN: 192.168.1.100-192.168.1.200]

RVL200 WAN to RV082 LAN
To connect the RVL200 WAN to the RV082 LAN:
1.
Appendix I: Gateway-to-Gateway VPN Tunnel

Overview
This appendix explains, by example, how to configure an IPSec VPN tunnel between two VPN Routers. Two computers are used to test the liveness of the tunnel.

Configuration of the RVL200
Follow these instructions for the first VPN Router, designated RVL200. The other VPN Router is designated the RV082.
1. Launch the web browser for a networked computer, designated PC 1.
2. Access the web-based utility of the RVL200.
8. For the Remote Security Gateway Type, select IP address. Enter the RVL200's WAN IP address in the IP Address field.
9. For the Remote Security Group Type, select Subnet. Enter the RVL200's local network settings in the IP Address and Subnet Mask fields.
10. In the IPSec Setup section, select the appropriate encryption, authentication, and other key management settings.
11. In the Preshared Key field, enter a string for this key, for example, 13572468.
Configuration when the Remote Gateway Uses a Dynamic IP Address
This example assumes the Remote Gateway is using a dynamic IP address. If the Remote Gateway uses a static IP address, refer to "Configuration when the Remote Gateway Uses a Static IP Address."
[Figure: RV082 (dynamic IP: B.B.B.B, domain name: www.abc.com; LAN: 192.168.1.1) and RVL200 (WAN: A.A.A.A; LAN: 192.168.5.1)]
[Figure: RVL200 IPSec VPN Settings]
8. For the Remote Security Gateway Type, select IP by DNS Resolved.
7. The WAN IP address (B.B.B.B) of the RV082 will be automatically detected. For the Local Security Group Type, select Subnet. Enter the RV082's local network settings in the IP Address and Subnet Mask fields.

Configuration when Both Gateways Use Dynamic IP Addresses
This example assumes both Gateways are using dynamic IP addresses. If the Remote Gateway uses a static IP address, refer to "Configuration when the Remote Gateway Uses a Static IP Address."
7. The WAN IP address (B.B.B.B) of the RV082 will be automatically detected. For the Local Security Group Type, select Subnet. Enter the RV082's local network settings in the IP Address and Subnet Mask fields.
[Figure: RVL200 IPSec VPN Settings]
8. For the Remote Security Gateway Type, select IP by DNS Resolved. Enter the RV082's domain name in the field provided.
9. For the Remote Security Group Type, select Subnet.
Appendix J: IPSec NAT Traversal

Overview
Network Address Translation (NAT) traversal is a technique developed so that data protected by IPSec can pass through a NAT. (See NAT 1 and NAT 2 in the diagram.) Since IPSec provides integrity for the entire IP datagram, any changes to the IP addressing will invalidate the data.

Configuration of Scenario 1
In this scenario, Router A is the RVL200 Initiator, while Router B is the RVL200 Responder.
[Figure: Router A's IPSec VPN Settings]
7. The WAN IP address of Router A will be automatically detected. For the Local Security Group Type, select Subnet. Enter Router A's local network settings in the IP Address and Subnet Mask fields.
8. For the Remote Security Gateway Type, select IP Only. Enter the WAN IP address of NAT 2 - RV042 in the IP Address field.
[Figure: Router B's IPSec VPN Settings]
8. For the Remote Security Gateway Type, select IP address.
Configuration of Scenario 2
In this scenario, Router B is the RVL200 Initiator, while Router A is the RVL200 Responder.

Configuration of the One-to-One NAT Rules
Router B will have the Remote Security Gateway IP address set to a public IP address that is associated with the WAN IP address of Router A, which is behind the NAT. Hence the public IP address (192.168.99.1) must be mapped to the WAN IP address (192.168.11.
9. For the Remote Security Group Type, select Subnet. Enter Router A's local network settings in the IP Address and Subnet Mask fields.
9. For the Remote Security Group Type, select Subnet. Enter Router B's local network settings in the IP Address and Subnet Mask fields.
10. In the IPSec Setup section, select the appropriate encryption, authentication, and other key management settings.
Appendix K: Configuration of Multiple Subnets

Overview
The 4-Port SSL/IPSec VPN Router (model number: RVL200) can support multiple subnets. The configuration example shows an RVL200 deploying two routers. Any router can be deployed; however, this example uses the Linksys 10/100 4-Port VPN Router (model number: RV042). To create this configuration, you create two subnets and two static routes on the RVL200.
[Figure: RVL200-to-RV042 Configuration]

RVL200 Configuration
[Figure: Setup > Network]
4. In the LAN Setting section, select Multiple Subnet.
5. Click Add/Edit. A new screen appears.
[Figure: Setup > Advanced Routing]
17. In the Static Routing section, enter 192.168.7.0 in the Destination IP field.
18. Enter 255.255.255.0 in the Subnet Mask field.
19. Enter 192.168.1.2 in the Default Gateway field.
20. Enter 1 in the Hop Count field.
21. Select LAN from the Interface drop-down menu.
22.
9. Enter 192.168.1.2 in the Default Gateway field.
10. Enter 1 in the Hop Count field.
11. Select WAN1 from the Interface drop-down menu.
12. To create the static route, click Add to list.
13. Click Save Settings.
14. Click the Firewall tab.
15. For the Firewall setting, select Disable.
16. Click Save Settings.

RV042 #2 Configuration
1. Launch the web browser for a computer connected to one of the Ethernet ports of the RV042 #2.
2.
Appendix L: Multiple VLANs with Computers

Overview
The 4-Port SSL/IPSec VPN Router (model number: RVL200) can support multiple Virtual Local Area Networks (VLANs). The configuration example shows the Router deploying a Layer 2 managed switch, which deploys three VLANs.
[Figure: RVL200 Port 4: Trunking Port]
5. Select Enable VLAN.
6. Enter 2 in the VLAN ID field.
7. To create VLAN2, click Add VLAN.
8. Enter 3 in the VLAN ID field.
9. To create VLAN3, click Add VLAN.
10. Enter 4 in the VLAN ID field.
11. To create VLAN4, click Add VLAN.
12. Click the Port Setting tab.
NOTE: All VLANs will be part of the default subnet of the Router.
23. Enter a description in the Description field.
24. Select Tagged in the Port 4 column.
25. Click Save Settings.
Appendix M: Multiple VLANs and Subnets

Overview
The 4-Port SSL/IPSec VPN Router (model number: RVL200) can support multiple Virtual Local Area Networks (VLANs) used with multiple subnets.
2. To configure the multiple VLANs, refer to "Appendix L: Multiple VLANs with Computers".
3. Access the web-based utility of the RVL200. (Refer to "Chapter 4: Advanced Configuration" for details.)
4. Click the DHCP tab.
5. Click the Multiple VLANs tab.
– Subnet Mask: Select 255.255.255.0.
– Range Start: Enter 100.
– Range End: Enter 149.
8. For VLAN3, complete the following:
– IP Address: Enter 192.168.3.1. (This is the default, which you can overwrite.)
– Subnet Mask: Select 255.255.255.0.
– Range Start: Enter 100.
– Range End: Enter 149.
9. For VLAN4, complete the following:
– IP Address: Enter 192.168.4.1. (This is the default, which you can overwrite.)
– Subnet Mask: Select 255.255.255.0.
Appendix N: Access of Multiple VLANs over a SSL VPN Tunnel

Overview

3. At the cmd prompt, enter the following:
route add mask 255.255.255.0
Example: route add 192.168.1.201 192.168.3.0 mask 255.255.255.0
4. Press the Enter key.
Appendix O: Firmware Upgrade

Overview
This appendix explains how to upgrade the firmware of the Router.

Before You Begin
If you are using Internet Explorer on Windows XP, disable the pop-up blocking function before you upgrade the Router's firmware. (This avoids a firmware upgrade failure.)
NOTE: Internet Explorer on Windows 2000 and other operating systems does not have this issue.

Internet Explorer 6.0 or Higher
1.
5. Deselect (remove the checkmark from) Block pop-ups.
When you or another user logs out, a Warning screen will appear. It will ask you to confirm that you want to delete the History Item for the Router. Click Yes.
[Figure: Click Yes to Delete History]

Upgrade the Firmware
1. In the Router's web-based utility, click the System Management tab.
2. Click the Firmware Upgrade tab.
3. In the Firmware Download section, click Firmware Download from Linksys Web Site.
[Figure: System Management > Firmware Upgrade]
4.
Appendix P: Battery Replacement

Overview
The Router has a lithium battery, type CR2032, on its main circuit board. This battery has an operating life of approximately 1 to 2 years. When the battery loses its charge, the Router cannot update its time setting unless it is connected to an NTP server.

WARNING: The lithium battery can explode if it is replaced incorrectly. The battery must be replaced with the same or equivalent type of CR2032 lithium battery.
Appendix Q: Specifications

Model: RVL200
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.1q, IEEE 802.

Network
VLAN Support: Supports 16 802.1Q VLANs
DHCP: DHCP Server, DHCP Client
Bandwidth Management: Of WAN (Upstream and Downstream) based on Services (TCP/UDP Ports)
Appendix R: Warranty Information

Limited Warranty
Linksys warrants to You that, for a period of one year (the "Warranty Period"), your Linksys Product will be substantially free of defects in materials and workmanship under normal use. Your exclusive remedy and Linksys' entire liability under this warranty will be for Linksys at its option to repair or replace the Product or refund Your purchase price less any rebates. This limited warranty extends only to the original purchaser.
Appendix S: Regulatory Information

FCC Statement
This product has been tested and complies with the specifications for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.

Industry Canada Statement
1. This device may not cause interference and
User Information for Consumer Products Covered by EU Directive 2002/96/EC on Waste Electric and Electronic Equipment (WEEE)
This document contains important information for users regarding the proper disposal and recycling of Linksys products.
Eesti (Estonian) - Environmental information for customers in the European Union
Under the requirements of European Union Directive 2002/96/EC, equipment that bears this symbol on the product or its packaging must not be disposed of with unsorted municipal waste. This symbol indicates that the product should be disposed of separately from regular household waste streams.

Français (French) - Environmental information for customers in the European Union
Lietuviškai (Lithuanian) - Environmental information for customers in the European Union
European Directive 2002/96/EC requires that equipment bearing this symbol (insert symbol) on the product and/or its packaging must not be disposed of with unsorted municipal waste. This symbol indicates that the product should be disposed of separately from the general household waste stream.

Nederlands (Dutch) - Environmental information for customers in the European Union
Português (Portuguese) - Environmental information for customers in the European Union
European Directive 2002/96/EC requires that equipment bearing this symbol on the product and/or its packaging must not be disposed of with unsorted municipal waste. The symbol indicates that this product should be disposed of separately from regular household waste.

Slovenčina (Slovene) - Environmental information for customers in the European Union
Appendix T: Contact Information

Linksys Contact Information
Website: http://www.linksys.com
FTP Site: ftp.linksys.com
Advice Line: 800-546-5797 (LINKSYS)
Support: 800-326-7114
RMA (Return Merchandise Authorization): 949-823-3000
Fax: 949-823-3002
NOTE: Details on warranty and RMA issues can be found in the Warranty and Regulatory Information sections of this Guide.