Table of Contents
Chapter 1 Introduction ... 1
Broadband VPN Gateway Features ... 1
Package Contents ... 3
Physical Details ...
VPN Examples ... 82
Certificates ... 100
CRL ... 104
VPN Status ...
Chapter 1 Introduction

This Chapter provides an overview of the Broadband VPN Gateway's features and capabilities.

Congratulations on the purchase of your new Broadband VPN Gateway. The Broadband VPN Gateway is a multi-function device providing the following services:
• Shared Broadband Internet Access for all LAN users.
• VPN Gateway for IPSec VPN connections to remote PCs or sites.
• 4-Port Switching Hub for 10BaseT or 100BaseT connections.
Broadband VPN Gateway User Guide

• Virtual Servers. This feature allows Internet users to access Internet servers on your LAN. The required setup is quick and easy.
• Multi-DMZ. For each WAN (Internet) IP address allocated to you, one (1) PC on your local LAN can be configured to allow unrestricted 2-way communication with Servers or individual users on the Internet. This provides the ability to run programs which are incompatible with Firewalls.
• Address List.
Security Features
• Password-protected Configuration. Optional password protection is provided to prevent unauthorized users from modifying the configuration data and settings.
• NAT Protection. An intrinsic side effect of NAT (Network Address Translation) technology is that by allowing all LAN users to share a single IP address, the location and even the existence of each PC is hidden. From the external viewpoint, there is no network, only a single device - the Broadband VPN Gateway.
Physical Details
Front-mounted LEDs
Figure 2: Front Panel
Power: On - Power on. Off - No power.
Status (Red): On - Error condition. Off - Normal operation. Blinking - This LED blinks during start up.
WAN ports (10/100BaseT): Connect the DSL or Cable Modem here. If your modem came with a cable, use the supplied cable. Otherwise, use a standard LAN cable.
LAN: Each port has 2 LEDs.
• WLAN LED
• Link/Act: On - Corresponding LAN (hub) port is active.
Rear Panel
Figure 3: Rear Panel
WAN port 1/2 (10/100BaseT): Connect the DSL or Cable Modem here. If your modem came with a cable, use the supplied cable. Otherwise, use a standard LAN cable.
10/100BaseT LAN connections: Use standard LAN cables (RJ45 connectors) to connect your PCs to these ports.
Note: Any LAN port on the Broadband VPN Gateway will automatically function as an "Uplink" port when required. Just connect any port to a normal port on the other hub, using a standard LAN cable.
Chapter 2 Installation

This Chapter covers the physical installation of the Broadband VPN Gateway.

Requirements
• Network cables. Use standard 10/100BaseT network (UTP) cables with RJ45 connectors.
• TCP/IP protocol must be installed on all PCs.
• For Internet Access, an Internet Access account with an ISP, and a Broadband modem (usually, DSL or Cable modem).

Procedure
Figure 4: Installation Diagram
1.
5. Check the LEDs
• The Power LED should be ON.
• The Status LED should blink during start up, then turn Off. If it stays on, there is a hardware error.
• For each LAN (PC) connection, the LAN Link/Act LED should be ON (provided the PC is also ON).
• The WAN1 or WAN2 LED should be ON.
For more information, refer to Front-mounted LEDs in Chapter 1.
Chapter 3 Setup

This Chapter provides Setup details of the Broadband VPN Gateway.

Overview
This chapter describes the setup procedure for:
• Internet Access
• LAN configuration
PCs on your local LAN may also require configuration. For details, see Chapter 4 - PC Configuration.
Other configuration may also be required, depending on which features and functions of the Broadband VPN Gateway you wish to use. Use the table below to locate detailed instructions for the required functions.
Use the Microsoft VPN feature:
• PPTP Server in the Broadband VPN Gateway.
• User and Client setup.
• Checking VPN connection Status.
Configure or use any of the following:
• Configuration File backup and restore.
3. In the Address box, enter "HTTP://" and the IP Address of the Broadband VPN Gateway, as in this example, which uses the Broadband VPN Gateway's default IP Address: HTTP://192.168.0.1

If you can't connect
If the Broadband VPN Gateway does not respond, check the following:
• The Broadband VPN Gateway is properly installed, LAN connection is OK, and it is powered ON.
Home Screen
After logging in, you will see the Home screen. You will also see this screen whenever you connect in future. An example screen is shown below.
Figure 6: Home Screen

Navigation & Data Input
• Use the menu bar on the left of the screen, and the "Back" button on your Browser, for navigation.
• Changing to another screen without clicking "Save" does NOT save any changes you may have made. You must "Save" before changing screens or your data will be ignored.
WAN Port Configuration
The WAN Port option is on the Setup menu.
Figure 7: WAN Port Screen

Data - WAN Port Screen
WAN Port Settings
Connections: Normally, this can be left at "Automatic". If the device attached to the WAN Port has problems making a connection, you can select the setting required or preferred by the other device.
Connection Type: Select the login method used, and enter the required data.
Gateway: The address of the router or gateway, as supplied by your ISP.
PPPoE Dial-up
User Name: The User Name (or account name) provided by your ISP.
Password: Enter the password for the login name above.
Hostname: Normally, there is no need to change the default name, but if your ISP requests that you use a particular Hostname, enter it here.
DNS
DNS 1: Enter the IP address of the DNS (Domain Name Server) you wish to use.
DNS 2: DNS 2 will be used if DNS 1 is not available.
Port Options Screen
Use the Port Options link on the Setup menu. An example screen is shown below.
Figure 8: Port Options Screen

Data - Port Options Screen
Port Options
Symmetric NAT: If Enabled, all requests from the same internal IP address and port to a specific destination IP address and port are mapped to a unique external source IP address and port.
Compatible NAT: The default value is Disabled.
MTU Size
• MTU (Maximum Transmission Unit) value should only be changed if advised to do so by Technical Support.
• Enter a value between 1 and 1500.
• This device will still auto-negotiate with the remote server, to set the MTU size. The smaller of the 2 values (auto-negotiated, or entered here) will be used.
PPPoE Connection
Automatic Dial-up: An Internet connection is automatically made when required, and disconnected when idle for the time period specified by "Disconnect after Idling".
LAN Port Screen
Use the LAN Port link on the main menu to reach the LAN Port screen. An example screen is shown below.
Figure 9: LAN Port Screen

Data - LAN Port Screen
LAN
LAN IP Address: IP address for the Broadband VPN Gateway, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range. In the latter case, enter an unused IP Address from within the range used by your LAN.
DHCP
What DHCP Does
A DHCP (Dynamic Host Configuration Protocol) Server allocates a valid IP address to a DHCP Client (PC or device) upon request.
• The client request is made when the client device starts up (boots).
• The DHCP Server provides the Gateway and DNS addresses to the client, as well as allocating an IP Address.
• The Broadband VPN Gateway can act as a DHCP server.
• Windows 95/98/ME and other non-Server versions of Windows will act as a DHCP client.
Load/Backup Screen
Use the Load/Backup link on the Setup menu. An example screen is shown below.
Figure 10: Load/Backup Screen

Data - Load/Backup Screen
Administration
WAN: There are 3 modes:
1. If Enable is selected for WAN 1, then choose Backup for WAN 2.
2. If Load Balance is selected for WAN 1, then choose Load Balance for WAN 2.
3. If Backup is selected for WAN 1, then choose Enable for WAN 2.
Chapter 4 PC Configuration

This Chapter details the PC Configuration required on the local ("Internal") LAN.

Overview
For each PC, the following may need to be configured:
• TCP/IP network settings
• Internet Access configuration

Windows Clients
This section describes how to configure Windows clients for Internet access via the Broadband VPN Gateway. The first step is to check the PC's TCP/IP settings.
Checking TCP/IP Settings - Windows 9x/ME:
1. Select Control Panel - Network. You should see a screen like the following:
Figure 11: Network Configuration
2. Select the TCP/IP protocol for your network card.
3. Click on the Properties button. You should then see a screen like the following.
Figure 12: IP Address (Win 95)
Ensure your TCP/IP settings are correct, as follows:
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically.
Figure 13: Gateway Tab (Win 95/98)
• On the DNS Configuration tab, ensure Enable DNS is selected. If the DNS Server Search Order list is empty, enter the DNS address provided by your ISP in the fields beside the Add button, then click Add.
Checking TCP/IP Settings - Windows NT4.0
1. Select Control Panel - Network, and, on the Protocols tab, select the TCP/IP protocol, as shown below.
Figure 15: Windows NT4.0 - TCP/IP
2. Click the Properties button to see a screen like the one below.
Figure 16: Windows NT4.0 - IP Address
3. Select the network card for your LAN.
4. Select the appropriate radio button - Obtain an IP address from a DHCP Server or Specify an IP Address, as explained below.
Obtain an IP address from a DHCP Server
This is the default Windows setting. Using this is recommended. By default, the Broadband VPN Gateway will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from the Broadband VPN Gateway.
Specify an IP Address
If your PC is already configured, check with your network administrator before making the following changes.
1. The Default Gateway must be set to the IP address of the Broadband VPN Gateway.
Figure 18: Windows NT4.
Checking TCP/IP Settings - Windows 2000:
1. Select Control Panel - Network and Dial-up Connection.
2. Right-click the Local Area Connection icon and select Properties. You should see a screen like the following:
Figure 19: Network Configuration (Win 2000)
3. Select the TCP/IP protocol for your network card.
4. Click on the Properties button. You should then see a screen like the following.
Figure 20: TCP/IP Properties (Win 2000)
5.
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the Broadband VPN Gateway will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from the Broadband VPN Gateway.
Using a fixed IP Address ("Use the following IP Address")
If your PC is already configured, check with your network administrator before making the following changes.
Checking TCP/IP Settings - Windows XP
1. Select Control Panel - Network Connection.
2. Right-click the Local Area Connection and choose Properties. You should see a screen like the following:
Figure 21: Network Configuration (Windows XP)
3. Select the TCP/IP protocol for your network card.
4. Click on the Properties button. You should then see a screen like the following.
Figure 22: TCP/IP Properties (Windows XP)
5. Ensure your TCP/IP settings are correct.
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the Broadband VPN Gateway will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from the Broadband VPN Gateway.
Checking TCP/IP Settings - Windows Vista
1. From the Start menu, right-click Network, then click Properties. The Network and Sharing Center displays.
2. Under Tasks, located on the left-hand side of the window, click Manage network connections.
3. In the Network Connections window that displays, right-click the correct Local Area Connection, then click Properties.
4. A pop-up window displays, stating that Windows needs your permission to continue.
Internet Access
To configure your PCs to use the Broadband VPN Gateway for Internet access:
• Ensure that the DSL modem, Cable modem, or other permanent connection is functional.
• Use the following procedure to configure your Browser to access the Internet via the LAN, rather than by a Dial-up connection.
For Windows 9x/ME/2000
1. Select Start Menu - Settings - Control Panel - Internet Options.
2. Select the Connection tab, and click the Setup button.
Macintosh Clients
From your Macintosh, you can access the Internet via the Broadband VPN Gateway. The procedure is as follows.
1. Open the TCP/IP Control Panel.
2. Select Ethernet from the Connect via pop-up menu.
3. Select Using DHCP Server from the Configure pop-up menu. The DHCP Client ID field can be left blank.
4. Close the TCP/IP panel, saving your settings.
Chapter 5 Operation and Status

This Chapter details the operation of the Broadband VPN Gateway and the status screens.

Operation
Once both the Broadband VPN Gateway and the PCs are configured, operation is automatic. However, there are some situations where additional Internet configuration may be required:
• If using Internet-based Communication Applications, it may be necessary to specify which PC receives an incoming connection. Refer to Chapter 6 - Internet Features for further details.
Figure 23: General Status Screen
Data - General Status Screen
WAN1/2
Connection Method: This indicates the current connection method.
IP Address: This IP Address is allocated by the ISP (Internet Service Provider).
Subnet Mask: The Subnet Mask associated with the IP Address above.
Gateway: The IP Address of the remote Gateway or Router associated with the IP Address above.
DNS IP Address: The IP Address of the Domain Name Server which is currently used.
Show Status: Display the usage of the CPU and Memory in a sub-window.

Port Status
Click the "Port Status" button on the Status Log menu. An example screen is shown below.
Figure 24: Port Status Screen

Data - Port Status Screen
Port Status
Network Flow: The picture shows the current network flow.
Buttons
Refresh: Update the data on screen.
Send Network Log: Clicking this button will send the log to the specified E-mail address.
Event Log
An example screen is shown below.
Figure 25: Event Log Screen

Data - Event Log Screen
Event Log
Time: It displays the time when the event occurred.
Event: It describes the details of the event.
Host: It displays the IP Address of the server.
Buttons
Refresh: Update the data shown on screen.
Clear: Delete all data currently in the Log.
URL Log
An example screen is shown below.
Figure 26: URL Log

Data - URL Log
Internet
Time: It displays the time when the log occurred.
Event: It describes the address of the URL.
PC: It displays the IP Address of the PC.
Buttons
Refresh: Update the data shown on screen.
Clear: Delete all data currently in the Log.
System Log
An example screen is shown below.
Figure 27: System Log

Data - System Log Screen
System Log
Search Type: Select the desired options of search type. Click the "Search" button to see the logs in the following log table.
Time: It displays the time when the system log occurred.
Event: It describes the details of the event.
Data Packet Description: It displays the type, source and destination address of the packet.
Chapter 6 Internet Features

This Chapter explains when and how to use the Broadband VPN Gateway's "Internet" Features.

Overview
The following advanced features are provided.
Address List
Click the "Address List" on the Advanced menu to access the screen. An example screen is shown below.
Figure 28: Address List Screen

Data - Address List Screen
Address List
Address List: This lists any existing entries. If you have not entered any values, this list will be empty.
Select All/Cancel: Use this to select/deselect all the entries in the list.
PC Database
The PC Database is used whenever you need to select a PC (e.g. for the "DMZ" PC). It eliminates the need to enter IP addresses. Also, you do not need to use fixed IP addresses on your LAN.
PC Database Screen
An example PC Database screen is shown below.
Figure 29: PC Database
• PCs which are "DHCP Clients" are automatically added to the database, and updated as required.
Data - PC Database Screen
PC List: This lists all current entries. Data displayed is PC Name, MAC Address, IP Address and Certify.
Buttons
Edit: To Edit or modify an existing entry, select it and click the "Edit" button.
Delete: Delete the selected PC from the list. This should be done in 2 situations:
• The PC has been removed from your LAN.
• The entry is incorrect.
Add: This will add the new PC to the list.
URL Filter
The URL Filter allows you to block access to undesirable Web sites. An example screen is shown below.
Figure 30: URL Filter Screen

Data - URL Filter Screen
Filter Strings
Current Entries: This lists any existing entries. If you have not entered any values, this list will be empty.
URL Filter Rule List: Select the desired rule from the list.
URL Filter Rule Name: After the URL Filter Rule is selected, enter the desired name in this field.
Add Key Words: To add an entry to the list, enter it here, and click the "Add" button. An entry may be a Domain name (e.g. www.trash.com) or simply a string (e.g. ads/ ). Any URL which contains ANY entry ANYWHERE in the URL will be blocked.
Buttons
Delete Selected/Delete All: Use these buttons to delete the selected entry or all entries, as required. Multiple entries can be selected by holding down the CTRL key while selecting.
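The "ANY entry ANYWHERE" rule is a plain substring match, so a short string such as ads/ also blocks unrelated URLs that happen to contain it. The model below is an added example, not the gateway's firmware; the keyword list and URLs are constructed, and whether the gateway ignores case is not documented, so the model is case-sensitive.

```python
from typing import Dict, List

# Constructed keyword list, using the two kinds of entry the manual describes:
# a domain name and a plain string.
KEYWORDS = ["www.trash.com", "ads/"]


def matching_keywords(url: str, keywords: List[str]) -> List[str]:
    """Every entry that occurs anywhere in the URL, in list order.
    This is the substring rule stated in the manual, nothing more."""
    return [k for k in keywords if k in url]


def is_blocked(url: str, keywords: List[str]) -> bool:
    return bool(matching_keywords(url, keywords))


def over_blocked(keywords: List[str], allowed_urls: List[str]) -> Dict[str, List[str]]:
    """URLs that must stay reachable but that the keyword list would block,
    with the entries responsible. Run this over a list of known-good URLs
    before adding a short string to the filter."""
    return {u: matching_keywords(u, keywords)
            for u in allowed_urls if is_blocked(u, keywords)}


# Constructed URLs: the third is collateral damage of "ads/", because the
# substring also appears inside "uploads/".
SAMPLE_URLS = [
    "http://www.trash.com/index.html",
    "http://example.net/ads/banner.gif",
    "http://example.net/uploads/report.pdf",
    "http://example.net/about.html",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict = "BLOCK" if is_blocked(u, KEYWORDS) else "allow"
        print(f"{verdict:5} {u} {matching_keywords(u, KEYWORDS)}")
```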
Dynamic DNS
This free service is very useful when combined with the Virtual Server feature. It allows Internet users to connect to your Virtual Servers using a URL, rather than an IP Address. This also solves the problem of having a dynamic IP address. With a dynamic IP address, your IP address may change whenever you connect, which makes it difficult to connect to you.
The Service works as follows:
1. You must register for the service at one of the listed DDNS Service providers.
2.
Data - Dynamic DNS Screen
WAN1/2
DDNS Service: Select the desired DDNS Service provider.
Web Site Button: Click this button to open a new window and connect to the Web site for the selected DDNS service provider.
DDNS Status:
• This message is returned by the DDNS Server.
• Normally, this message should be something like "Update successful" or "IP address updated".
Static Routing
Overview
• If you don't have other Routers or Gateways on your LAN, you can ignore the "Routing" page completely.
• If the Broadband VPN Gateway is only acting as a Gateway for the local LAN segment, ignore the "Routing" page even if your LAN has other Routers.
• If your LAN has a standard Router (e.g.
Figure 32: Static Routing Screen

Data - Static Routing Screen
RIP
RIP Version: Select the desired option from the drop-down list.
Static Routing
Static Routing Table Entries / Properties: This list shows all entries in the Routing Table.
• The "Properties" area shows details of the selected item in the list.
• Change any of the properties as required, then click the "Update Route" button to save the changes to the selected entry.
Buttons
Save: Save the RIP setting. This has no effect on the Static Routing Table.
Add Route: Add a new entry to the Static Routing table, using the data shown in the "Properties" area on screen. The entry selected in the list is ignored, and has no effect.
Update Route: Update the current Static Routing Table entry, using the data shown in the "Properties" area on screen.
Delete Route: Delete the current Static Routing Table entry.
Static Routing - Example
Figure 33: Routing Example
For the Broadband VPN Gateway's Routing Table
For the LAN shown above, with 2 routers and 3 LAN segments, the Broadband VPN Gateway requires 2 entries as follows.
Entry 1 (Segment 1)
Destination IP Address: 192.168.1.0
Network Mask: 255.255.255.0 (Standard Class C)
Gateway IP Address: 192.168.0.100 (Broadband VPN Gateway's local Router)
Interface: LAN
Metric: 2
Entry 2 (Segment 2)
Destination IP Address: 192.168.
Network Mask: 0.0.0.0
Gateway IP Address: 192.168.1.
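How the gateway chooses between entries like those above is longest-prefix matching: the entry with the most specific Network Mask covering the destination wins, and a 0.0.0.0/0.0.0.0 entry is only used when nothing more specific matches. The code below is an added illustration, not the gateway's own code; Entry 1 is taken from the example, while the second segment and the default route are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One Static Routing Table entry, with the fields named on the screen."""
    destination: str   # Destination IP Address, e.g. "192.168.1.0"
    mask: str          # Network Mask, e.g. "255.255.255.0"
    gateway: str       # Gateway IP Address (next hop)
    interface: str     # Interface: "LAN" or "WAN"
    metric: int        # Metric: lower is preferred among equal-length matches

    def network(self) -> ipaddress.IPv4Network:
        # strict=False tolerates a destination whose host bits are not all zero
        return ipaddress.IPv4Network(f"{self.destination}/{self.mask}", strict=False)


def lookup(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific mask wins, then the lowest
    metric. Returns None when no entry (not even a default route) covers dst_ip."""
    dst = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in table if dst in r.network()]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network().prefixlen, r.metric))


def next_hop(table: List[Route], dst_ip: str) -> str:
    """Human-readable decision, useful for checking a table before saving it."""
    r = lookup(table, dst_ip)
    return "unreachable" if r is None else f"{r.interface} via {r.gateway} (metric {r.metric})"


# Constructed table. The first entry is Entry 1 from the manual's example; the
# second segment and the default route are assumptions added to exercise the lookup.
TABLE = [
    Route("192.168.1.0", "255.255.255.0", "192.168.0.100", "LAN", 2),  # Entry 1 (Segment 1)
    Route("192.168.2.0", "255.255.255.0", "192.168.0.100", "LAN", 3),  # constructed
    Route("0.0.0.0", "0.0.0.0", "203.0.113.1", "WAN", 1),              # constructed default route
]

if __name__ == "__main__":
    for ip in ("192.168.1.37", "192.168.2.5", "198.51.100.7"):
        print(ip, "->", next_hop(TABLE, ip))
```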
QoS
Quality of Service (QoS) ensures better service for high-priority services.
Figure 34: QoS Screen

Data - QoS Screen
QoS Setting
QoS Method: Select the desired option.
• QoS Queue: It displays the queue type.
• Priority: Enter the priority value (1~20) of the policy.
• Reliability: Select the desired option from the drop-down list.
• Speed Limit: Enter the desired values for the inbound and outbound traffic limitation.
Based on QoS rules set below
• Policy Name: It displays the name for the policy.
• Throughput: It displays the information of the traffic.
• Queue: Select the desired option.
• Enable: Check this to enable this policy.
Chapter 7 Security Configuration

This Chapter explains the settings available via the security configuration section of the "Security" menu.

Overview
The following advanced configurations are provided.
• Rules
• Schedules
• Log Setting
• Services
• Security
• DMZ
• E-Mail

Rules
For normal operation and LAN protection, it is not necessary to use this screen. The Firewall will always block DoS (Denial of Service) attacks.
Data - Rules Screen
Outbound/Inbound Connection
View Rules for..: Select the desired option; the screen will update and list any current rules. If you have not defined any rules, the list will be empty.
Data: For each rule, the following data is shown:
• Name - The name you assigned to the rule.
• Source - The traffic covered by this rule, defined by the source IP address. If the IP address is followed by ...
Define Firewall Rule (Inbound/Outbound)
Clicking the "Add" button in the Firewall Rules screen will display a screen like the example below.
Figure 36: Define Firewall Rule

Data - Define Firewall Rule Screen
Name: Enter a suitable name for this rule.
Port: Select the desired port as required.
Type: This determines the source and destination ports for traffic covered by this rule. Select the desired option.
Dest IP: These settings determine which traffic, based on its destination IP address, is covered by this rule. Select the desired option:
• Any - All traffic from the source port is covered by this rule.
• Single address - Enter the required IP address in the "Start IP address" field. You can ignore the "Subnet Mask" field.
• IP Address List - If this option is selected, choose the required option.
Services: Select the desired Service or Services.
Schedules
• Blocking will be performed during the scheduled time (between the "Begin" and "End" times).
• Two (2) separate sessions or periods can be defined.
• Times must be entered using a 24 hr clock.
• If the time for a particular day is blank, no action will be performed.
Schedules Screen
This screen is accessed by the Schedules link on the Firewall menu.
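To see how the Define Firewall Rule fields (direction, Dest IP option, Services) and a two-session Schedule combine, the model below evaluates a constructed rule against sample traffic. It is an added example, not the gateway's matching logic; the field names, the first-match precedence and the default-allow outcome are assumptions, since the manual does not state them.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str   # "tcp" or "udp"
    port: int


@dataclass
class Schedule:
    """Begin/End sessions per weekday (0 = Monday), 24 hr clock. A day with no
    sessions is a blank day: the rule takes no action on that day."""
    sessions: Dict[int, List[Tuple[time, time]]] = field(default_factory=dict)

    def active(self, when: datetime) -> bool:
        return any(begin <= when.time() <= end
                   for begin, end in self.sessions.get(when.weekday(), []))


@dataclass
class Rule:
    name: str
    direction: str                        # "inbound" or "outbound"
    dest: str                             # "any", a single IP address, or an IP Address List name
    services: List[Service]
    action: str = "block"                 # assumed: user rules block unless stated otherwise
    schedule: Optional[Schedule] = None   # None: the rule applies at all times
    ip_lists: Dict[str, List[str]] = field(default_factory=dict)

    def dest_matches(self, dst_ip: str) -> bool:
        if self.dest == "any":
            return True
        if self.dest in self.ip_lists:            # "IP Address List" option
            return dst_ip in self.ip_lists[self.dest]
        return dst_ip == self.dest                # "Single address" option

    def matches(self, direction: str, dst_ip: str, protocol: str, port: int, when: datetime) -> bool:
        if direction != self.direction or not self.dest_matches(dst_ip):
            return False
        if not any(s.protocol == protocol and s.port == port for s in self.services):
            return False
        return self.schedule is None or self.schedule.active(when)


def decide(rules: List[Rule], direction: str, dst_ip: str, protocol: str, port: int, when: datetime):
    """First matching rule decides (assumption). With no match the traffic is
    allowed, matching the manual's "normal operation" without user rules."""
    for r in rules:
        if r.matches(direction, dst_ip, protocol, port, when):
            return r.action, r.name
    return "allow", None


def decide_at(rules: List[Rule], direction: str, dst_ip: str, protocol: str, port: int, iso_when: str):
    """Same as decide(), taking the time as an ISO 8601 string."""
    return decide(rules, direction, dst_ip, protocol, port, datetime.fromisoformat(iso_when))


# Constructed example: block outbound HTTP to one host during two evening
# sessions Monday to Friday; Saturday and Sunday are left blank.
HTTP = Service("HTTP", "tcp", 80)
EVENINGS = Schedule({day: [(time(18, 0), time(19, 30)), (time(21, 0), time(23, 59))]
                     for day in range(5)})
RULES = [Rule("No evening web", "outbound", "198.51.100.10", [HTTP], schedule=EVENINGS)]

if __name__ == "__main__":
    for stamp in ("2024-01-03T18:30", "2024-01-03T20:00", "2024-01-06T18:30"):
        print(stamp, decide_at(RULES, "outbound", "198.51.100.10", "tcp", 80, stamp))
```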
Firewall - Log
The Logs record various types of activity on the Broadband VPN Gateway. This data is useful for troubleshooting, but enabling all logs will generate a large amount of data and adversely affect performance.
Since only a limited amount of log data can be stored in the Broadband VPN Gateway, log data can also be E-mailed to your PC or sent to a Syslog Server.
Figure 38: Log Screen

Data - Log Screen
Log
Log Contents: Select the desired option(s), if needed.
Second Server Name/IP Address: This is optional.
System Log
Enable System Log: If enabled, log data will be sent to your system log Server.
System Log Server: Enter the IP address of your System Log Server.
Include: Select the logs you wish to be included in the data sent to the System Log Server.
Services
Services are used in defining traffic to be blocked or allowed by the Firewall Rules feature. Many common Services are pre-defined, but you can also define your own services if required.
To view the Services screen, select the Services link on the Firewall menu.
Figure 39: Services Screen

Data - Services Screen
Available Services
Available Services: This lists all defined Services.
Delete Button: Use this to delete the selected Service from the list.
if not required.
Security
This screen allows you to set Firewall and other security-related options.
Figure 40: Security Screen

Data - Security Screen
Firewall
Echo ICMP on LAN Port: The ICMP protocol is used by the "ping" and "trace route" programs, and by network monitoring and diagnostic programs.
• If checked, the Broadband VPN Gateway will respond to ICMP packets received from the Internet.
• If not checked, ICMP packets from the Internet will be ignored.
Allow VPN passthrough
Maximum Connections per PC: Enter the maximum value for the connections of each PC.
Maximum Applications per host: Enter the maximum value for the applications of each host.
Set New Connection(s) not upto: Set the value to control the speed of the internet.
DMZ
This feature, if enabled, allows the DMZ computer or computers on your LAN to be exposed to all users on the Internet.
• This allows almost any application to be used on the "DMZ PC".
• The "DMZ PC" will receive all "Unknown" connections and data.
• If the DMZ feature is enabled, you must select the PC to be used as the "DMZ PC".
Figure 41: Multi-DMZ
To use this feature:
• Enable this DMZ.
• The WAN IP address field displays the IP address allocated to you by your ISP.
E-Mail
Figure 42: E-Mail Screen

Data - E-Mail Screen
E-Mail Alert
Send E-Mail alert: If enabled, an E-Mail will be sent immediately if a DoS (Denial of Service) attack is detected. If enabled, the E-mail address information must be provided.
Send E-Mail alert…: If enabled, an E-Mail will be sent immediately if an application reaches 90% of its limited capacity.
Send: Select the desired option for sending the log by E-mail.
• When the log is full - The time is not fixed. The log will be sent when the log is full, which will depend on the volume of traffic.
• Every day, Every Monday... - The log is sent on the interval specified.
• If "Every day" is selected, the log is sent at the time specified.
• If the day is specified, the log is sent once per week, on the specified day.
• Select the time of day you wish the E-mail to be sent.
Chapter 8 VPN (IPSec)

This Chapter describes the VPN capabilities and configuration required for common situations.

Overview
This section describes the VPN (Virtual Private Network) support provided by your Broadband VPN Gateway.
A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network - typically the Internet. This secure connection is called a VPN Tunnel. There are many standards and protocols for VPNs.
Note that different vendors use different terms. Generally, the terms "VPN Policy", "IPSec Policy", and "IPSec Proposal" have the same meaning. However, some vendors separate IKE Policies (Phase 1 parameters) from IPSec Policies (Phase 2 parameters). For the Broadband VPN Gateway, each VPN policy contains both Phase 1 and Phase 2 parameters (if IKE is used).
Each policy defines:
• The address of the remote VPN endpoint
• The traffic which is allowed to use the VPN connection.
Common VPN Situations
VPN Pass-through
Figure 43: VPN Pass-through
Here, a PC on the LAN behind the Router/Gateway is using VPN software, but the Router/Gateway is NOT acting as a VPN endpoint. It is only allowing the VPN connection.
• The PC software can use any VPN protocol supported by the remote VPN.
• The remote VPN Server must support client PCs which are behind a NAT router, and so have an IP address which is not valid on the Internet.
Connecting 2 LANs via VPN
Figure 45: Connecting 2 VPN Gateways
This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN.
• The 2 LANs MUST use different IP address ranges.
• The VPN Policies at each end determine when a VPN tunnel will be established, and what systems on the remote LAN can be accessed once the VPN connection is established.
• It is possible to have simultaneous VPN connections to many remote sites.
VPN Configuration
This section covers the configuration required on the Broadband VPN Gateway when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies). Details of using Certificates are covered in a later section.
Policies Screen
To view this screen, select Policies from the VPN menu. This screen lists all existing VPN policies. If no policies exist, the list will be empty.
Move: The order in which policies are listed is only important if you have multiple policies for the same remote site. In that case, the first matching policy is used. There are 2 ways to change the order of policies:
• Use the up and down indicators on the right to move the selected row. You must confirm your changes by clicking "OK". If you change your mind before clicking "OK", click "Cancel" to reverse your changes.
Adding a New Policy
To create a new VPN Policy, click the Add New Policy button on the Policies screen.
Figure 47: VPN Wizard - Start Screen
General Settings
Policy Name: Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies.
Enable Policy: Enable or disable the policy as required. For each remote VPN, only 1 policy can be enabled at any time.
Allow NetBIOS Transmission: Select the desired option if you require NetBIOS traffic to be transferred through the VPN tunnel. NetBIOS is used by Microsoft (Windows) networking.
ESP Encryption
ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication.
• The 3DES algorithm provides greater security than DES, but is slower.
• If using AES, you must select the Key Size. If using DES or 3DES, this field is ignored.
Authentication Algorithm
ESP Authentication: Generally, you should enable ESP Authentication.
ESP Authentication
Generally, you should enable ESP Authentication. There is little difference between the available algorithms. Just ensure each endpoint uses the same setting.
• The "In" key here must match the "Out" key on the remote VPN, and the "Out" key here must match the "In" key on the remote VPN.
• Keys can be in ASCII or Hex (0 ~ 9 and A ~ F).
• For MD5, the keys should be 32 hex/16 ASCII characters.

ESP SPI
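The key rules above are easy to get wrong when two operators configure the two ends separately, because the "In" key on one gateway has to equal the "Out" key on the other and the two may have been typed in different formats. The following checker is an added example, not code from the user guide or the gateway firmware: it normalises each key to raw bytes, verifies the MD5 key length the guide states, and cross-checks In against Out. The 20-byte SHA-1 key length is the standard HMAC-SHA-1 key size added here (the guide only gives the MD5 length), the SPI pairing rule is standard IPsec manual keying rather than something the guide states, and the field names and the two endpoint configurations are constructed for this example.

```python
"""Consistency check for a pair of Manual Key Exchange (manual) VPN policies.

Added example, not code from the user guide or the gateway. Rules applied:
local "In" key == remote "Out" key (and vice versa), keys may be typed as
ASCII or hex, MD5 keys are 32 hex / 16 ASCII characters. The SHA-1 length
(20 bytes) and the SPI pairing rule are standard IPsec facts added here,
not taken from the guide. Field names and sample data are constructed.
"""

# Expected raw key length in bytes for each ESP authentication algorithm.
KEY_BYTES = {"MD5": 16, "SHA1": 20}


def key_bytes(key: str, fmt: str) -> bytes:
    """Normalise a key typed as hex ("0 ~ 9 and A ~ F") or ASCII into raw
    bytes so keys entered in different formats can be compared."""
    if fmt == "hex":
        return bytes.fromhex(key)
    if fmt == "ascii":
        return key.encode("ascii")
    raise ValueError(f"unknown key format {fmt!r}")


def check_manual_policy(local: dict, remote: dict) -> list[str]:
    """Return a list of mismatches; an empty list means the pair is consistent."""
    problems = []

    alg = local["esp_auth_alg"]
    if alg != remote["esp_auth_alg"]:
        problems.append(
            f"ESP authentication algorithm differs: {alg} vs {remote['esp_auth_alg']}"
        )

    # Each endpoint's own keys must have the length its algorithm requires.
    keys = {}
    for side, ep in (("local", local), ("remote", remote)):
        for direction in ("in", "out"):
            raw = key_bytes(ep[f"esp_auth_key_{direction}"], ep["key_format"])
            keys[(side, direction)] = raw
            want = KEY_BYTES.get(ep["esp_auth_alg"])
            if want is not None and len(raw) != want:
                problems.append(
                    f"{side} ESP {direction} key is {len(raw)} bytes; "
                    f"{ep['esp_auth_alg']} needs {want}"
                )

    # Cross-check: local In <-> remote Out, local Out <-> remote In.
    if keys[("local", "in")] != keys[("remote", "out")]:
        problems.append("local In key does not match remote Out key")
    if keys[("local", "out")] != keys[("remote", "in")]:
        problems.append("local Out key does not match remote In key")

    # SPIs pair up the same way (standard IPsec manual keying; the guide lists
    # ESP SPI but states no rule, so this check is an assumption of the example).
    if local["esp_spi_in"] != remote["esp_spi_out"]:
        problems.append("local In SPI does not match remote Out SPI")
    if local["esp_spi_out"] != remote["esp_spi_in"]:
        problems.append("local Out SPI does not match remote In SPI")

    return problems


# Constructed sample configurations (not from the guide).
KEY_A = "0123456789abcdef0123456789abcdef"  # 32 hex chars = 16 bytes
KEY_B = "fedcba9876543210fedcba9876543210"

GOOD_LOCAL = {
    "esp_auth_alg": "MD5", "key_format": "hex",
    "esp_auth_key_in": KEY_A, "esp_auth_key_out": KEY_B,
    "esp_spi_in": 0x1001, "esp_spi_out": 0x1002,
}
GOOD_REMOTE = {
    "esp_auth_alg": "MD5", "key_format": "hex",
    "esp_auth_key_in": KEY_B, "esp_auth_key_out": KEY_A,
    "esp_spi_in": 0x1002, "esp_spi_out": 0x1001,
}
# Same as above, but the remote operator typed 16-character ASCII strings:
# the length is right for MD5, yet the bytes differ from the hex keys.
BAD_REMOTE = dict(GOOD_REMOTE, key_format="ascii",
                  esp_auth_key_in="fedcba9876543210",
                  esp_auth_key_out="0123456789abcdef")

if __name__ == "__main__":
    print(check_manual_policy(GOOD_LOCAL, GOOD_REMOTE))  # []
    for problem in check_manual_policy(GOOD_LOCAL, BAD_REMOTE):
        print("-", problem)
```

Run it against both ends before enabling a manual policy; a non-empty result explains why the tunnel passes no traffic even though both sides report the policy as active.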
Authentication
• RSA Signature requires that both VPN endpoints have valid Certificates issued by a CA (Certification Authority).
• For Pre-shared key, enter the same key value in both endpoints. The key should be at least 8 characters (maximum is 128 characters). Note that this key is used for the IKE SA only. The keys used for the IPsec SA are automatically generated.

Encryption
Exchange Mode
Select the desired method, and ensure the remote VPN endpoint uses the same method.
VPN Examples

This section describes some examples of using the Broadband VPN Gateway in common VPN situations.

Example 1: Connecting 2 Broadband VPN Gateways

In this example, 2 LANs are connected via VPN.

Figure 48: Connecting 2 Broadband VPN Gateways

Note
• The LANs MUST use different IP address ranges.
• Both endpoints have fixed WAN (Internet) IP addresses.
Setting                       Both endpoints       Notes
IKE Authentication algorithm  MD5                  Must match
IKE Encryption                DES                  Must match
IKE Exchange mode             Main Mode            Must match
DH Group                      Group 1 (768 bit)    Must match
IKE SA Life time              28800                Does not have to match. Shorter period will be used.
IKE PFS                       Disable              Must match

IPSec SA Parameters
IPSec SA Life time            28800                Does not have to match. Shorter period will be used.
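The table's "Must match" and "Shorter period will be used" rules, together with the earlier requirements that the pre-shared key is 8 to 128 characters and that the two LANs use different IP address ranges, can be checked mechanically before the tunnel is brought up. The script below is an added example, not the gateway's own code: the field names, the two sample gateway policies and the 192.0.2.x / 198.51.100.x documentation addresses are constructed for the example, and the ESP rows follow the Example 2 table rather than the fragment of the Example 1 table shown above.

```python
"""Compare the IKE/IPsec policies configured on two Broadband VPN Gateways.

Added example, not the gateway's own code. Rules applied: settings marked
"Must match" are compared; SA lifetimes may differ and the shorter one
takes effect; the pre-shared key is 8 to 128 characters and identical on
both ends; the two LANs use different (non-overlapping) address ranges.
Field names and the sample policies are constructed for this example.
"""
import ipaddress

# Settings the example tables mark "Must match".
MUST_MATCH = (
    "ike_auth_alg", "ike_encryption", "ike_exchange_mode", "dh_group",
    "ike_pfs", "ipsec_pfs", "esp_auth", "esp_encryption",
)
# Settings that "Do not have to match. Shorter period will be used."
LIFETIMES = ("ike_sa_lifetime", "ipsec_sa_lifetime")


def effective_lifetimes(a: dict, b: dict) -> dict:
    """Lifetimes actually in force: the shorter configured value wins."""
    return {f: min(a[f], b[f]) for f in LIFETIMES}


def compare_policies(a: dict, b: dict) -> list[str]:
    """Return a list of configuration conflicts; empty means the tunnel can form."""
    problems = []

    for f in MUST_MATCH:
        if a[f] != b[f]:
            problems.append(f"{f} must match: {a[f]!r} vs {b[f]!r}")

    # Pre-shared key: 8..128 characters, same value on both endpoints.
    for name, ep in (("A", a), ("B", b)):
        n = len(ep["preshared_key"])
        if not 8 <= n <= 128:
            problems.append(f"pre-shared key on {name} must be 8 to 128 characters (got {n})")
    if a["preshared_key"] != b["preshared_key"]:
        problems.append("pre-shared key differs between endpoints")

    # Each side's Remote Endpoint is the other side's fixed WAN address.
    if a["remote_endpoint"] != b["wan_ip"]:
        problems.append(f"A points at {a['remote_endpoint']}, but B's WAN address is {b['wan_ip']}")
    if b["remote_endpoint"] != a["wan_ip"]:
        problems.append(f"B points at {b['remote_endpoint']}, but A's WAN address is {a['wan_ip']}")

    # The two LANs MUST use different address ranges, and each side's remote
    # LAN must be the other side's local LAN.
    lan_a = ipaddress.ip_network(a["local_lan"])
    lan_b = ipaddress.ip_network(b["local_lan"])
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN address ranges overlap: {lan_a} and {lan_b}")
    if ipaddress.ip_network(a["remote_lan"]) != lan_b:
        problems.append(f"A's remote LAN {a['remote_lan']} is not B's LAN {lan_b}")
    if ipaddress.ip_network(b["remote_lan"]) != lan_a:
        problems.append(f"B's remote LAN {b['remote_lan']} is not A's LAN {lan_a}")

    return problems


# Constructed sample policies using the values from the Example 1 table.
GATEWAY_A = {
    "wan_ip": "192.0.2.1", "remote_endpoint": "198.51.100.1",
    "local_lan": "192.168.1.0/24", "remote_lan": "192.168.2.0/24",
    "ike_auth_alg": "MD5", "ike_encryption": "DES", "ike_exchange_mode": "Main Mode",
    "dh_group": "Group 1 (768 bit)", "ike_pfs": False, "ipsec_pfs": False,
    "esp_auth": "MD5", "esp_encryption": "DES",
    "ike_sa_lifetime": 28800, "ipsec_sa_lifetime": 28800,
    "preshared_key": "example-psk-01",
}
GATEWAY_B = {
    **GATEWAY_A,
    "wan_ip": "198.51.100.1", "remote_endpoint": "192.0.2.1",
    "local_lan": "192.168.2.0/24", "remote_lan": "192.168.1.0/24",
}

if __name__ == "__main__":
    print(compare_policies(GATEWAY_A, GATEWAY_B))  # []
    # A misconfigured B: different IKE cipher, shorter IPsec lifetime,
    # and a LAN that overlaps A's LAN.
    broken = {**GATEWAY_B, "ike_encryption": "3DES", "ipsec_sa_lifetime": 3600,
              "local_lan": "192.168.1.128/25"}
    for problem in compare_policies(GATEWAY_A, broken):
        print("-", problem)
    print(effective_lifetimes(GATEWAY_A, broken))
```

The overlap check matters most in practice: a tunnel between two sites that both use 192.168.1.0/24 will negotiate successfully and then silently route nothing, because each gateway treats the remote range as local.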
Example 2: Windows 2000/XP Client to LAN

In this example, a Windows 2000/XP client connects to the Broadband VPN Gateway and gains access to the local LAN.

Figure 49: Windows 2000/XP Client to Broadband VPN Gateway

To use 3DES encryption on Windows 2000, you need Service Pack 3 or later installed.

Broadband VPN Gateway Configuration

Setting            Value        Notes
Name               Win Client   Name does not affect operation. Select a meaningful name.
Remote Endpoint    172.16.9.
                                    period will be used.
IKE PFS               Disable       Must match client PC

IPSec SA Parameters
IPSec SA Life time    28800         Does not have to match. Shorter period will be used.
IPSec PFS             Disable       Must match client PC
AH authentication     Disabled      AH is rarely used
ESP authentication    Enable/MD5    Must match client PC
ESP encryption        Enable/DES    Must match client PC

Windows Client Configuration

1. Select Start - Programs - Administrative Tools - Local Security Policy.
Figure 51: Windows 2000/XP - Policy Properties

6. • Note that no rules are in use. Two (2) rules are required - incoming and outgoing.
   • The outgoing rule will be added first. Deselect the "Use Add Wizard" checkbox, then click "Add" to view the screen below.

Figure 52: IP Filter List

7. Type "To DUT" for the name, then click "Add" to see a screen like the following.

Figure 53: Filter Properties: Addressing

8. Enter the Source IP address and the Destination IP address.
   • Since this is the outgoing filter, the Source IP address is "My IP address" and the Destination IP address is the address range used on the remote LAN.
   • Ensure the Mirrored option is checked.
9. Click "OK" to save your settings and close this dialog.

Figure 54: New Rule Properties: IP Filter List

Figure 55: New Rule Properties: Filter Action

11. Select Require Security, then click the "Edit" button to view the Require Security Properties screen.

Figure 56: Require Security Properties

12. Select Negotiate security (this selects IKE), then click "Add".

Figure 57: Modify Security Method

13. On the resulting screen (above), select High [ESP], then click "OK" to save your changes and return to the Require Security Properties screen.

Figure 58: Require Security Properties

14. Ensure the following settings are correct, then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.

Figure 59: Tunnel Setting

16. Click the Authentication Methods tab, then click "Edit" to see a screen like the example below.

Figure 60: Authentication Method

17. Select Use this string to protect the key exchange (preshared key), then enter your preshared key in the field provided.
18. Click "OK" to save your changes and return to the Authentication Methods tab of the Edit Rule Properties screen.
19. Click "Close" to return to the DUT to Win2K properties screen.

Figure 61: Windows 2000/XP Client to Broadband VPN Gateway

20. To add the second (incoming) rule, click "Add". For the name, enter "To Win2K", then click "Add".

Figure 62: Windows 2000/XP Client to Broadband VPN Gateway

21. Enter the Source IP address and the Destination IP address as shown below.
   • Since this is the incoming filter, the Source IP address is the address range used on the remote LAN and the Destination IP address is "My IP address".
   • Ensure the Mirrored option is checked.

Figure 63: Filter Properties: Addressing

22. Click "OK" to save your changes, then "Close".

Figure 64: Filter List

23. Ensure the "To Win2K" filter is selected, then click the Filter Action tab.

Figure 65: Filter Action

24. Select Require Security, then click "Edit". On the Require Security Methods screen below, select Negotiate security.

Figure 66: Security Methods

25. Click the "Add" button. On the resulting Modify Security Method screen below, select High [ESP].

Figure 67: Modify Security Method

26. Click "OK" to save your changes, then click "OK" again to return to the Filter Action screen.
27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (172.16.9.10 in this example).

Figure 68: Tunnel Setting

28. Select the Authentication Methods tab, and click the "Edit" button to see the screen below.

Figure 69: Authentication Method

29. Select Use this string to protect the key exchange (preshared key), then enter your preshared key in the field provided.
30. Click "OK" to save your settings, then "Close" to return to the DUT to Win2K Properties screen. There should now be 2 IP Filters listed, as shown below.

Figure 70: DUT to Win2K Properties

31. Select the General tab.

Figure 71: Properties - General Tab

32. Click the "Advanced" button to see the screen below.

Figure 72: Key Exchange Settings

33. Click the "Methods" button to see the screen below.

34. Select the first entry, and click the "Edit" button to see the following screen.

Figure 74: IKE Security Algorithms

35. Select "SHA1" for Integrity Algorithm, "3DES" for Encryption algorithm, and "Low(1)" for the Diffie-Hellman Group.
36. Click "OK" to save, then "OK" again, and then "Close" to return to the Local Security Settings screen.
37. Right-click the DUT to Win2K Policy and select "Assign" to make your policy active.
Remote IP addresses    172.16.9.10                 For a single client, this is the same as the Gateway address.
                       Subnet address: 11.5.0.0
                       255.255.0.0                 Address range used on the remote LAN.
Windows 2000 Server Configuration

Configuration is the same as for Example 2: Windows 2000/XP Client to LAN, except for specifying the Source and Destination addresses for the "Filter Properties". Instead, for both IP Filters, the Filter Properties - Addressing should be completed as follows.

Figure 77: Windows 2000 Server - Addressing

• The Source Address should be set to "A specific IP Subnet", and the IP address and Subnet mask set to the address range used on the Broadband VPN Gateway's LAN.
Certificates

Certificates are used to authenticate users. Certificates are issued to you by various CAs (Certification Authorities). These Certificates are called "Self Certificates".

Each CA also issues a certificate to itself. This Certificate is required in order to validate communication with the CA. These certificates are called "Trusted Certificates".
3. Click the "Browse" button, and locate the certificate file on your PC.
4. Select the file. The name will appear in the "Certificate File" field.
5. Click "Upload" to upload the certificate file to the Broadband VPN Gateway.
6. Click "Back" to return to the Trusted Certificate list. The new Certificate will appear in the list.

Private Certificate

Figure 80: Private Certificate Screen

Data - Private Certificate Screen

Private Certificate

Name
The name you assigned to this Certificate.
Upload Button
After you have received a Certificate, use this to upload the certificate to the Broadband VPN Router. You must select the correct certificate request, so the Broadband VPN Router can correctly match the request and the certificate.

New Request Button
Use this to generate a new request to be supplied to a CA (Certification Authority). See the following section for details.
3. Authentication Algorithm   Select the desired option. RSA is recommended.
   Key Size                   Select the desired option. Normally, 1024 bits provides adequate security.
   IP address                 Enter your public (Internet) IP address.
   Domain Name                This is optional. If you have a domain name, enter it here.
   E-mail                     This is optional. If you have a permanent E-mail address, enter it here.

   Click "Next" to continue to the following screen.

Figure 82: Private Certificate Request (2)
8. • When prompted for the request data, supply the data you copied and saved in step 5 above.
   • Submit the CA's form.
   • If there are no problems, the Certificate will then be issued.

After obtaining a new Certificate, as described above, you need to upload it to the Broadband VPN Gateway.
• Return to the Private Certificates screen.
• In the Self Certificate Requests list, select the request matching this certificate.
• Click the Upload Certificate button.
Figure 85: Upload CRL

4. Upload the CRL file:
   • Click the "Browse" button, and locate the CRL file on your PC.
   • Select the file. The name will appear in the "Upload File" field.
   • Click "Upload" to upload the CRL file to the Broadband VPN Gateway.
   • Click "Back" to return to the CRL list. The new CRL will appear in the list.
5. Use the "Delete" button to delete the previous (now outdated) CRL.
Check Log
Open a new window and view the contents of the VPN log.

Chapter 9 Microsoft VPN

This Chapter explains the screens and settings available for the Microsoft VPN function.

Overview

Microsoft VPN uses the Microsoft VPN Adapter which is provided in recent versions of Windows. This feature can be used to provide remote access to your LAN by individual PCs. This method provides an alternative to using IPSec VPN, which is described in the previous chapter.
Data - VPN Adapter Screen

PPTP Service

Enable PPTP
Use this checkbox to enable or disable this feature as required. To allow connection by remote Windows clients, you must enable this feature, and enter the client details (on the Clients screen) to allow them to log in to this Server.

Authentication Methods
Enable the desired authentication methods. The methods are listed with the most secure first, least secure last. If multiple methods are checked, the most secure will be tried first.

Data - User Screen

Existing Users

User List
All existing users are listed. If you have not added any users, this list will be empty. When a user is selected, their details are displayed in the Properties panel. You can then edit the user's information as required; click Update Selected User to save your changes. (If you select another user before saving your changes, your changes are lost.)

Delete Button
Use this to delete the selected user if required.

Status Log Screen

The Status Log screen is accessed by selecting the Status Log option on the VPN (PPTP) menu.

Figure 89: Status Log Screen

Data - Status Log Screen

Status Log

Status
This indicates whether or not the PPTP (VPN) Server is enabled.

Current Connections
This indicates the number of remote clients currently logged into the PPTP (VPN) Server.

Service Log

Service Log
This displays details of each connection or connection attempt.

Windows Client Setup

To connect to the PPTP (VPN) Server in the VPN Broadband Gateway:
• The Microsoft VPN feature in the VPN Broadband Gateway must be enabled and configured, as described in the previous section.
• Each user must have a login (username and password) on the VPN client database on the VPN Broadband Gateway.
• The remote client PC must be configured as described in the following sections.
To force all outgoing traffic to be sent via VPN, enable the setting "This is the default Internet connection" on the Dialing tab. (Do NOT enable this setting if using Dial-up or PPPoE client software.)

Windows ME VPN Dialing Properties

To establish a connection:
1. Ensure you are connected to the Internet.
2. Select Start - Settings - Dial-up Networking.
3. Double-click the new VPN entry in Dial-up Networking.
Windows 2000

Ensure you have logged on with Administrator rights before attempting this procedure.

1. Open "Network Connections", and start the "New Connection" Wizard.

Figure 92: Windows 2000 Network Connection

2. Select the VPN option ("Connect to a private network through the Internet"), as shown above, and click Next.

Figure 93: Windows 2000 Public Network

3. On the screen above:
   • Select "Do not dial the initial connection" if Internet access is via the LAN.

Figure 94: Windows 2000 VPN Host

4. On the screen above, enter the Domain Name or Internet IP address of the Broadband VPN Gateway you wish to connect to. Click Next to continue.

Figure 95: Windows 2000 Connection Availability

5. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue.

Figure 96: Windows 2000 Finish Wizard

6. Enter a suitable name, and click "Finish" to save and exit.

Setup is now complete.

To establish a connection:
1. Right-click the connection in "Network Connections", and select "Connect".
2. You will then be prompted for the username and password.
3. Enter the username and password assigned to you, as recorded in the VPN client database on the Broadband VPN Gateway.

Windows XP

Ensure you have logged on with Administrator rights before attempting this procedure.

1. Open Network Connections (Start - Settings - Network Connections), and start the New Connection Wizard.

Figure 97: Windows XP Network Connection Type

2. Select the option "Connect to the network at my workplace", as shown above, and click Next.

Figure 98: Windows XP Network Connection

3. On the next screen, shown above, select the "Virtual Private Network connection" option.

Figure 99: Windows XP Connection Name

4. Enter a suitable name for this connection. Click Next to continue.

Figure 100: Windows XP Public Network

5. On the screen above, select "Do not dial the initial connection". Click Next to continue.

Figure 101: Windows XP VPN Server

6. On the screen above, enter the Domain Name or Internet IP address of the Broadband VPN Gateway you wish to connect to. Click Next to continue.

Figure 102: Windows XP Connection Availability

7. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue.
8. On the final screen, click Finish to save and exit.

Setup is now complete.

To establish a connection:
1. Right-click the connection in "Network Connections", and select "Connect".
2. You will then be prompted for the username and password.
Chapter 10 Other Features & Settings

This Chapter explains the screens and settings available via the "Other" menu.

Overview

Normally, it is not necessary to use these screens, or change any settings. These screens and settings are provided to deal with nonstandard situations, or to provide additional options for advanced users.

The screens available are:

Diagnostics   Ping, DNS Lookup.
Password      Only required if your LAN has other Routers or Gateways.
Diagnostics

This screen allows you to perform a "Ping" or a "DNS lookup". These activities can be useful in solving network problems. An example Diagnostics screen is shown below.

Figure 103: Diagnostics Screen

Data - Diagnostics Screen

Ping

Ping This IP Address
Enter the IP address you wish to ping. The IP address can be on your LAN, or on the Internet. Note that if the address is on the Internet, and no connection currently exists, you could get a "Timeout" error.

Search Button
After entering the Domain name/URL, click this button to start the "DNS Search" procedure. The results will be displayed in the DNS Search Result pane.
Password Screen

The password screen allows you to assign a password to the Wireless Router.

Figure 104: Account Management Screen

Data - Account Management Screen

Password

User Name
Displays the existing user names.

User Rights
Describes the rights of the current user.

Latest Login
Displays the last login time and the IP Address.

Edit Button
Click this button to modify the user settings.

User Name
Enter the desired User Name.
Web Management

Web Management allows you to connect to this interface via the Internet, using your Web browser.

Figure 106: Web Management Screen

Data - Web Management Screen

Settings

Web Management
Select WAN1, WAN2 or LAN to allow administration/management via the Internet. (To connect, see above). If Disabled, this device will ignore management connection attempts from the Internet.
External Port Number
The default value is 8080.

Allow Web Login by
This allows you to restrict remote access by IP address. Select the desired option.
• Anyone - Remote user's IP address is not checked.
• IP Address Range - Only the PCs in the selected IP address range will be allowed.
• This PC Only - Only the specified IP address is allowed. If selected, you must enter an IP address in the field provided.

To connect from a remote PC via the Internet
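The three "Allow Web Login by" options, together with the interface selection and the External Port Number, amount to a small access-control decision on every management connection attempt. The model below is an added example, not the gateway's firmware: it uses the option names from the guide, while the settings structure, the function names, the sample configuration and the sample connection attempts are constructed for this example. It is useful for checking what a given configuration would admit before exposing management on a WAN interface.

```python
"""Model of the Web Management access rules described on this screen.

Added example, not the gateway's firmware. Option names ("Anyone",
"IP Address Range", "This PC Only", WAN1/WAN2/LAN, default port 8080) are
from the guide; the data structure, functions and sample attempts are
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class WebManagement:
    interface: str             # "Disabled", "WAN1", "WAN2" or "LAN"
    external_port: int = 8080  # default value stated in the guide
    login_by: str = "Anyone"   # "Anyone", "IP Address Range", "This PC Only"
    range_start: str = ""      # used when login_by == "IP Address Range"
    range_end: str = ""
    pc_ip: str = ""            # used when login_by == "This PC Only"


def source_allowed(cfg: WebManagement, src_ip: str) -> bool:
    """Apply the "Allow Web Login by" restriction to a remote source address."""
    ip = ipaddress.ip_address(src_ip)
    if cfg.login_by == "Anyone":
        return True  # remote user's IP address is not checked
    if cfg.login_by == "IP Address Range":
        return ipaddress.ip_address(cfg.range_start) <= ip <= ipaddress.ip_address(cfg.range_end)
    if cfg.login_by == "This PC Only":
        return ip == ipaddress.ip_address(cfg.pc_ip)
    raise ValueError(f"unknown 'Allow Web Login by' option {cfg.login_by!r}")


def accept_management(cfg: WebManagement, arrived_on: str, src_ip: str, dst_port: int) -> bool:
    """Decide whether an attempt arriving on `arrived_on` (WAN1/WAN2/LAN) from
    `src_ip` to `dst_port` reaches the management interface."""
    if cfg.interface == "Disabled" or arrived_on != cfg.interface:
        return False  # the device ignores the attempt
    if dst_port != cfg.external_port:
        return False
    return source_allowed(cfg, src_ip)


def audit(cfg: WebManagement, attempts) -> list[tuple]:
    """Return each (interface, source, port) attempt with its decision, for
    checking a configuration against the attempts seen in the log."""
    return [(iface, ip, port, accept_management(cfg, iface, ip, port))
            for iface, ip, port in attempts]


# Constructed sample: management on WAN1, only one admin workstation allowed.
CFG = WebManagement(interface="WAN1", login_by="This PC Only", pc_ip="203.0.113.7")

# Constructed connection attempts: (interface, source IP, destination port).
ATTEMPTS = [
    ("WAN1", "203.0.113.7", 8080),  # the permitted admin PC
    ("WAN1", "203.0.113.8", 8080),  # right port, wrong source
    ("WAN1", "203.0.113.7", 80),    # right source, wrong port
    ("WAN2", "203.0.113.7", 8080),  # management not enabled on WAN2
]

if __name__ == "__main__":
    for row in audit(CFG, ATTEMPTS):
        print(row)
```

Of the three options, "Anyone" leaves the login page reachable from every Internet address and relies on the password alone; the range or single-PC options reduce that exposure to the addresses an administrator actually uses.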
Firmware Upgrade

Use this screen to upgrade your Broadband VPN Gateway's firmware.
• You must download the required firmware file, and store it on your PC.
• During the upgrade process, all existing Internet connections will be terminated.
• The upgrade process must NOT be interrupted!

Figure 107: Upgrade Firmware Screen

Data - Firmware Upgrade Screen

Firmware Upgrade

Current Software Version
Displays the current firmware version.
Backup/Restore

This feature allows you to backup (download) the current settings from the Broadband VPN Gateway, and save them to a file on your PC. You can restore a previously-downloaded configuration file to the Broadband VPN Gateway, by uploading it to the Broadband VPN Gateway.

This screen also allows you to set the Broadband VPN Gateway back to its factory default configuration. Any existing settings will be deleted. An example Backup/Restore screen is shown below.
Default Configuration
Enable "Restore the default language" if required. Clicking the Factory Defaults button will reset the Broadband VPN Gateway to its factory default settings.

WARNING! This will delete ALL of the existing settings.
Appendix A Troubleshooting

This Appendix covers the most likely problems and their solutions.

Overview

This chapter covers some common problems that may be encountered while using the Broadband VPN Gateway and some possible solutions to them. If you follow the suggested steps and the Broadband VPN Gateway still does not function properly, contact your dealer for further advice.

General Problems

Problem 1: Can't connect to the Broadband VPN Gateway to configure it.
Solution 2: The Broadband VPN Gateway processes the data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this does not solve the problem, you can use the DMZ function. This should work with almost every application, but:
• It is a security risk, since the firewall is disabled.
• Only one (1) PC can use this feature.
Appendix B Specifications

Broadband VPN Gateway

Model                  Broadband VPN Gateway
Dimensions             235mm(W) * 147mm(D) * 33mm(H)
Operating Temperature  0° C to 40° C
Storage Temperature    -10° C to 70° C
Network Protocol       TCP/IP
Network Interface      6 Ethernet: 4 * 10/100BaseT (RJ45) LAN connection, 2 * 10/100BaseT (RJ45) for WAN
LEDs                   15
Power Adapter          5 V DC External

FCC Statement

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FC
This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

CE Marking Warning

CE Standards

This product complies with the 99/5/EEC directives, including the following safety and EMC standards:
• EN301489-1/-17
• EN60950

This is a Class B product. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures.