Web User Interface
Label | Description
Guest Network | Displays the three guest SSIDs supported by the wireless router. Choices are GUEST_WLAN_0 (xx:xx:xx:xx:xx:xx), GUEST_WLAN_1 (xx:xx:xx:xx:xx:xx) and GUEST_WLAN_0 (xx:xx:xx:xx:xx:xx). If enabled, the MAC address of this BSSID is displayed.
Guest WiFi Security Settings | The wireless parameters are similar to the settings in the Wireless-Security part described earlier.
Guest Network | Enable or disable the
Guest Network Name (SSID) | Allows the user to enter a new SSID name.
Closed Network | If Enable is selected, the SSID name is hidden. When a nearby wireless client scans for SSIDs, it will not discover this hidden SSID name unless the user adds the SSID manually.
Guest LAN Settings |
DHCP Server | Allows the user to deploy a DHCP server for this guest SSID.
IP Address | This IP address will be the default gateway address for clients connected to this guest network.
Subnet Mask | Define the subnet mask value.
Lease Pool Start | Define the start IP address of this DHCP address pool.
Lease Pool End | Define the last IP address of this DHCP address pool.
Lease Time | Define the lease time for DHCP clients. Before expiration, the DHCP client will resend a DHCP request. The maximum value is 86400 seconds.
Apply | Click to save.
Restore Defaults | Click to reset the wireless settings to factory default values.
U10C022
4.4 VPN
The VPN feature provides IPSec VPN, L2TP VPN and PPTP VPN.
A virtual private network (VPN) is a computer network in which some of the links between
nodes are carried by open connections or virtual circuits in some larger network (e.g., the
Internet) instead of by physical wires. The link-layer protocols of the virtual network are said
to be tunneled through the larger network when this is the case. One common application is
secure communications through the public Internet, but a VPN need not have explicit
security features, such as authentication or content encryption. VPNs, for example, can be
used to separate the traffic of different user communities over an underlying network with
strong security features.
4.4.1 VPN-Enable
After enabling or disabling the VPN feature, the wireless router needs to reboot for the change to take effect.
4.4.2 VPN-Summary
This page allows the user to manage VPN tunnels from a centralized view.
Label | Description
IPSec Endpoint | Select to disable or enable the IPSec VPN service.
# | ID of the IPSec VPN tunnel.
Name | Identifying name of the IPSec VPN tunnel.
Status | Once an IPSec VPN is connected successfully, Status changes to connected. Otherwise, it shows Not Connected.
Control | The user can manually trigger an IPSec VPN connection request to the remote VPN gateway.
Configure | Click Edit to modify the IPSec VPN parameters of this tunnel; click Delete to delete this IPSec VPN tunnel.
Add New Tunnel | Click to quickly create a new IPSec VPN tunnel, and then modify its parameters.
4.4.3 VPN-Configure
Internet Protocol Security (IPSec) is a standards-based VPN that offers
flexible solutions for secure data communications across a public network
like the Internet. IPSec is built around a number of standardized
cryptographic techniques to provide confidentiality, data integrity and
authentication at the IP layer.
A VPN tunnel is usually established in two phases. Each phase establishes a security
association (SA), a contract indicating what security parameters the wireless router and the
remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA
between the wireless router and the remote IPSec router. The second phase uses the IKE SA to
securely establish an IPSec SA through which the wireless router and the remote IPSec router
can send data between computers on the local network and the remote network.
Before configuring IPSec VPN, you should be familiar with terms such as IPSec Algorithms,
Authentication Header and ESP protocol.
- IPSec Algorithms
The ESP and AH protocols are necessary to create a Security Association (SA), the
foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and
ESP protocols. The primary function of key management is to establish and maintain the SA
between systems. Once the SA is established, the transport of data may commence.
- AH (Authentication Header) Protocol
AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity
(replay resistance), and non-repudiation but not for confidentiality, for which the ESP was
designed.
In applications where confidentiality is not required or not sanctioned by government
encryption restrictions, an AH can be employed to ensure integrity. This type of
implementation does not protect the information from dissemination but will allow for
verification of the integrity of the information and authentication of the originator.
- ESP (Encapsulating Security Payload) Protocol
The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH.
ESP's authenticating properties are limited compared to those of AH because the
IP header information is not included in the authentication process. However, ESP is sufficient if only
the upper layer protocols need to be authenticated. An added feature of ESP is payload
padding, which further protects communications by concealing the size of the packet being
transmitted.
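The difference in authentication coverage between AH and ESP described above, shown as an added Python example that is not taken from the manual or the router firmware. It is a simplified transport-mode model: the key, addresses, SPI, sequence number and payload are constructed sample values, and the AH header's own fields are left out of the ICV input.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"                                # constructed sample key
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])   # documentation addresses
PAYLOAD = b"constructed upper-layer data"                    # constructed payload
SPI, SEQ = 0x1001, 1                                         # constructed SA values

def ipv4_header(src, dst, ttl, proto, payload_len):
    """Minimal 20-byte IPv4 header without options (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, src, dst)

def icv(data):
    """HMAC-SHA1 truncated to 96 bits (SHA1 is one of the manual's options)."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, payload):
    """AH-style ICV: IP header with in-transit mutable fields zeroed, plus payload.
    Simplified: a real AH ICV also covers the AH header itself."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return icv(bytes(h) + payload)

def esp_icv(payload):
    """ESP-style ICV (transport mode): ESP header and payload, no outer IP header.
    Simplified: `payload` stands in for the encrypted payload and trailer."""
    return icv(struct.pack("!II", SPI, SEQ) + payload)

def receiver_accepts(src=SRC, ttl=64, payload=PAYLOAD):
    """Return (ah_ok, esp_ok) for a packet that arrives with the given fields."""
    ah_tag = ah_icv(ipv4_header(SRC, DST, 64, 51, len(PAYLOAD)), PAYLOAD)
    esp_tag = esp_icv(PAYLOAD)
    ah_ok = hmac.compare_digest(
        ah_tag, ah_icv(ipv4_header(src, DST, ttl, 51, len(payload)), payload))
    esp_ok = hmac.compare_digest(esp_tag, esp_icv(payload))
    return ah_ok, esp_ok

if __name__ == "__main__":
    print("unchanged       :", receiver_accepts())
    print("TTL decremented :", receiver_accepts(ttl=63))
    print("source rewritten:", receiver_accepts(src=bytes([203, 0, 113, 9])))
    print("payload altered :", receiver_accepts(payload=PAYLOAD[:-1] + b"A"))
```

The source-address case is why AH fails verification behind address translation, while the ESP ICV is unaffected by changes to the outer IP header.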
Label | Description
Tunnel | Select the specific VPN tunnel to configure.
Name | Enter a name to identify the tunnel.
Delete tunnel | This button deletes the selected VPN.
Add New Tunnel | Once the user has entered a name in the Name field, the user can add this tunnel.
Apply | After selecting a VPN tunnel and enabling or disabling it, click Apply.
Local endpoint Settings | Configure the local network that will be protected by IPSec VPN, located on the LAN side of your wireless router.
Address group type | Define the local address type: IP Subnet, to protect the whole subnet; Single IP address, to protect a single PC; IP address range, to protect several PCs.
Subnet | Subnet scale.
Mask | Subnet mask value.
Identity Type | Select the identity type used to identify this wireless router: WAN IP address, IP address, FQDN or Email address. In Aggressive mode, the VPN concentrator identifies incoming SAs by ID type and content, since this identifying information is not encrypted, in order to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. In Main mode, the ID type and content are encrypted to provide identity protection. In this case the VPN concentrator can only distinguish between up to 30 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses, because you can select between five encryption algorithms (DES, 3DES, AES-128, AES-192 and AES-256), two authentication algorithms (MD5 and SHA1) and three key groups (DH1, DH2 and DH5) when you configure a VPN rule (5 x 2 x 3 = 30 combinations). The ID type and content act as an extra level of identification for incoming SAs.
Identity | The value corresponding to the selected Identity type.
Remote endpoint settings | Define the local network that will be protected by IPSec VPN, located on the LAN side of the peer wireless router.