21

Chapter 5: Configuring the Gateway

The Setup Tab

ADSL2 Gateway with 4-Port Switch

•

Internet IP Address. The Router’s current Internet IP Address is displayed here. Because it is dynamic, this will

change.

•

Status. The status of the DDNS service connection is displayed here.

When finished making your changes on this tab, click the

Save Settings

button to save these changes, or click

the

Cancel Changes

button to undo your changes.

Advanced Routing Tab

The Advanced Routing screen allows you to configure the dynamic routing and static routing settings.

Advanced Routing

•

Operating Mode. NAT is a security feature that is enabled by default. It enables the Gateway to translate IP

addresses of your local area network to a different IP address for the Internet. To disable NAT, click the

Disabled

radio button.

•

Dynamic Routing. With Dynamic Routing you can enable the Gateway to automatically adjust to physical

changes in the network’s layout. The Gateway, using the RIP protocol, determines the network packets’ route

based on the fewest number of hops between the source and the destination. The RIP protocol regularly

broadcasts routing information to other Gateways on the network. To enable RIP, click

Enabled

. To disable

RIP, click

Disabled

.

•

Transmit RIP Version. To transmit RIP messages, select the protocol you want:

RIP1, RIP1-Compatible,

or RIP2

.

•

Receive RIP Version. To receive RIP messages, select the protocol you want:

RIP1

or

RIP2

.

•

Static Routing. If the Gateway is connected to more than one network, it may be necessary to set up a static

route between them. A static route is a pre-determined pathway that network information must travel to

reach a specific host or network. To create a static route, change the following settings:

•

Select set number. Select the number of the static route from the drop-down menu. The Gateway

supports up to 20 static route entries. If you need to delete a route, after selecting the entry, click the

Delete This Entry

button.

•

Destination IP Address. The Destination IP Address is the address of the remote network or host to which

you want to assign a static route. Enter the IP address of the host for which you wish to create a static

route. If you are building a route to an entire network, be sure that the network portion of the IP address is

set to 0.

22

Chapter 5: Configuring the Gateway

The Security Tab

ADSL2 Gateway with 4-Port Switch

•

Subnet Mask. The Subnet Mask (also known as the Network Mask) determines which portion of an IP

address is the network portion, and which portion is the host portion.

•

Gateway. This IP address should be the IP address of the gateway device that allows for contact between

the Gateway and the remote network or host.

•

Hop Count. Hop Count is the number of hops to each node until the destination is reached (16 hops

maximum). Enter the Hop Count in the field.

•

Show Routing Table. Click the

Show Routing Table

button to open a screen displaying how data is routed

through your LAN. For each route, the Destination IP address, Subnet Mask, Gateway, and Interface are

displayed. Click the

Refresh

button to update the information. Click the

Close

button to return to the previous

screen.

When finished making your changes on this tab, click the

Save Settings

button to save these changes, or click

the

Cancel Changes

button to undo your changes.

The Security Tab

Firewall

When you click the Security tab, you will see the Firewall screen. This screen contains Filters and the option to

Block WAN Requests. Filters block specific Internet data types and block anonymous Internet requests. To add

Firewall Protection, click

Enable

. If you do not want Firewall Protection, click

Disable

.

Additional Filters

•

Filter Proxy. Use of WAN proxy servers may compromise the Gateway's security. Denying Filter Proxy will

disable access to any WAN proxy servers. To enable proxy filtering, click

Enabled

.

•

Filter Cookies. A cookie is data stored on your computer and used by Internet sites when you interact with

them. To enable cookie filtering, click

Enabled

.

•

Filter Java Applets. Java is a programming language for websites. If you deny Java Applets, you run the risk

of not having access to Internet sites created using this programming language. To enable Java Applet

filtering, click

Enabled

.

•

Filter ActiveX. ActiveX is a programming language for websites. If you deny ActiveX, you run the risk of not

having access to Internet sites created using this programming language. To enable ActiveX filtering, click

Enabled

.

Figure 5-13: Routing Table List

23

Chapter 5: Configuring the Gateway

The Security Tab

ADSL2 Gateway with 4-Port Switch

Block WAN requests

•

Block Anonymous Internet Requests. This keeps your network from being “pinged” or detected and

reinforces your network security by hiding your network ports, so it is more difficult for intruders to discover

your network. Select

Block Anonymous Internet Requests

to block anonymous Internet requests or de-

select it

to allow anonymous Internet requests.

When finished making your changes on this tab, click the

Save Settings

button to save these changes, or click

the

Cancel Changes

button to undo your changes.

VPN

Virtual Private Networking (VPN) is a security measure that basically creates a secure connection between two

remote locations. The VPN screen allows you to configure your VPN settings to make your network more secure.

VPN Passthrough

•

IPSec Passthrough. Internet Protocol Security (IPSec) is a suite of protocols used to implement secure

exchange of packets at the IP layer. To allow IPSec Passthrough, click the

Enable

button. To disable IPSec

Passthrough, click the

Disable

button.

•

PPTP Passthrough. Point-to-Point Tunneling Protocol Passthrough is the method used to enable VPN sessions

to a Windows NT 4.0 or 2000 server. To allow PPTP Passthrough, click the

Enable

button. To disable PPTP

Passthrough, click the

Disable

button.

•

L2TP Passthrough. Layering 2 Tunneling Protocol Passthrough is an extension of the Point-to-Point Tunneling

Protocol (PPTP) used to enable the operation of a VPN over the Internet.To allow L2TP Passthrough, click the

Enable

button. To disable L2TP Passthrough, click the

Disable

button.

IPSec VPN Tunnel

The VPN Gateway creates a tunnel or channel between two endpoints, so that the data or information between

these endpoints is secure.

•

To establish this tunnel, select the tunnel you wish to create in the Select Tunnel Entry drop-down box.

It is

possible to create up to five simultaneous tunnels. Then click

Enabled

to enable the IPSec VPN tunnel. Once

the tunnel is enabled, enter the name of the tunnel in the Tunnel Name field.

This is to allow you to identify

Figure 5-14: Firewall

24

Chapter 5: Configuring the Gateway

The Security Tab

ADSL2 Gateway with 4-Port Switch

multiple tunnels and does not have to match the name used at the other end of the tunnel. To delete a tunnel

entry, select the tunnel, then click

Delete

. To view a summary of the settings, click

Summary

.

•

Local Secure Group and Remote Secure Group. The Local Secure Group is the computer(s) on your LAN that

can access the tunnel. The Remote Secure Group is the computer(s) on the remote end of the tunnel that can

access the tunnel. These computers can be specified by a Subnet, specific IP address, or range.

•

Local Security Gateway.

•

Remote Security Gateway. The Remote Security Gateway is the VPN device, such as a second VPN Gateway,

on the remote end of the VPN tunnel. Enter the IP Address or Domain of the VPN device at the other end of the

tunnel. The remote VPN device can be another VPN Gateway, a VPN Server, or a computer with VPN client

software that supports IPSec. The IP Address may either be static (permanent) or dynamic (changing),

depending on the settings of the remote VPN device.

Make sure that you have entered the IP Address

correctly, or the connection cannot be made.

Remember, this is NOT the IP Address of the local VPN Gateway,

but the IP Address of the remote VPN Gateway or device with which you wish to communicate. If you enter an

IP address, only the specific IP Address will be able to acess the tunnel. If you select

Any

, any IP Address can

access the tunnel.

•

Encryption. Using Encryption also helps make your connection more secure.

There are two different types of

encryption: DES or 3DES (3DES is recommended because it is more secure).

You may choose either of these,

but it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel.

Or, you may choose not to encrypt by selecting Disable.

In Figure 5-19, DES (which is the default) has been

selected.

•

Authentication. Authentication acts as another level of security.

There are two types of authentication: MD5

and SHA (SHA is recommended because it is more secure).

As with encryption, either of these may be

selected, if the VPN device at the other end of the tunnel is using the same type of authentication.

Or, both

ends of the tunnel may choose to Disable authentication.

In the Manual Key Management screen, MD5 (the

default) has been selected.

•

Key Management. Select

Auto (IKE)

or

Manual

from the drop-down menu. The two methods are described

below.

Auto (IKE)

Select

Auto (IKE)

and enter a series of numbers or letters in the Pre-shared Key field. Based on this word,

which MUST be entered at both ends of the tunnel if this method is used, a key is generated to scramble

(encrypt) the data being transmitted over the tunnel, where it is unscrambled (decrypted).

You may use any

combination of up to 24 numbers or letters in this field. No special characters or spaces are allowed. In the

Key Lifetime field, you may select to have the key expire at the end of a time period.

Enter the number of

seconds you’d like the key to be useful, or leave it blank for the key to last indefinitely. Check the box next to

PFS (Perfect Forward Secrecy) to ensure that the initial key exchange and IKE proposals are secure.

Figure 5-15: VPN

Figure 5-16: VPN Settings Summary

25

Chapter 5: Configuring the Gateway

The Security Tab

ADSL2 Gateway with 4-Port Switch

Manual

Select

Manual,

then select the Encryption Algorithm from the drop-down menu. Enter the Encryption Key in

the field (if you chose DES for your Encryption Algorithm, enter 16 hexadecimal characters, if you chose 3DES,

enter 48 hexadecimal characters). Select the Authentication Algorithm from the drop-down menu. Enter the

Authentication Key in the field (if you chose MD5 for your Authentication Algorithm, enter 32 hexadecimal

characters, if you chose SHA1, enter 40 hexadecimal characters). Enter the Inbound and Outbound SPIs in the

respective fields.

•

Status. The status of the connection is shown.

Click the

Connect

button to connect your VPN tunnel. Click

View Logs

to view system, UPnP, VPN, firewall,

access, or all logs.Click the

Advanced Settings

button and the Advanced IPSec VPN Tunnel Setup screen will

appear.

When finished making your changes on this tab, click the

Save Settings

button to save these changes, or click

the

Cancel Changes

button to undo your changes.

Advanced VPN Tunnel Setup

From the Advanced IPSec VPN Tunnel Setup screen you can adjust the settings for specific VPN tunnels.

Phase 1

•

Phase 1 is used to create a security association (SA), often called the IKE SA. After Phase 1 is completed,

Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions.

•

Operation Mode. There are two modes: Main and Aggressive, and they exchange the same IKE payloads in

different sequences. Main mode is more common; however, some people prefer Aggressive mode because it

is faster. Main mode is for normal usage and includes more authentication requirements than Aggressive

mode. Main mode is recommended because it is more secure. No matter which mode is selected, the VPN

Gateway will accept both Main and Aggressive requests from the remote VPN device.

•

Encryption. Select the length of the key used to encrypt/decrypt ESP packets. There are two choices: DES and

3DES. 3DES is recommended because it is more secure.

•

Authentication. Select the method used to authenticate ESP packets. There are two choices: MD5 and SHA.

SHA is recommended because it is more secure.

•

Group. There are two Diffie-Hellman Groups to choose from: 768-bit and 1024-bit. Diffie-Hellman refers to a

cryptographic technique that uses public and private keys for encryption and decryption.

Figure 5-17: Manual Key Management

Figure 5-18: System Log