Chapter 5: Configuring the ADSL Gateway
The Security Tab
ADSL Gateway
Delete: Click this button to delete the selected tunnel.
Summary: Click this button to see a summary of your IPSec settings and the tunnels’ status.
IPSec VPN Tunnel: Click Enabled to enable the selected tunnel, or Disabled to disable it.
Tunnel Name: Click and type in this box to give the selected tunnel a name. A name is required, but is only
for your reference and need not match the name used at the remote gateway or client.
Local Secure Group: To give an entire local network access to the tunnel, select Subnet and enter the network
address and mask. To give a particular host access to the tunnel, select IP Address and enter the host’s
address and mask.
Local Security Gateway: If you have multiple PVCs, open this list and select the PVC you wish to use for the
VPN tunnel.
Remote Secure Group: Use this control to specify the remote device or devices that will be granted access to
the tunnel. This can be the public IP address of a network or host; the IP address and mask of a remote
subnet; Host, that is, identical to the Remote Security Gateway setting; or Any, which allows any device with
permission from the remote security gateway to access the tunnel.
Remote Security Gateway: Use the controls in this section to specify the remote endpoint of the IPSec tunnel,
whether it will be a gateway or a client. Select IP Address or FQDN (fully qualified domain name) and input
the correct address or name; or select Any, which allows any machine with the correct IPSec settings to act
as the remote endpoint of the tunnel. With Any, nothing but the pre-shared key identifies the peer, so pin the
remote address or name whenever it is known and use Any only with a strong key.
Encryption: To have communication through the tunnel encrypted, select DES (Data Encryption Standard)
or 3DES (Triple DES). DES uses a 56-bit key and can be brute-forced, so select 3DES, the strongest option
this Gateway offers. To leave communication unencrypted, select Disable; the tunnel then provides
authentication only and no confidentiality.
Authentication: Authentication verifies the identity of the remote machine and the integrity of the data
received. Set this control to MD5 (Message Digest 5) or SHA (Secure Hash Algorithm). SHA is newer, and
generally considered more secure, than MD5.
Key Management: A key is a string of letters and/or numbers that is used for authentication or encryption. Key
management can be automatic (performed by IKE, the Internet Key Exchange protocol) or manual.
To use automatic key management, select Auto (IKE), enter the pre-shared key and the key lifetime, and
enable or disable PFS (perfect forward secrecy). The key should be a string of 8 to 23 characters that is not a
dictionary word or a numeric pattern; because the pre-shared key is the only secret that authenticates the
peer, use the full 23 characters where the remote end allows it. PFS makes every re-key perform a fresh
Diffie-Hellman exchange, so the compromise of one session key does not expose traffic protected by earlier
or later keys. The settings must exactly match those at the remote end of the tunnel.
Figure 5-20: VPN Settings Summary
To use manual key management, select Manual, enter authentication and encryption keys (these must be
identical to those entered at the remote end), and enter inbound and outbound SPIs (security parameter
indexes). The SPIs must be exactly complementary to those entered at the remote end: this Gateway's
inbound SPI is the remote end's outbound SPI, and this Gateway's outbound SPI is the remote end's inbound
SPI. Manual keys never change unless you change them, so there is no re-keying and no forward secrecy;
prefer IKE unless the remote end cannot use it.
When you select automatic key management, an Advanced Settings button appears. Click this button if there are
special requirements for this IPSec tunnel. The Advanced IPSec VPN Tunnel Setup window will appear. (Help for
this window can be displayed by clicking More on the right side of the VPN panel.)
In this window you can set parameters for IKE phases 1 and 2, and other settings. Phase 1 is when the two ends
negotiate parameters for key exchange; phase 2 is when they negotiate parameters for data exchange.
Operation mode: Key exchange parameters can be negotiated in Main mode, which is more secure, or
Aggressive mode, which is quicker. Aggressive mode sends the identities in the clear and, when a pre-shared
key is used, lets an eavesdropper capture material that can be used to crack the key offline, so use Main
mode unless the remote end requires Aggressive. The Gateway will accept requests in either mode, but some
gateways and clients will accept requests only in the mode specified by the user.
Proposal 1: A proposal is a set of parameters that the initiator sends and the responder examines for
acceptability. You can specify encryption and authentication algorithms, Diffie-Hellman group, and key
lifetime for the first proposal.
Phase 2 Proposal: Select the desired Diffie-Hellman group, 768-bit (group 1) or 1024-bit (group 2). Both are
short by current standards; select 1024-bit, the larger of the two, unless the remote end cannot use it.
Other Settings
NAT Traversal: Enable this feature if the machine or machines being accessed through the tunnel stand
behind a NAT (Network Address Translation) device. NAT rewrites addresses and ports that plain IPSec
cannot tolerate, so with this feature the tunnel traffic is wrapped in UDP to pass through it.
NetBIOS broadcast: Enable this feature if the local network does not include a WINS server and the remote
machine or machines will need to find local machines by their NetBIOS (Windows Networking) names.
Anti-replay: Packets sent through an IPSec tunnel carry sequence numbers that let the receiver detect a
packet that has been captured and re-sent. Enable this function for greater security; it costs little and
defeats replayed packets.
Keep-alive: This feature, enabled by default, makes the Gateway check the tunnel connection periodically
and attempt to re-establish it if it goes down.
If IKE failed . . . : IKE failure may signify an unwanted intrusion attempt. You can set a limit on the number
of consecutive failed requests that the Gateway will allow from the same IP address, and the amount of
time that the Gateway will ignore further requests from that address.
When finished making changes in this panel, click the Save Settings button to save your changes, or click
Cancel Changes to undo the changes. Use the VPN panel's Connect and View Logs buttons to test the tunnel.
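The tunnel settings described above (encryption, authentication, pre-shared key, PFS, operation mode, Diffie-Hellman group, anti-replay, and the SPIs used with manual keying) can be checked mechanically before a tunnel is saved. The following Python script is an added example, not code from this manual or from the Gateway: the dictionary keys it reads are assumed names that mirror the controls in the text, its word list is a constructed stand-in for a real dictionary, and it flags each choice that is weaker than the best option this Gateway offers. Note that 3DES and 1024-bit Diffie-Hellman are themselves deprecated by current standards; the script treats them as the ceiling only because this device offers nothing stronger.

```python
"""Audit IPSec tunnel settings of the kind described on the Security tab.

Added example, not code from the manual or the Gateway. The dictionary keys
(encryption, authentication, key_management, psk, pfs, operation_mode,
dh_group_bits, anti_replay, remote_gateway, spi_in, spi_out) are assumed
names that mirror the controls in the text, not the device's real format.
"""
import secrets
import string
from typing import Dict, List

# Constructed stand-in for a word list; a real audit would load a dictionary file.
DICTIONARY = {"password", "linksys", "admin", "secret", "letmein", "welcome"}
PSK_ALPHABET = string.ascii_letters + string.digits  # "letters and/or numbers"


def is_numeric_pattern(s: str) -> bool:
    """All-digit strings that repeat one digit or step by a constant (11111111, 12345678, 97531...)."""
    if not s.isdigit():
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(s, s[1:])}
    return len(steps) <= 1


def audit_psk(psk: str) -> List[str]:
    """Apply the 8-to-23-character rule plus checks for obvious guesses."""
    findings = []
    if not 8 <= len(psk) <= 23:
        findings.append("must be 8 to 23 characters long")
    if psk.lower() in DICTIONARY:
        findings.append("is a dictionary word")
    if is_numeric_pattern(psk):
        findings.append("is a numeric pattern")
    if len(set(psk)) < 4:
        findings.append("uses too few distinct characters")
    return findings


def generate_psk(length: int = 23) -> str:
    """Random key from the Gateway's alphabet, by default at the maximum allowed length."""
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if not audit_psk(psk):
            return psk


def spis_complementary(local: Dict[str, int], remote: Dict[str, int]) -> bool:
    """Manual keying: our inbound SPI is the peer's outbound SPI and vice versa."""
    return local["spi_in"] == remote["spi_out"] and local["spi_out"] == remote["spi_in"]


def audit_tunnel(cfg: Dict) -> List[str]:
    """Return one finding per setting weaker than the strongest option the Gateway offers."""
    findings = []
    if cfg["encryption"] == "Disable":
        findings.append("encryption disabled: tunnel traffic is sent in the clear")
    elif cfg["encryption"] == "DES":
        findings.append("DES has a 56-bit key and is brute-forceable; select 3DES")
    if cfg["authentication"] == "MD5":
        findings.append("MD5 selected for authentication; select SHA")
    if not cfg.get("anti_replay", True):
        findings.append("anti-replay disabled: captured packets could be re-sent into the tunnel")
    if cfg["key_management"] == "Auto (IKE)":
        findings += ["pre-shared key " + f for f in audit_psk(cfg["psk"])]
        if not cfg.get("pfs", False):
            findings.append("PFS disabled: one compromised key exposes every session keyed from it")
        if cfg.get("operation_mode") == "Aggressive":
            findings.append("Aggressive mode with a PSK exposes identities and crackable key "
                            "material to an eavesdropper; select Main mode")
        if cfg.get("dh_group_bits", 1024) < 1024:
            findings.append("768-bit Diffie-Hellman (group 1) is too short; select 1024-bit")
        if cfg.get("remote_gateway") == "Any":
            findings.append("Remote Security Gateway is Any: the PSK alone authenticates the peer")
    return findings


# Constructed sample tunnels: one using the weakest choice everywhere, one using the strongest.
WEAK = {
    "encryption": "DES", "authentication": "MD5", "key_management": "Auto (IKE)",
    "psk": "12345678", "pfs": False, "operation_mode": "Aggressive",
    "dh_group_bits": 768, "anti_replay": False, "remote_gateway": "Any",
}
HARDENED = {
    "encryption": "3DES", "authentication": "SHA", "key_management": "Auto (IKE)",
    "psk": "Rq7tZ2pL9vXm4Kd8Wn3Bs1", "pfs": True, "operation_mode": "Main",
    "dh_group_bits": 1024, "anti_replay": True, "remote_gateway": "203.0.113.10",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_tunnel(cfg) or ["no findings"])
    print("fresh PSK:", generate_psk())
    ours = {"spi_in": 0x1001, "spi_out": 0x1002}
    theirs = {"spi_in": 0x1002, "spi_out": 0x1001}
    print("manual SPIs complementary:", spis_complementary(ours, theirs))
```

Running the file prints eight findings for the weak tunnel and none for the hardened one; the same audit_psk check is reused to generate a key that satisfies the 8-to-23-character rule, and spis_complementary shows the inbound/outbound swap that manual keying requires between the two ends.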
Figure 5-21: Advanced VPN Settings
Figure 5-22: VPN Log
The Access Restriction Tab
The Internet Access Tab
The Internet Access tab allows you to block or allow specific kinds of Internet usage. You can set up Internet
access policies for specific computers and block websites by URL address or keyword.
Internet Access Policy. Access can be managed by a policy. Use the settings on this screen to establish an
access policy (after the Save Settings button is clicked). Selecting a policy from the drop-down menu will
display that policy's settings. To delete a policy, select that policy's number and click the Delete button. To view
all the policies, click the Summary button. (Policies can be deleted from the Summary screen by selecting the
policy or policies and clicking the Delete button. To return to the Internet Access screen, click the Close
button.)
Status. Policies are disabled by default. To enable a policy, select the policy number from the drop-down menu,
and click the radio button beside Enable.
To create an Internet Access policy:
1. Select a number from the Internet Access Policy drop-down menu.
2. To enable this policy, click the radio button beside Enable.
3. Enter a Policy Name in the field provided.
Figure 5-23: Internet Access
Figure 5-24: Internet Policy Summary
4. Click the Edit List of PCs button to select which PCs will be affected by the policy. The List of PCs screen will
appear. You can select a PC by MAC Address or IP Address. You can also enter a range of IP Addresses if you
want this policy to affect a group of PCs. Both identifiers are chosen by the PC itself, so a user who can
change a MAC address or set a static IP address outside the range can step out of the policy. After making
your changes, click the Save Settings button to apply your changes or Cancel Changes to cancel your changes.
5. Click the appropriate option, Deny or Allow, depending on whether you want to block or allow Internet access
for the PCs you listed on the List of PCs screen.
6. Decide which days and what times you want this policy to be enforced. Select the individual days during
which the policy will be in effect, or select Everyday. Then enter a range of hours and minutes during which
the policy will be in effect, or select 24 Hours.
7. If you want to block websites with specific URL addresses, enter each URL in a separate field next to Website
Blocking by URL Address.
8. If you want to block websites using specific keywords, enter each keyword in a separate field next to Website
Blocking by Keyword. The Gateway can match only what it can read; for encrypted (HTTPS) connections that is
at most the host name, not the page path.
9. You can filter access to various services accessed over the Internet, such as FTP or telnet, by selecting
services from the drop-down menus next to Blocked Services. Then enter the range of ports you want to filter.
If the service you want to block is not listed or you want to edit a service's settings, then click the Add/Edit
Service button. Then the Port Services screen will appear.
To add a service, enter the service's name in the Service Name field. Select its protocol from the Protocol
drop-down menu, and enter its range in the Port Range fields. Then click the Add button.
To modify a service, select it from the list on the right. Change its name, protocol setting, or port range. Then
click the Modify button.
To delete a service, select it from the list on the right. Then click the Delete button.
When you are finished making changes on the Port Services screen, click the Apply button to save changes.
If you want to cancel your changes, click the Cancel button. To close the Port Services screen and return to
the Access Restrictions screen, click the Close button.
10. Click the Save Settings button to save the policy's settings. To undo the policy's settings, click the Cancel
Changes button.
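As an added example that is not part of this manual, the following Python module models a policy built with steps 1 to 10 and decides whether a given request from a LAN client would be allowed or denied. The field names, the two constructed policies and the combination rule (the first enabled policy whose List of PCs and schedule match the client decides; Deny blocks all Internet access, Allow blocks only the listed URLs, keywords and services; a client matched by no policy is allowed) are assumptions for illustration, not documented Gateway behaviour.

```python
"""Evaluate Internet Access policies of the kind built in steps 1 to 10 above.

Added example, not code from the manual or the Gateway. Field names, the two
constructed policies and the combination rule (first matching enabled policy
decides; no match means access is allowed) are assumptions for illustration.
"""
import ipaddress
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


def pc_matches(policy: Dict, ip: str, mac: str) -> bool:
    """List of PCs: MAC address, single IP address, or inclusive IP range."""
    pcs = policy["pcs"]
    if mac.lower() in {m.lower() for m in pcs.get("macs", [])}:
        return True
    addr = ipaddress.ip_address(ip)
    if any(addr == ipaddress.ip_address(a) for a in pcs.get("ips", [])):
        return True
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in pcs.get("ranges", []))


def schedule_matches(policy: Dict, when: datetime) -> bool:
    """Days: set of weekday abbreviations or "Everyday". Hours: (start, end) or "24 Hours"."""
    if policy["days"] != "Everyday" and when.strftime("%a") not in policy["days"]:
        return False
    if policy["hours"] == "24 Hours":
        return True
    start, end = (time.fromisoformat(t) for t in policy["hours"])
    now = when.time()
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end  # range that crosses midnight


def content_blocked(policy: Dict, url: Optional[str]) -> Optional[str]:
    """Website Blocking by URL Address and by Keyword, as case-insensitive substring matches."""
    if not url:
        return None
    u = url.lower()
    for blocked in policy.get("blocked_urls", []):
        if blocked.lower() in u:
            return f"URL {blocked}"
    for kw in policy.get("blocked_keywords", []):
        if kw.lower() in u:
            return f"keyword {kw}"
    return None


def service_blocked(policy: Dict, proto: str, port: int) -> Optional[str]:
    """Blocked Services entries: (name, protocol, first port, last port)."""
    for name, svc_proto, lo, hi in policy.get("blocked_services", []):
        if svc_proto.upper() == proto.upper() and lo <= port <= hi:
            return f"service {name}"
    return None


def decide(policies: List[Dict], req: Dict) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one request from a LAN client."""
    for p in policies:
        if not (p["enabled"] and pc_matches(p, req["ip"], req["mac"])
                and schedule_matches(p, req["when"])):
            continue
        if p["action"] == "Deny":
            return "deny", f"{p['name']}: Internet access denied for this PC"
        why = content_blocked(p, req.get("url")) or service_blocked(p, req["proto"], req["port"])
        if why:
            return "deny", f"{p['name']}: blocked {why}"
        return "allow", f"{p['name']}: allowed"
    return "allow", "no policy matched"


# Constructed policies: weekday-afternoon filtering for a range of PCs, a night block for one host.
POLICIES = [
    {"name": "Kids PCs", "enabled": True, "action": "Allow",
     "pcs": {"macs": ["00:11:22:33:44:55"], "ranges": [("192.168.1.100", "192.168.1.110")]},
     "days": {"Mon", "Tue", "Wed", "Thu", "Fri"}, "hours": ("15:00", "21:00"),
     "blocked_urls": ["example.com/games"], "blocked_keywords": ["casino"],
     "blocked_services": [("Telnet", "TCP", 23, 23), ("FTP", "TCP", 20, 21)]},
    {"name": "Guest night block", "enabled": True, "action": "Deny",
     "pcs": {"ips": ["192.168.1.200"]}, "days": "Everyday", "hours": ("23:00", "06:00")},
]


def sample_decisions() -> Dict[str, Tuple[str, str]]:
    """Constructed requests on Monday 2024-01-15 and Saturday 2024-01-13, run against POLICIES."""
    mon, sat = datetime(2024, 1, 15, 16, 0), datetime(2024, 1, 13, 16, 0)
    kid = {"ip": "192.168.1.105", "mac": "aa:bb:cc:dd:ee:ff", "when": mon,
           "url": "http://www.example.com/games/index.html", "proto": "TCP", "port": 80}
    guest = {"ip": "192.168.1.200", "mac": "11:22:33:44:55:66", "url": None,
             "when": datetime(2024, 1, 15, 23, 30), "proto": "UDP", "port": 53}
    return {
        "kid games url": decide(POLICIES, kid),
        "kid telnet": decide(POLICIES, {**kid, "url": None, "port": 23}),
        "kid https news": decide(POLICIES, {**kid, "url": "https://news.example.org/", "port": 443}),
        "kid saturday": decide(POLICIES, {**kid, "when": sat, "url": "http://casino.example/"}),
        "kid by mac": decide(POLICIES, {**kid, "ip": "192.168.1.50", "mac": "00:11:22:33:44:55",
                                        "url": "http://casino.example/"}),
        "guest night": decide(POLICIES, guest),
        "guest noon": decide(POLICIES, {**guest, "when": datetime(2024, 1, 15, 12, 0)}),
    }


if __name__ == "__main__":
    print(*sample_decisions().items(), sep="\n")
```

The "kid by mac" case shows why step 4 lets you list a PC by MAC address as well as by IP: a PC that moves outside the IP range is still caught by its MAC, while a PC that changes both slips out of the policy entirely. The "kid https news" case is the one where keyword blocking is weakest, since only the host name is visible to the Gateway.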
Figure 5-25: List of PCs
Figure 5-26: Add/Edit Service
The Applications & Gaming Tab
The Single Port Forwarding Tab
Single Port Forwarding
Use the Single Port Forwarding screen when you want to open a specific port so users on the Internet can reach
servers behind the Gateway (such servers may include FTP or e-mail servers). When users send this type of
request to your network via the Internet, the Gateway will forward those requests to the appropriate computer.
Every forwarded port exposes that service directly to the Internet, so forward only the ports a service actually
needs and keep the server patched.
Any computer whose port is being forwarded should have its DHCP client function disabled and should be
assigned a static IP address outside the DHCP pool, because an address obtained via DHCP may change and the
forward would then point at whichever machine holds that address.
PVC Connection Select. If the service requests you wish to configure will be coming in over a PVC other than
PVC 1, select the correct PVC from this list.
Port Map List. In this section you will customize the port service for your applications.
Application. Enter the name of the application in the field provided.
External Port and Internal Port. Enter the External and Internal Port numbers.
Protocol. Select the protocol you wish to use for each application: TCP or UDP.
IP Address. Enter the IP Address of the appropriate computer.
Enabled. Click Enabled to enable forwarding for the chosen application.
When finished making your changes on this tab, click the Save Settings button to save these changes, or click
the Cancel Changes button to undo your changes.
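The Port Map List lends itself to a consistency check before Save Settings is clicked: every port must be valid, no two enabled entries may claim the same external port and protocol, and the target address must be on the LAN and outside the DHCP pool, for the reason given above. The following Python script is an added example, not code from this manual or from the Gateway; the entry fields mirror the columns described above, the LAN subnet and DHCP pool bounds are values the caller supplies, and the sample map is constructed.

```python
"""Sanity-check a Single Port Forwarding map before it is saved.

Added example, not code from the manual or the Gateway. The entry fields
(application, external_port, internal_port, protocol, ip, enabled) mirror
the columns described above; the LAN subnet and DHCP pool bounds are values
the caller supplies, and the sample map below is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple


def check_port_map(entries: List[Dict], lan: str, dhcp_pool: Tuple[str, str]) -> List[str]:
    """One line per problem: bad ports or protocols, off-LAN or DHCP-pool targets, duplicate externals."""
    issues = []
    lan_net = ipaddress.ip_network(lan, strict=False)
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    claimed = {}  # (protocol, external port) -> internal IP, enabled entries only
    for e in entries:
        tag = f"{e['application']} {e['protocol']}/{e['external_port']}"
        proto = e["protocol"].upper()
        if proto not in ("TCP", "UDP"):
            issues.append(f"{tag}: protocol must be TCP or UDP")
        for field in ("external_port", "internal_port"):
            if not 1 <= e[field] <= 65535:
                issues.append(f"{tag}: {field} {e[field]} is out of range")
        host = ipaddress.ip_address(e["ip"])
        if host not in lan_net:
            issues.append(f"{tag}: {host} is not on the LAN {lan_net}")
        elif pool_lo <= host <= pool_hi:
            issues.append(f"{tag}: {host} is inside the DHCP pool; give the server a static "
                          "address outside it")
        if not e["enabled"]:
            continue  # a disabled entry forwards nothing and cannot collide
        key = (proto, e["external_port"])
        if key in claimed:
            issues.append(f"{tag}: external port already forwarded to {claimed[key]}")
        else:
            claimed[key] = e["ip"]
    return issues


def exposure_summary(entries: List[Dict]) -> Dict[str, List[str]]:
    """Which internal hosts the Internet can reach, as protocol/external->internal per host."""
    exposed: Dict[str, List[str]] = {}
    for e in entries:
        if e["enabled"]:
            exposed.setdefault(e["ip"], []).append(
                f"{e['protocol'].upper()}/{e['external_port']}->{e['internal_port']}")
    return exposed


PORT_MAP = [  # constructed sample entries
    {"application": "FTP", "external_port": 21, "internal_port": 21, "protocol": "TCP",
     "ip": "192.168.1.10", "enabled": True},
    {"application": "Web", "external_port": 80, "internal_port": 8080, "protocol": "TCP",
     "ip": "192.168.1.10", "enabled": True},
    {"application": "Web-old", "external_port": 80, "internal_port": 80, "protocol": "TCP",
     "ip": "192.168.1.11", "enabled": True},
    {"application": "Mail", "external_port": 25, "internal_port": 25, "protocol": "TCP",
     "ip": "192.168.1.150", "enabled": True},
    {"application": "Game", "external_port": 70000, "internal_port": 7000, "protocol": "UDP",
     "ip": "192.168.1.12", "enabled": False},
]

if __name__ == "__main__":
    for line in check_port_map(PORT_MAP, "192.168.1.0/24", ("192.168.1.100", "192.168.1.199")):
        print("issue:", line)
    print("exposed:", exposure_summary(PORT_MAP))
```

Against the sample map the check reports three problems (the second claim on TCP/80, the mail server sitting inside the DHCP pool, and the out-of-range external port), and exposure_summary gives the attack-surface view a reviewer wants: which LAN hosts are reachable from the Internet and on which ports.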
Figure 5-27: Single Port Forwarding