Web User Interface
Address group type
Define the local address type:
- IP Subnet, to protect the whole subnet.
- Single IP address, to protect a single PC.
- IP address range, to protect several PCs.
Subnet
Subnet scale.
Mask
Subnet mask value.
Identity type
Select the identity type used to identify this wireless router:
- WAN IP address
- IP address
- FQDN
- Email address
Identity
The value corresponding to the selected Identity type.
Network address type
How the peer IPSec VPN gateway is specified, by IP address or domain
name. You can select:
- IP address, usually suitable for a static public IP address.
- Fully Qualified Domain Name (FQDN), usually suitable for a dynamic
public IP address.
Remote address
Enter an IP address when IP address is selected in Network address
type, or an FQDN when FQDN is selected in Network address type. This
field identifies the specific remote IPSec VPN gateway to which your
wireless router will initiate the IPSec VPN connection.
IPSec settings
Configure the IPSec Protocol related parameters
Pre-shared Key
Type your pre-shared key in this field. A pre-shared key identifies a
communicating party during a phase 1 IKE negotiation. It is called
"pre-shared" because you have to share it with another party before
you can communicate with them over a secure connection.
Phase 1 DH group
Select which Diffie-Hellman key group (DHx) you want to use for
encryption keys. Choices are:
DH1 - use a 768-bit random number
DH2 - use a 1024-bit random number
DH5 - use a 1536-bit random number
Phase 1 encryption
Select which key size and encryption algorithm to use for
data communications. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm. The wireless
router and the remote IPSec router must use the same algorithms and
key, which can be used to encrypt and decrypt the message or to
generate and verify a message authentication code. Longer keys require
more processing power, resulting in increased latency and decreased
throughput.
AES - Advanced Encryption Standard is a newer method of data
encryption that also uses a secret key. This implementation of AES
applies a 128-bit key to 128-bit blocks of data. AES is faster than
3DES. You can choose AES-128, AES-192 or AES-256.
Phase 1 authentication
Select which hash algorithm to use to authenticate packet data in the
IKE SA. Choices are SHA1 and MD5. SHA1 is generally considered
stronger than MD5, but it is also slower.
MD5 (Message Digest 5) produces a 128-bit digest to authenticate
packet data.
SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate
packet data.
Phase 1 SA lifetime
Define the length of time before an IKE SA automatically
renegotiates in this field. It may range from 120 to 86400
seconds. A short SA Life Time increases security by forcing
the two VPN gateways to update the encryption and
authentication keys. However, every time the VPN tunnel
renegotiates, all users accessing remote resources are
temporarily disconnected.
Phase 2 encryption
Select which key size and encryption algorithm to use for
data communications. Choices are:
Null - No data encryption in IPSec SA. Not suggested.
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm. The wireless
router and the remote IPSec router must use the same algorithms and
key, which can be used to encrypt and decrypt the message or to
generate and verify a message authentication code. Longer keys require
more processing power, resulting in increased latency and decreased
throughput.
AES - Advanced Encryption Standard is a newer method of data
encryption that also uses a secret key. This implementation of AES
applies a 128-bit key to 128-bit blocks of data. AES is faster than
3DES. You can choose AES-128, AES-192 or AES-256.
Phase 2 authentication
Select which hash algorithm to use to authenticate packet data in the
IKE SA. Choices are Null, SHA1 and MD5. SHA1 is generally considered
stronger than MD5, but it is also slower.
Phase 2 SA lifetime
Define the length of time before an IPSec SA automatically
renegotiates in this field. It may range from 120 to 86400
seconds.
Show Advanced Settings
Some advanced IPSec VPN settings are hidden by default. Usually you
can leave them unchanged.
Key management
Key management allows you to determine whether to use
IKE (ISAKMP) or manual key configuration in order to set
up a VPN.
IKE negotiation mode
Determines how the Security Association (SA) will be established for
each connection through IKE negotiations.
- Main Mode, which ensures the highest level of security when the
communicating parties are negotiating authentication (phase 1).
- Aggressive Mode, which is quicker than Main Mode because it
eliminates several steps when the communicating parties are
negotiating authentication (phase 1).
Perfect forward secrecy (PFS)
Perfect Forward Secrecy (PFS) is disabled (NONE) by default in phase 2
IPSec SA setup. This allows faster IPSec setup, but is less secure.
Select DH1, DH2 or DH5 to enable PFS.
Phase 2 DH group
After enabling PFS, you need to choose a DH group (DHx).
Replay detection
As a VPN setup is processing intensive, the system is
vulnerable to Denial of Service (DOS) attacks. The IPSec
receiver can detect and reject old or duplicate packets to
protect against replay attacks. Enable replay detection by
selecting this check box.
NetBIOS broadcast forwarding
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP
packets that enable a computer to find other computers. It may
sometimes be necessary to allow NetBIOS packets to pass through VPN
tunnels in order to allow local computers to find computers on the
remote network and vice versa. Select this check box to send NetBIOS
packets through the VPN connection.
Dead peer detection
Forces the wireless router to check periodically whether the remote
IPSec gateway is available.
Manual Encryption Key
If you choose Manual in the Key management field, you need to enter a
manual encryption key of 16 hexadecimal digits.
Manual Authentication Key
Type a unique authentication key to be used by IPSec, 32 hexadecimal
digits.
Inbound SPI
Type a unique SPI (Security Parameter Index)
Outbound SPI
Type a unique SPI (Security Parameter Index)
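A pre-deployment check of the settings in the table above, written as an added example (not code from the manual or the router's firmware). The profile field names are hypothetical; the allowed values, the 120-86400 second lifetime range and the manual key lengths are the ones stated on this page, and the flagged choices are those the page ranks lowest or lists with the smallest key sizes.

```python
import re

# Field names are hypothetical; values mirror the choices listed on this page.
DH_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}
WEAK = {"p1_encryption": {"DES"}, "p2_encryption": {"DES", "Null"},
        "p1_authentication": {"MD5"}, "p2_authentication": {"MD5", "Null"},
        "ike_mode": {"Aggressive"}, "pfs": {"NONE"}}
MUST_MATCH = ["psk", "p1_dh_group", "p1_encryption", "p1_authentication",
              "p2_encryption", "p2_authentication", "ike_mode", "pfs"]


def audit_profile(p):
    """Return sorted findings for one gateway's IKE profile."""
    findings = [f"{k}: {p[k]} is a weak choice" for k, bad in WEAK.items()
                if p.get(k) in bad]
    if DH_BITS.get(p.get("p1_dh_group"), 0) < 1536:
        findings.append("p1_dh_group: DH5 is the largest group offered")
    for k in ("p1_lifetime", "p2_lifetime"):
        if not 120 <= p.get(k, 0) <= 86400:
            findings.append(f"{k}: outside the 120-86400 second range")
    if p.get("key_management") == "Manual":
        # Manual keying: the page requires fixed-length hexadecimal keys.
        for k, n in (("manual_enc_key", 16), ("manual_auth_key", 32)):
            if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % n, p.get(k, "")):
                findings.append(f"{k}: must be {n} hexadecimal digits")
    return sorted(findings)


def mismatches(local, remote):
    """Fields both gateways must set identically but do not."""
    return [k for k in MUST_MATCH if local.get(k) != remote.get(k)]


# Constructed sample profiles (not taken from any real device).
WEAK_PROFILE = {"psk": "example-placeholder-key", "key_management": "IKE",
                "ike_mode": "Aggressive", "pfs": "NONE", "p1_dh_group": "DH1",
                "p1_encryption": "DES", "p1_authentication": "MD5",
                "p2_encryption": "Null", "p2_authentication": "SHA1",
                "p1_lifetime": 60, "p2_lifetime": 3600}
HARDENED_PROFILE = dict(WEAK_PROFILE, ike_mode="Main", pfs="DH5",
                        p1_dh_group="DH5", p1_encryption="AES-256",
                        p1_authentication="SHA1", p2_encryption="AES-256",
                        p1_lifetime=28800)

if __name__ == "__main__":
    for finding in audit_profile(WEAK_PROFILE):
        print(finding)
    print(mismatches(WEAK_PROFILE, HARDENED_PROFILE))
```

Run `audit_profile` on each gateway's settings before saving them, and `mismatches` on the pair to catch a tunnel that would fail to negotiate.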
4.4.4 VPN - Event Log
This page allows you to view the VPN Event Log.
Label
Description
Time
Local time of the log event.
Description
Detailed information about the log event.
Refresh
Click to refresh current page to view new log event.
Clear
Click to clear all of the logs.
4.5 PARENTAL CONTROL
4.5.1 User Setup
This page allows configuration of users. The 'White List Only' feature limits the user to visiting only the
sites specified in the Allowed Domain List of his/her content rule.
The Parental Control User Setup page is the master page on which each individual user is linked
to a specified time access rule, a content filtering rule, and a login password for reaching the filtered
content. Each user may also be enabled as a trusted user, which means that person
will have access to all Internet content regardless of any filters that are set up. This check box
can be used as a simple override to grant a user full access while keeping all of
the previous filtering settings stored and available. A session duration timer can also be entered
to allow a user a finite amount of Internet access, under the rules entered, after
entering their password to reach the Internet for the first time. This allows a defined user to access
the Internet without having to enter a password every time a new web page is served to the
client. Likewise, there is a password inactivity timer: if there is no Internet access for the specified
amount of time in minutes, the user must log in again at expiration to continue using the Internet.
These timed logins ensure that a specific user is using the Internet gateway for access, so that
logging and access can be provided appropriately. Any time a change is made on this page for a
particular user, the Apply button at the bottom of the page must be pressed to activate and
store the settings.
Label
Description
User configuration
Input username to create a new user.
Add user
Click to add this user to the local database directly, even if you
haven't finished the configuration for this user.