Vigor2800 Series User’s Guide

75

The reminder as regards concern about Firewall and UPnP

Can't work with Firewall Software

Enabling firewall applications on your PC may cause the UPnP function not

working properly. This is because these applications will block the accessing

ability of some network ports.

Security Considerations

Activating the UPnP function on your network may incur some security threats.

You should consider carefully these risks before activating the UPnP function.

¾

Some Microsoft operating systems have found out the UPnP weaknesses and

hence you need to ensure that you have applied the latest service packs and

patches.

¾

Non-privileged users can control some router functions, including removing

and adding port mappings.

The UPnP function dynamically adds port mappings on behalf of some

UPnP-aware applications. When the applications terminate abnormally, these

mappings may not be removed.

Vigor2800 Series User’s Guide

76

3.6.5 Wake On LAN

A PC client on LAN can wake up specified PC through the router. Yet the specified PC must

have installed a network card supporting WOL function. By the way, WOL function must be

set as “Enable” on the BIOS setting of the specified PC.

Wake by

Two types provide for you to wake up the binded IP. If you

choose Wake by MAC Address, you have to type the correct

MAC address of the host in MAC Address boxes. If you

choose Wake by IP Address, you have to choose the correct IP

address. The IP address should be binded with MAC address

configured in

Bind IP to MAC

page.

IP Address

The IP addresses that have been configured in

Firewall>>Bind IP to MAC

will be shown in this drop down

list. Choose the IP address from the drop down list that you

want to wake up.

MAC Address

Type any one of the MAC address of the binded PCs.

Wake Up!

Click this button to wake up the selected IP. See the following

figure. The result will be shown on the box.

Vigor2800 Series User’s Guide

77

3.7 VPN and Remote Access

A Virtual Private Network (VPN) is the extension of a private network that encompasses

links across shared or public networks like the Internet. In short, by VPN technology, you

can send data between two computers across a shared or public network in a manner that

emulates the properties of a point-to-point private link.

Below shows the menu items for VPN and Remote Access.

Note:

This feature can be applied for ISDN remote dial-in or ISDN LAN-to-LAN

connection in

i

series models.

3.7.1 Remote Access Control

Enable the necessary VPN service as you need. If you intend to run a VPN server inside your

LAN, you should disable the VPN service of Vigor Router to allow VPN tunnel pass through,

as well as the appropriate NAT settings, such as DMZ or open port.

The Vigor router will not accept the ISDN dial-in connection if the box of

Enable ISDN

Dial-in

is not checked.

3.7.2 PPP General Setup

This submenu only applies to PPP-related VPN connections, such as PPTP, L2TP, L2TP

over IPSec.

Vigor2800 Series User’s Guide

78

Dial-In PPP

Authentication PAP Only

Select this option to force the router to authenticate dial-in

users with the PAP protocol.

PAP or CHAP

Selecting this option means the router will attempt to

authenticate dial-in users with the CHAP protocol first. If the

dial-in user does not support this protocol, it will fall back to

use the PAP protocol for authentication.

Dial-In PPP Encryption

(MPPE Optional MPPE

This option represents that the MPPE encryption method will

be optionally employed in the router for the remote dial-in

user. If the remote dial-in user does not support the MPPE

encryption algorithm, the router will transmit “no MPPE

encrypted packets”. Otherwise, the MPPE encryption scheme

will be used to encrypt the data.

Require MPPE (40/128bits) -

Selecting this option will force

the router to encrypt packets by using the MPPE encryption

algorithm. In addition, the remote dial-in user will use 40-bit

to perform encryption prior to using 128-bit for encryption.

In other words, if 128-bit MPPE encryption method is not

available, then 40-bit encryption scheme will be applied to

encrypt the data.

Maximum MPPE -

This option indicates that the router will

use the MPPE encryption scheme with maximum bits

(128-bit) to encrypt the data.

Mutual Authentication

(PAP)

The Mutual Authentication function is mainly used to

communicate with other routers or clients who need

bi-directional authentication in order to provide stronger

security, for example, Cisco routers. So you should enable

this function when your peer router requires mutual

authentication. You should further specify the

User Name

and

Password

of the mutual authentication peer.

Start IP Address

Enter a start IP address for the dial-in PPP connection. You

should choose an IP address from the local private network.

For example, if the local private network is

192.168.1.0/255.255.255.0, you could choose 192.168.1.200

as the Start IP Address. But, you have to notice that the first

Vigor2800 Series User’s Guide

79

two IP addresses of 192.168.1.200 and 192.168.1.201 are

reserved for ISDN remote dial-in user.

3.7.3 IPSec General Setup

In

IPSec General Setup,

there are two major parts of configuration.

There are two phases of IPSec.

¾

Phase 1: negotiation of IKE parameters including encryption, hash, Diffie-Hellman

parameter values, and lifetime to protect the following IKE exchange, authentication of

both peers using either a Pre-Shared Key or Digital Signature (x.509). The peer that

starts the negotiation proposes all its policies to the remote peer and then remote peer

tries to find a highest-priority match with its policies. Eventually to set up a secure

tunnel for IKE Phase 2.

¾

Phase 2: negotiation IPSec security methods including Authentication Header (AH) or

Encapsulating Security Payload (ESP) for the following IKE exchange and mutual

examination of the secure tunnel establishment.

There are two encapsulation methods used in IPSec,

Transport

and

Tunnel

. The

Transport

mode will add the AH/ESP payload and use original IP header to encapsulate the data

payload only. It can just apply to local packet, e.g., L2TP over IPSec. The

Tunnel

mode will

not only add the AH/ESP payload but also use a new IP header (Tunneled IP header) to

encapsulate the whole original IP packet.

Authentication Header (AH) provides data authentication and integrity for IP packets passed

between VPN peers. This is achieved by a keyed one-way hash function to the packet to

create a message digest. This digest will be put in the AH and transmitted along with packets.

On the receiving side, the peer will perform the same one-way hash on the packet and

compare the value with the one in the AH it receives.

Encapsulating Security Payload (ESP) is a security protocol that provides data

confidentiality and protection with optional authentication and replay detection service.

IKE Authentication Method

This usually applies to those are remote dial-in user or node

(LAN-to-LAN) which uses dynamic IP address and

IPSec-related VPN connections such as L2TP over IPSec

and IPSec tunnel.

Pre-Shared Key -

Currently only support Pre-Shared Key

authentication.

Pre-Shared Key-

Specify a key for IKE authentication

Re-type Pre-Shared Key-

Confirm the pre-shared key.