EtherFast® Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint
Key Management
In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way the data will be decrypted. This is done by sharing a “key” to the encryption code. Under Key Management, you may choose automatic or manual key management.
Automatic Key Management
Select Auto (IKE) and enter a series of numbers or letters in the Pre-shared Key field. Check the box next to PFS (Perfect Forward Secrecy) to ensure that the initial key exchange and IKE proposals are secure. In the example shown in Figure 7-20, the word MyTest is used. Based on this word, which MUST be entered at both ends of the tunnel if this method is used, a key is generated to scramble (encrypt) the data being transmitted over the tunnel, where it is unscrambled (decrypted). You may use any combination of up to 24 numbers or letters in this field. No special characters or spaces are allowed. In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you’d like the key to be useful, or leave it blank for the key to last indefinitely.
Manual Key Management
Similarly, you may choose Manual keying, which allows you to generate the key yourself. Enter your key into the Encryption KEY field. Then enter an authentication key into the Authentication KEY field. These fields must both match the information that is being entered in the fields at the other end of the tunnel. The example in Figure 7-21 shows some sample entries for both the Encryption and Authentication Key fields. Up to 24 alphanumeric characters are allowed to create the Encryption Key. Up to 20 alphanumeric characters are allowed to create the Authentication Key.
Figure 7-20
Instant Broadband® Series
• Any - If you select Any for the Remote Security Gateway, as shown in Figure 7-19, the VPN device at the other end of the tunnel will accept a request from any IP address. The remote VPN device can be another Firewall Router, a VPN Server, or a computer with VPN client software that supports IPSec. If the remote user has an unknown or dynamic IP address (such as a professional on the road or a telecommuter using DHCP or PPPoE), then Any should be selected.
Encryption
Using Encryption also helps make your connection more secure. There are two different types of encryption: DES or 3DES (3DES is recommended because it is more secure). You may choose either of these, but it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel. Or, you may choose not to encrypt by selecting Disable.
Authentication
Authentication acts as another level of security. There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication. Or, both ends of the tunnel may choose to Disable authentication.
Figure 7-19
On the VPN screen, the word Connected should appear beside Status if the connection is successful. The other fields reflect the information that you entered on the VPN screen to make the connection.
If Disconnected appears under Status, as shown in Figure 7-23, some problem exists that prevents the creation of the tunnel. Make sure that all of your wiring is securely connected. Double-check all the values you entered on the VPN screen to make sure they are correct. If the other end of the tunnel is some distance from you (e.g., in another city, etc.), call to make sure that the settings on that end of the tunnel are correct as well.
If, for any reason, you experience a temporary disconnection, the connection will be re-established as long as the settings on both ends of the tunnel stay the same.
Figure 7-23
The Inbound SPI and Outbound SPI fields are different, however. The Inbound SPI value set here must match the Outbound SPI value at the other end of the tunnel. The Outbound SPI here must match the Inbound SPI value at the other end of the tunnel. In the example (see Figure 7-21), the Inbound SPI and Outbound SPI values shown would be opposite on the other end of the tunnel. Only numbers can be used in these fields. After you click the Apply button, hexadecimal characters (series of letters and numbers) are displayed in the Inbound SPI and Outbound SPI fields.
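As an added check that is not part of the manual or the Router's firmware, the following Python script compares the settings typed at both ends of a tunnel against the rules on this page: encryption and authentication must match, the pre-shared key or manual keys must be alphanumeric within the stated lengths and identical at both ends, and each end's Inbound SPI must equal the other end's Outbound SPI. The field names, the check_tunnel_pair function and the sample values are assumptions made for the example.

```python
import re

ALNUM = re.compile(r"^[A-Za-z0-9]+$")

def check_secret(name, value, max_len):
    """Apply the manual's field rule: letters and digits only, bounded length."""
    if not value or not ALNUM.match(value) or len(value) > max_len:
        return [f"{name}: must be 1-{max_len} letters/digits, no spaces or symbols"]
    return []

def check_tunnel_pair(local, remote):
    """Compare both ends of one tunnel; returns a list of findings (empty = consistent)."""
    findings = []
    for field in ("encryption", "authentication", "key_mode"):
        if local[field] != remote[field]:
            findings.append(f"{field}: local={local[field]!r} remote={remote[field]!r}")
    for field in ("encryption", "authentication"):
        if local[field] == "Disable":
            findings.append(f"{field}: Disable turns this protection off for the tunnel")
    if local["key_mode"] != remote["key_mode"]:
        return findings  # the per-mode fields below are not comparable
    if local["key_mode"] == "Auto (IKE)":
        findings += check_secret("pre_shared_key", local["pre_shared_key"], 24)
        if local["pre_shared_key"] != remote["pre_shared_key"]:
            findings.append("pre_shared_key: differs between ends")
        return findings
    # Manual keying: both keys are typed at each end and must match exactly,
    # while the SPIs must be swapped (my inbound is the peer's outbound).
    findings += check_secret("encryption_key", local["encryption_key"], 24)
    findings += check_secret("authentication_key", local["authentication_key"], 20)
    for key in ("encryption_key", "authentication_key"):
        if local[key] != remote[key]:
            findings.append(f"{key}: differs between ends")
    for end in (local, remote):
        for spi in (end["inbound_spi"], end["outbound_spi"]):
            if not spi.isdigit():
                findings.append(f"spi {spi!r}: only numbers can be entered")
    if local["inbound_spi"] != remote["outbound_spi"]:
        findings.append("local Inbound SPI does not equal remote Outbound SPI")
    if local["outbound_spi"] != remote["inbound_spi"]:
        findings.append("local Outbound SPI does not equal remote Inbound SPI")
    return findings

# Constructed sample (manual keying); REMOTE_BAD copied the SPIs without swapping them.
LOCAL = dict(key_mode="Manual", encryption="3DES", authentication="SHA",
             encryption_key="MyTestEncryptionKey12", authentication_key="MyTestAuthKey",
             inbound_spi="1001", outbound_spi="1002")
REMOTE_OK = dict(LOCAL, inbound_spi="1002", outbound_spi="1001")
REMOTE_BAD = dict(LOCAL)
```

Running check_tunnel_pair(LOCAL, REMOTE_BAD) reports the two SPI mismatches, while the swapped REMOTE_OK produces no findings.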
Once you are satisfied with all your settings, click the Apply button. If you make any mistakes, clicking the Cancel button will exit the screen without saving any changes, provided that you have not already clicked the Apply button.
After the VPN device is set up at the other end of the tunnel, you may click the Connect button to use the tunnel. This assumes that both ends of the tunnel have a physical connection to each other (e.g., over the Internet, physical wiring, etc.). After clicking the Connect button, click the Summary button. If the connection is made, the screen shown in Figure 7-22 will appear:
Figure 7-21
Figure 7-22
Encryption
Select the length of the key used to encrypt/decrypt ESP packets. There are two choices: DES and 3DES. 3DES is recommended because it is more secure.
Authentication
Select the method used to authenticate ESP packets. There are two choices: MD5 and SHA. SHA is recommended because it is more secure.
Group
There are two Diffie-Hellman Groups to choose from: 768-bit and 1024-bit. Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.
Key Lifetime
In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you’d like the key to be used until a re-key negotiation between each endpoint is completed.
Figure 7-25
To get more details concerning your tunnel connection, click the View Logs button. The screen in Figure 7-24 will appear:
Select the log you wish to view: All (to view all logs), System Log, Access Log, Firewall Log, or VPN Log. The System Log screen displays a list of cold and warm starts, web login successes and failures, and packet filtering policies. The Access Log shows all incoming and outgoing traffic. The Firewall Log lists activities performed by the firewall to prevent DoS attacks, including URL filtering and time filtering. The VPN Log screen displays successful connections, transmissions and receptions, and the types of encryption used.
Once you no longer have need of the tunnel, simply click the Disconnect button on the bottom of the VPN page. To change advanced settings, select the tunnel whose advanced settings you wish to change. Then, click the Advanced Setting button to change the Advanced Settings for a specific VPN tunnel.
Advanced Settings for Selected IPSec Tunnel
From the Advanced Settings screen, shown in Figure 7-25, you can adjust the settings for specific VPN tunnels.
Phase 1
Phase 1 is used to create a security association (SA), often called the IKE SA. After Phase 1 is completed, Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions.
Operation Mode
There are two modes: Main and Aggressive, and they exchange the same IKE payloads in different sequences. Main mode is more common; however, some people prefer Aggressive mode because it is faster. Main mode is for normal usage and includes more authentication requirements than Aggressive mode. Main mode is recommended because it is more secure. No matter which mode is selected, the VPN Router will accept both Main and Aggressive requests from the remote VPN device.
Figure 7-24
Phase 2
Group
There are two Diffie-Hellman Groups to choose from: 768-bit and 1024-bit. Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.
Key Lifetime
In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you’d like the key to be used until a re-key negotiation between each endpoint is completed.
Other Settings
NetBIOS broadcast
Check the box next to NetBIOS broadcast to enable NetBIOS traffic to pass through the VPN tunnel.
Anti-replay
Check the box next to Anti-replay to enable the Anti-replay protection. This feature keeps track of sequence numbers as packets arrive, ensuring security at the IP packet-level.
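As an added illustration, not code from the manual or the Router, this Python class shows the kind of sequence-number window that anti-replay protection relies on, following the standard ESP sliding-window scheme (RFC 4303): a packet is accepted once, a late but genuine packet inside the window is still accepted, and a duplicate or a packet older than the window is dropped. The class and function names and the constructed arrival order are assumptions.

```python
class AntiReplayWindow:
    """Sliding-window replay check over ESP sequence numbers: each number is
    accepted at most once, and numbers that fall behind the newest accepted
    number by more than the window size are dropped."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was already received

    def accept(self, seq):
        """Return True if the packet is fresh (and record it), False if it is a replay or too old."""
        if seq <= 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.top:                    # new high-water mark: slide the window forward
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            else:
                self.bitmap = 0               # jumped past the whole window
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq               # how far behind the newest packet this one is
        if offset >= self.size:
            return False                      # older than the window: cannot verify, drop
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset            # late but genuine (reordered in transit)
        return True


def process(seqs, size=64):
    """Run one window over a list of arriving sequence numbers; returns per-packet verdicts."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


# Constructed arrival order: 3 overtakes 2 in transit, 3 is then replayed,
# 100 slides the window far ahead, so 36 is too old but 37 still fits.
SAMPLE_ARRIVALS = [1, 3, 2, 3, 100, 36, 37]
# process(SAMPLE_ARRIVALS) -> [True, True, True, False, True, False, True]
```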
Keep-Alive
Check the box next to Keep-Alive to re-establish the VPN tunnel connection whenever it is dropped. Once the tunnel is initialized, this feature will keep the tunnel connected for the specified amount of idle time.
Unauthorized IP Blocking
Check this box to block unauthorized IP addresses. Complete the on-screen sentence to specify how many times IKE must fail before blocking that unauthorized IP address for a length of time that you specify (in seconds).
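An added example, not the Router's own code, of the threshold-and-timeout logic that Unauthorized IP Blocking describes: count consecutive IKE failures per peer address and refuse that address for a configured number of seconds once the threshold is reached. The class name, the event format and the placeholder addresses are assumptions made for the example.

```python
class IkeFailureBlocker:
    """Block a peer after max_failures consecutive IKE failures, for block_seconds (caller supplies time)."""

    def __init__(self, max_failures, block_seconds):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.failures = {}        # peer ip -> consecutive IKE failures
        self.blocked_until = {}   # peer ip -> time at which the block lapses

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # block lapsed: forget the peer's history
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def ike_failed(self, ip, now):
        """Record one failed IKE negotiation; returns True if ip is (now) blocked."""
        if self.is_blocked(ip, now):
            return True
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self.blocked_until[ip] = now + self.block_seconds
            return True
        return False

    def ike_succeeded(self, ip):
        """A successful negotiation resets the consecutive-failure count."""
        self.failures.pop(ip, None)


def replay_events(events, max_failures=3, block_seconds=60):
    """Feed constructed (time, ip, succeeded) events; returns which events hit a block."""
    blocker = IkeFailureBlocker(max_failures, block_seconds)
    verdicts = []
    for t, ip, ok in events:
        blocked = blocker.is_blocked(ip, t) if ok else blocker.ike_failed(ip, t)
        if ok and not blocked:
            blocker.ike_succeeded(ip)
        verdicts.append(blocked)
    return verdicts


# Constructed sample (placeholder addresses): 203.0.113.7 fails 3 times, retries while
# blocked, then is allowed to try again once the 60-second block has lapsed.
SAMPLE_EVENTS = [(0, "203.0.113.7", False), (5, "203.0.113.7", False), (9, "198.51.100.2", True),
                 (10, "203.0.113.7", False), (30, "203.0.113.7", False), (75, "203.0.113.7", False)]
# replay_events(SAMPLE_EVENTS) -> [False, False, False, True, True, False]
```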
The Password screen, shown in Figure 7-26, allows you to change the password, set SNMP Community names, enable UPnP Services, and restore default settings on the Router.
Router Password
It is strongly recommended that you set a password for the Router. The default password is admin. If you don’t change the password, all users on your network will be able to access the Router using the default password admin.
SNMP Community
Each SNMP Community field allows a name to be assigned to any SNMP community that has been set up in the network. Four different communities can be defined, including the two default communities, public and private. For each SNMP Community name, you can configure each community’s accessibility, making it either Read-Only or Read-Write.
Restore Factory Defaults
If you select the Restore Factory Defaults option and click the Apply button, you will clear all of the Router’s settings.
Password
Figure 7-26
Do not restore the factory defaults unless you are having difficulties with the Router and have exhausted all other troubleshooting measures. Once the Router is reset, you will have to re-enter all of your configuration data.
UPnP Function
Universal Plug and Play (UPnP) allows Windows XP to automatically configure the Router for various Internet applications, such as gaming and videoconferencing. To enable the use of UPnP, click the Yes radio button next to UPnP Function, or click the No radio button to disable the use of UPnP.
UPnP Control
This feature allows Windows XP to read and write UPnP Forwarding using UPnP. To enable this feature, click the Yes radio button next to UPnP Control, or click the No radio button to disable this feature. If disabled, UPnP Forwarding can only be read.
To apply any of the settings you change on a page, click the Apply button, and then click the Continue button. To cancel any values you’ve entered on any page, click the Cancel button.
The Status screen, shown in Figure 7-27, displays the Router’s current status and reflects the data and selections you’ve entered using the Setup screen. All of the information provided on this screen is read-only. To make changes, select the Setup tab.
Host Name
This field shows the name of the Router. This entry is necessary for some ISPs.
Status
Figure 7-27
Note: The information provided and buttons available may vary depending on the Router’s settings.