Instant Broadband® Series
EtherFast® Cable/DSL VPN Router with 4-Port 10/100 Switch
VPN
Virtual Private Networking (VPN) is a security measure that basically creates a secure connection between two remote locations. This connection is very specific as far as its settings are concerned; this is what creates the security. The VPN screen, shown in Figure 6-8, allows you to configure your VPN settings to make your network more secure.
Note: Network security, while a desirable and often necessary aspect of networking, is complex and requires a thorough understanding of networking principles.
Figure 6-8
PPTP
Point to Point Tunneling Protocol (PPTP) is a service that applies for connections in Europe only. (This setup is shown in Figure 6-7.)
Specify WAN IP Address
This is the Router’s IP address, as seen from the Internet. Your ISP will provide you with the IP Address you need to specify here.
Subnet Mask
This is the Router’s Subnet Mask, as seen by external users on the Internet (including your ISP). Your ISP will provide you with the Subnet Mask.
Default Gateway Address
Your ISP will provide you with the Default Gateway Address.
Connect on Demand and Max Idle Time
You can configure the Router to cut your connection with your ISP after a specified period of time (Max Idle Time). If you have been disconnected due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. If you wish to activate Connect on Demand, click the radio button. If you want your Internet connection to remain on at all times, enter 0 in the Max Idle Time field. Otherwise, enter the number of minutes you want to have elapsed before your Internet access disconnects.
Keep Alive Option and Redial Period
This option keeps your PPPoE-enabled Internet access connected indefinitely, even when it sits idle. Click the radio button next to Keep Alive to select it. The default Redial Period is 30 seconds.
Figure 6-7
• IP Address - If you select IP Address, only the computer with the specific IP Address that you enter will be able to access the tunnel. In the example shown in Figure 6-10, only the computer with IP Address 192.168.1.10 can access the tunnel from this end. Only the computer with IP Address 192.168.2.12 can access the tunnel from the remote end (in your settings, use the IP Addresses appropriate for your VPN).
• IP Range - If you select IP Range, it will be a combination of Subnet and IP Address. You can specify a range of IP Addresses within the Subnet which will have access to the tunnel. In the example shown in Figure 6-11, all computers on this end of the tunnel with IP Addresses between 192.168.1.1 and 192.168.1.20 can access the tunnel from the local end. Only computers assigned an IP Address between 192.168.2.1 and 192.168.2.100 can access the tunnel from the remote end (in your settings, use the IP Ranges appropriate for your VPN).
Figure 6-10
Figure 6-11
Note: It is possible to set up the VPN Router using any combination of the three settings under Local Secure Group and the five settings under Remote Secure Group. For instance, when Subnet is chosen on the local end of the tunnel, Subnet does not have to be chosen at the remote end. So a single IP Address could be chosen to access the tunnel on the local end and a range of IP Addresses could be set at the remote end of the tunnel.
Establishing a Tunnel
The VPN Router creates a tunnel or channel between two endpoints, so that the data or information between these endpoints is secure. To establish this tunnel, select the tunnel you wish to create in the Select Tunnel Entry drop-down box. It is possible to create up to 70 simultaneous tunnels. Then check the box next to Enable to enable the tunnel.
Once the tunnel is enabled, enter the name of the tunnel in the Tunnel Name field. This is to allow you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
Local Secure Group and Remote Secure Group
The Local Secure Group is the computer(s) on your LAN that can access the tunnel. The Remote Secure Group is the computer(s) on the remote end of the tunnel that can access the tunnel. Under Local Secure Group and Remote Secure Group, you may choose one of three options: Subnet, IP Address, and IP Range. Under Remote Secure Group, you have two additional options: Host and Any.
• Subnet - If you select Subnet (which is the default), this will allow all computers on the local subnet to access the tunnel. In the example shown in Figure 6-9, all Local Secure Group computers with IP Addresses 192.168.1.xxx will be able to access the tunnel. All Remote Secure Group computers with IP Addresses 192.168.2.xxx will be able to access the tunnel (in your settings, use the IP Addresses appropriate for your VPN). When using the Subnet setting, the default values of 0 should remain in the last fields of the IP and Mask settings.
Note: The IP Addresses and Subnet Mask values used here are for example only. Do not try to use them for your actual setup. Obtain the relevant information from your own network to accurately configure the Router.
Figure 6-9
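The three selector types shared by the Local and Remote Secure Groups (Subnet, IP Address, IP Range) differ in how many computers they admit to the tunnel. The sketch below is an added example, not part of the Linksys manual: it evaluates each selector with the manual's own example addresses, and the tuple representation and function names are assumptions.

```python
import ipaddress

# Selector values are the manual's examples (Figures 6-9 to 6-11); the
# (kind, value) tuple representation is an assumption made for this sketch.
SUBNET = ("subnet", ("192.168.1.0", "255.255.255.0"))
SINGLE = ("ip", "192.168.1.10")
RANGE = ("range", ("192.168.1.1", "192.168.1.20"))

def members(selector):
    """Return the (first, last) IPv4 addresses a selector admits."""
    kind, value = selector
    if kind == "subnet":
        ip, mask = value
        # strict=True rejects host bits: the last IP field must stay 0
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=True)
        return net[0], net[-1]
    if kind == "ip":
        addr = ipaddress.IPv4Address(value)
        return addr, addr
    if kind == "range":
        first, last = (ipaddress.IPv4Address(v) for v in value)
        if first > last:
            raise ValueError("range start is above range end")
        return first, last
    raise ValueError(f"unknown selector kind: {kind!r}")

def allowed(addr, selector):
    """True if addr may use the tunnel under this Secure Group selector."""
    first, last = members(selector)
    return first <= ipaddress.IPv4Address(addr) <= last

def exposure(selector):
    """Number of addresses the selector admits (smaller is tighter)."""
    first, last = members(selector)
    return int(last) - int(first) + 1

if __name__ == "__main__":
    for name, sel in (("Subnet", SUBNET), ("IP Address", SINGLE),
                      ("IP Range", RANGE)):
        print(f"{name:10} admits {exposure(sel):3} addresses; "
              f"192.168.1.30 allowed: {allowed('192.168.1.30', sel)}")
```

Choosing the narrowest selector that still covers the computers that need the tunnel keeps every other LAN host out of it.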
• IP Address - If you select IP Address, as shown in Figure 6-14, enter the IP Address of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN Router, a VPN Server, or a computer with VPN client software that supports IPSec. The IP Address may either be static (permanent) or dynamic (changing), depending on the settings of the remote VPN device. Make sure that you have entered the IP Address correctly, or the connection cannot be made. Remember, this is NOT the IP Address of the local VPN Router, but the IP Address of the remote VPN Router or device with which you wish to communicate.
• FQDN (Fully Qualified Domain Name) - If you select FQDN, as shown in Figure 6-15, enter the FQDN of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN Router, a VPN Server, or a computer with VPN client software that supports IPSec. The FQDN is the host name and domain name for a specific computer on the Internet, for example, vpn.myvpnserver.com.
Figure 6-14
Figure 6-15
Under Remote Secure Group, you have two additional options: Host and Any.
• Host - If you select Host for the Remote Secure Group, then the Remote Secure Group will be the same as the Remote Security Gateway setting: IP Address, FQDN (Fully Qualified Domain Name), or Any. (Remote Security Gateway settings are explained on the following page.) In the example shown in Figure 6-12, the Remote Secure Group is the same as the Remote Security Gateway, set to a specific IP Address.
• Any - If you select Any for the Remote Secure Group, the local VPN Router will accept a request from any IP address. This setting, shown in Figure 6-13, should be chosen when the other endpoint is using DHCP or PPPoE on the WAN side.
Remote Security Gateway
The Remote Security Gateway is the VPN device, such as a second VPN Router, on the remote end of the VPN tunnel. Under Remote Security Gateway, you have three options: IP Address, FQDN, and Any.
Figure 6-12
Figure 6-13
Key Management
In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way the data will be decrypted. This is done by sharing a “key” to the encryption code. Under Key Management, you may choose automatic or manual key management.
Automatic Key Management
Select Auto (IKE) and enter a series of numbers or letters in the Pre-shared Key field. Check the box next to PFS (Perfect Forward Secrecy) to ensure that the initial key exchange and IKE proposals are secure. In the example shown in Figure 6-17, the word MyTest is used. Based on this word, which MUST be entered at both ends of the tunnel if this method is used, a key is generated to scramble (encrypt) the data being transmitted over the tunnel, where it is unscrambled (decrypted). You may use any combination of up to 24 numbers or letters in this field. No special characters or spaces are allowed. In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you’d like the key to be useful, or leave it blank for the key to last indefinitely.
Manual Key Management
Similarly, you may choose Manual keying, which allows you to generate the key yourself. Enter your key into the Encryption KEY field. Then enter an Authentication KEY into that field. These fields must both match the information that is being entered in the fields at the other end of the tunnel. The example in Figure 6-18 shows some sample entries for both the Encryption and Authentication Key fields. Up to 24 alphanumeric characters are allowed to create the Encryption Key. Up to 20 alphanumeric characters are allowed to create the Authentication Key.
• Any - If you select Any for the Remote Security Gateway, as shown in Figure 6-16, the VPN device at the other end of the tunnel will accept a request from any IP address. The remote VPN device can be another VPN Router, a VPN Server, or a computer with VPN client software that supports IPSec. If the remote user has an unknown or dynamic IP address (such as a professional on the road or a telecommuter using DHCP or PPPoE), then Any should be selected.
Encryption
Using Encryption also helps make your connection more secure. There are two different types of encryption: DES or 3DES (3DES is recommended because it is more secure). You may choose either of these, but it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel. Or, you may choose not to encrypt by selecting Disable. In Figure 6-16, DES (which is the default) has been selected.
Authentication
Authentication acts as another level of security. There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication. Or, both ends of the tunnel may choose to Disable authentication. In Figure 6-16, MD5 (the default) has been selected.
Figure 6-17
Figure 6-16
Under Status, the word Connected should appear if the connection is successful. The other fields reflect the information that you entered on the VPN screen to make the connection.
If Disconnected appears under Status, as shown in Figure 6-20, some problem exists that prevents the creation of the tunnel. Make sure that all of your wiring is securely connected. Double-check all the values you entered on the VPN screen to make sure they are correct. If the other end of the tunnel is some distance from you (e.g., in another city, etc.), call to make sure that the settings on that end of the tunnel are correct as well.
If, for any reason, you experience a temporary disconnection, the connection will be re-established as long as the settings on both ends of the tunnel stay the same.
Figure 6-20
The Inbound SPI and Outbound SPI fields are different, however. The Inbound SPI value set here must match the Outbound SPI value at the other end of the tunnel. The Outbound SPI here must match the Inbound SPI value at the other end of the tunnel. In the example (see Figure 6-18), the Inbound SPI and Outbound SPI values shown would be opposite on the other end of the tunnel. Only numbers can be used in these fields. After you click the Apply button, hexadecimal characters (series of letters and numbers) are displayed in the Inbound SPI and Outbound SPI fields.
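The matching rules this section gives for the two ends of a tunnel (same encryption and authentication type, the same keys within the stated length and character limits, crossed SPI values) can be checked before clicking Connect. The following is an added example, not part of the Linksys manual; the dictionary field names and the sample settings are assumptions made for the sketch.

```python
import re

ALNUM = re.compile(r"[A-Za-z0-9]+")   # keys: letters and digits only

def check_tunnel(local, remote):
    """List the ways two tunnel ends disagree (empty list = consistent)."""
    problems = []
    # These must be the same type at both ends of the tunnel.
    for field in ("key_management", "encryption", "authentication"):
        if local.get(field) != remote.get(field):
            problems.append(f"{field}: {local.get(field)} vs {remote.get(field)}")
    if local.get("key_management") == "manual":
        keys = (("encryption_key", 24), ("authentication_key", 20))
        # SPIs are crossed: inbound here must equal outbound there.
        for mine, theirs in (("inbound_spi", "outbound_spi"),
                             ("outbound_spi", "inbound_spi")):
            if local.get(mine) != remote.get(theirs):
                problems.append(f"local {mine} != remote {theirs}")
    else:
        keys = (("pre_shared_key", 24),)
    for field, limit in keys:
        for side, cfg in (("local", local), ("remote", remote)):
            value = cfg.get(field, "")
            if not ALNUM.fullmatch(value) or len(value) > limit:
                problems.append(f"{side} {field}: need 1-{limit} letters or digits")
        if local.get(field) != remote.get(field):
            problems.append(f"{field} differs between ends")  # value never echoed
    return problems

# Constructed sample settings (not taken from the manual's figures).
SITE_A = {"key_management": "manual", "encryption": "3DES",
          "authentication": "SHA", "encryption_key": "Kq7x2LmP9a",
          "authentication_key": "Zt4c8RwN1b",
          "inbound_spi": 1000, "outbound_spi": 2000}
SITE_B = dict(SITE_A, inbound_spi=2000, outbound_spi=1000)
SITE_B_BAD = dict(SITE_B, encryption="DES", inbound_spi=1000)

if __name__ == "__main__":
    print(check_tunnel(SITE_A, SITE_B))       # consistent pair
    for line in check_tunnel(SITE_A, SITE_B_BAD):
        print("mismatch:", line)
```

The report names the field that disagrees but never prints a key value, so it can be shared with whoever administers the other end.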
Once you are satisfied with all your settings, click the Apply button. If you make any mistakes, clicking the Cancel button will exit the screen without saving any changes, provided that you have not already clicked the Apply button.
After the VPN device is set up at the other end of the tunnel, you may click the Connect button to use the tunnel. This assumes that both ends of the tunnel have a physical connection to each other (e.g., over the Internet, physical wiring, etc.). After clicking the Connect button, click the Summary button. If the connection is made, the screen shown in Figure 6-19 will appear:
Figure 6-18
Figure 6-19