Chapter 6: Setting Up and Configuring the Router
Firewall Tab
4-Port Gigabit Security Router with VPN
8. You can filter access to various applications accessed over the Internet, such as FTP or telnet, by selecting up to two services to block in the Blocked Services section. The Blocked Services select list offers a choice of preset applications. If you select a preset application, its port numbers and protocol are displayed and cannot be changed. If the application you want to block is not listed, select User-Defined; you can then enter the port range and protocol for the service you wish to block. To remove the blocking, select “None” in the service list.
9. Click the Save Settings button to save the policy settings.
Single Port Forwarding
Application Name. Enter the name of the application you wish to configure.
External Port. This is the port number used by the server or Internet application. Internet users must connect using this port number. Check with the software documentation of the Internet application for more information.
Internal Port. This is the port number used by the Router when forwarding Internet traffic to the PC or server on your LAN. Normally, this is the same as the External Port number. If it is different, the Router performs a “Port Translation”, so that the port number used by Internet users is different to the port number used by the server or Internet application.
For example, you could configure your Web Server to accept connections on both port 80 (standard) and port
8080. Then enable Port Forwarding, and set the External Port to 80, and the Internal Port to 8080. Now, any traffic
from the Internet to your Web server will be using port 8080, even though the Internet users used the standard
port, 80. (Users on the local LAN can and should connect to your Web Server using the standard port 80.)
Protocol. Select the protocol used for this application, TCP and/or UDP.
IP Address. For each application, enter the IP address of the PC running the specific application.
Enabled. Click the Enabled checkbox to enable port forwarding for the relevant application.
Port Range Forwarding
Application. Enter the name of the application you wish to configure.
Start. This is the beginning of the port range. Enter the beginning of the range of port numbers (external ports) used by the server or Internet application. Check with the software documentation of the Internet application for more information if necessary.
Figure 6-20: Single Port Forwarding
Figure 6-21: Port Range Forwarding
End. This is the end of the port range. Enter the end of the range of port numbers (external ports) used by the server or Internet application. Check with the software documentation of the Internet application for more information if necessary.
Protocol. Select the protocol(s) used for this application, TCP and/or UDP.
IP Address. For each application, enter the IP address of the PC running the specific application.
Enabled. Click the Enabled checkbox to enable port range forwarding for the relevant application.
Port Range Triggering
Application Name. Enter the name of the application you wish to configure.
Triggered Range. For each application, list the triggered port number range. These are the ports used by outgoing traffic. Check with the Internet application documentation for the port number(s) needed. In the first field, enter the starting port number of the Triggered Range. In the second field, enter the ending port number of the Triggered Range.
Forwarded Range. For each application, list the forwarded port number range. These are the ports used by incoming traffic. Check with the Internet application documentation for the port number(s) needed. In the first field, enter the starting port number of the Forwarded Range. In the second field, enter the ending port number of the Forwarded Range.
Enabled. Click the Enabled checkbox to enable port range triggering for the relevant application.
VPN Tab
IPSec VPN
Select Tunnel Entry. Select a tunnel to configure.
Delete Button. Click this button to delete all settings for the selected tunnel.
Summary Button. Clicking this button shows the settings and status of all enabled tunnels.
IPSec VPN Tunnel. Check the Enable option to enable this tunnel.
Tunnel Name. Enter a name for this tunnel, such as “Anaheim Office”.
Figure 6-22: Port Range Triggering
Figure 6-23: VPN
Local Security Group
Local Security Group Type. Select the local LAN user(s) behind the router that can use this VPN tunnel. This may be a single IP address or Sub-network. Notice that the Local Security Group must match the other router's Remote Security Group.
IP Address. Enter the IP address on the local network.
Subnet Mask. If the “Subnet” option is selected, enter the mask to determine the IP addresses on the local network.
Remote Security Group
Remote Security Group. Select the remote LAN user(s) behind the remote gateway who can use this VPN tunnel. This may be a single IP address, a Sub-network, or any addresses. If “Any” is set, the router acts as responder and accepts requests from any remote user. Notice that the Remote Security Group must match the other router's Local Security Group.
IP Address. Enter the IP address on the remote network.
Subnet Mask. If the “Subnet” option is selected, enter the mask to determine the IP addresses on the remote network.
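The mirror rule for the two Security Groups can be checked before either router is changed. The following is an added example, not part of the original manual or the router's firmware; the dictionary layout, the router labels and the sample addresses are constructed for illustration.

```python
import ipaddress

def group(kind, ip=None, mask=None):
    """Normalise a Security Group setting ("IP", "Subnet" or "Any")."""
    if kind == "Any":
        return "Any"
    if kind == "IP":
        return ipaddress.ip_network(f"{ip}/32")
    if kind == "Subnet":
        # strict=False: a host address typed with a mask still names its subnet
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    raise ValueError(f"unknown group type: {kind!r}")

def mirror_findings(routers):
    """routers maps two labels to {'local': (...), 'remote': (...)} entries.

    Each side's Local Security Group must equal the other side's Remote
    Security Group; returns one finding per violated direction.
    """
    (name_a, a), (name_b, b) = routers.items()
    findings = []
    for near_name, near, far_name, far in ((name_a, a, name_b, b),
                                           (name_b, b, name_a, a)):
        local = group(*near["local"])
        remote = group(*far["remote"])
        if remote == "Any":
            # Per the page: the router answers requests from any remote user
            findings.append(f"{far_name}: Remote Security Group is Any")
        elif local != remote:
            findings.append(
                f"{near_name} local {local} != {far_name} remote {remote}")
    return findings

# Constructed sample: the branch router's remote mask was mistyped as /25
SAMPLE = {
    "hq": {"local": ("Subnet", "192.168.1.0", "255.255.255.0"),
           "remote": ("Subnet", "192.168.2.0", "255.255.255.0")},
    "branch": {"local": ("Subnet", "192.168.2.0", "255.255.255.0"),
               "remote": ("Subnet", "192.168.1.0", "255.255.255.128")},
}

if __name__ == "__main__":
    for finding in mirror_findings(SAMPLE):
        print(finding)
```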
Remote Security Gateway
Remote Security Gateway Type. Select the desired option - IP address or “Any”. If the remote gateway has a dynamic IP address, select “Any”.
IP Address. The IP address in this field must match the public IP address (i.e. WAN IP Address) of the remote gateway at the other end of this tunnel.
Key Management
Key Exchange Method. The router supports both automatic and manual key management. When automatic key management is chosen, IKE (Internet Key Exchange) protocols are used to negotiate key material for the SA. If manual key management is selected, no key negotiation is needed. Manual key management is typically used in small static environments or for troubleshooting purposes. Notice that both sides must use the same Key Management method.
Auto IKE
Encryption. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Only 3DES is supported. Notice that both sides must use the same Encryption method.
Authentication. Authentication determines a method to authenticate the ESP packets. Either MD5 or SHA1 may be selected. Notice that both sides (VPN endpoints) must use the same Authentication method.
MD5: A one-way hashing algorithm that produces a 128-bit digest.
SHA1: A one-way hashing algorithm that produces a 160-bit digest.
PFS. If PFS is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication. Note that both sides must have this selected.
Pre-Shared Key. IKE uses the Pre-shared Key field to authenticate the remote IKE peer. Both character and hexadecimal values are acceptable in this field, e.g. “My_@123” or “0x4d795f40313233”. Note that both sides must use the same Pre-shared Key.
Key Life Time. This field specifies the lifetime of the IKE generated key. If the time expires, a new key will be renegotiated automatically. The Key Life Time may range from 300 to 100,000,000 seconds. The default Life Time is 3600 seconds.
Manual
Encryption Algorithm. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Only 3DES is supported. Notice that both sides must use the same Encryption method.
Encryption Key. This field specifies a key used to encrypt and decrypt IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Encryption Key.
Authentication Algorithm. Authentication determines a method to authenticate the ESP packets. Either MD5 or SHA1 may be selected. Notice that both sides (VPN endpoints) must use the same Authentication method.
MD5: A one-way hashing algorithm that produces a 128-bit digest.
SHA1: A one-way hashing algorithm that produces a 160-bit digest.
Authentication Key. This field specifies a key used to authenticate IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Authentication Key.
Inbound SPI/Outbound SPI. The SPI (Security Parameter Index) is carried in the ESP header. This enables the receiver to select the SA under which a packet should be processed. The SPI is a 32-bit value. Both decimal and hexadecimal values are acceptable, e.g. “987654321” or “0x3ade68b1”. Each tunnel must have a unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. Notice that the Inbound SPI must match the other router's Outbound SPI, and vice versa.
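An added example (not from the manual) that checks both ends of a manually keyed tunnel against the rules above: identical algorithms and keys, mirrored SPIs, and no SPI shared with another tunnel. It assumes a character key stands for its ASCII bytes, as the page's “My_@123” / “0x4d795f40313233” pair suggests; the field names and sample entries are constructed.

```python
def key_bytes(field):
    """Key fields take characters or hexadecimal ("0x..."); return raw bytes.
    Assumption: a character key stands for its ASCII bytes."""
    if field[:2].lower() == "0x":
        return bytes.fromhex(field[2:])
    return field.encode("ascii")

def spi(field):
    """SPI fields take decimal or hexadecimal; the SPI is a 32-bit value."""
    text = field.strip().lower()
    value = int(text[2:], 16) if text.startswith("0x") else int(text, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"SPI does not fit in 32 bits: {field}")
    return value

def manual_findings(a, b, spis_in_use=()):
    """Compare both ends of a manually keyed tunnel; return rule violations.
    spis_in_use: SPIs of the other tunnels already defined on router A."""
    findings = []
    for name in ("enc_alg", "auth_alg"):
        if a[name] != b[name]:
            findings.append(f"{name} differs")
    for name in ("enc_key", "auth_key"):
        # Compare decoded bytes so "My_@123" equals its hexadecimal form
        if key_bytes(a[name]) != key_bytes(b[name]):
            findings.append(f"{name} differs")
    a_in, a_out, b_in, b_out = (
        spi(r[k]) for r in (a, b) for k in ("in_spi", "out_spi"))
    if a_in != b_out:
        findings.append("A inbound SPI != B outbound SPI")
    if a_out != b_in:
        findings.append("A outbound SPI != B inbound SPI")
    if {a_in, a_out} & {spi(s) for s in spis_in_use}:
        findings.append("SPI already used by another tunnel")
    return findings

# Constructed sample entries (hypothetical field names, the page's example strings)
ROUTER_A = {"enc_alg": "3DES", "auth_alg": "SHA1",
            "enc_key": "My_@123", "auth_key": "0x4d795f40313233",
            "in_spi": "987654321", "out_spi": "0x3ade68b2"}
ROUTER_B = {"enc_alg": "3DES", "auth_alg": "MD5",
            "enc_key": "0x4d795f40313233", "auth_key": "My_@123",
            "in_spi": "0x3ade68b2", "out_spi": "0x3ade68b1"}

if __name__ == "__main__":
    for finding in manual_findings(ROUTER_A, ROUTER_B):
        print(finding)
```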
Status
Status. This field shows the connection status for the selected tunnel. The state is either connected or disconnected.
Connect button. Use this to establish a connection for the current VPN tunnel. If you have made any changes, click Save Settings first to apply your changes.
Disconnect button. Use this to break a connection for the current VPN tunnel.
View Log button. Click this to view the VPN log, which shows details of each tunnel established.
Advanced Settings button. If the Key Exchange Method is Auto (IKE), this button provides access to some additional settings relating to IKE. Use this if this router is unable to establish a VPN tunnel to the remote VPN Gateway; ensure the Advanced Settings match those on the remote VPN Gateway.
Advanced Settings
Phase 1
Operation Mode. Select the method to match the remote VPN endpoint.
Main: Main Mode is slower but more secure.
Aggressive: Aggressive mode is faster but less secure.
Local Identity. Select the desired option to match the “Remote Identity” setting at the other end of this tunnel.
Local IP address: Your WAN IP Address.
Name: Your domain name.
Remote Identity. Select the desired option to match the “Local Identity” setting at the other end of this tunnel.
Local IP address: WAN IP Address of the remote VPN endpoint.
Name: Domain name of the remote VPN endpoint.