Chapter 3: Advanced Configuration
Wireless-N ADSL2+ Gateway
20
Authentication
Authentication acts as another level of security. There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication. Or, both ends of the tunnel may choose to Disable authentication.
Key Management
In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way the data will be decrypted. This is done by sharing a “key” to the encryption code. Under Key Management, you may choose automatic or manual key management.
Auto (IKE) Key Management
Encryption
The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Notice that both sides must use the same method.
Authentication
The Authentication method authenticates the Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Notice that both sides (VPN endpoints) must use the same method.
MD5 - A one-way hashing algorithm that produces a 128-bit digest
SHA - A one-way hashing algorithm that produces a 160-bit digest
Perfect Forward Secrecy (PFS)
If PFS is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication. Note that both sides must have PFS enabled.
Pre-Shared Key
IKE uses the Pre-Shared Key to authenticate the remote IKE peer. Both character and hexadecimal values are acceptable in this field, e.g., “My_@123” or “0x4d795f40313233”. Note that both sides must use the same Pre-Shared Key.
Key Lifetime
This field specifies the lifetime of the IKE generated key. If the time expires, a new key will be renegotiated automatically. The Key Lifetime may range from 300 to 100,000,000 seconds. The default lifetime is 3600 seconds.
Manual Key Management
Encryption Algorithm
The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Notice that both sides must use the same method.
Encryption Key
This field specifies a key used to encrypt and decrypt IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Encryption Key.
Authentication Algorithm
The Authentication method authenticates the Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Notice that both sides (VPN endpoints) must use the same method.
MD5 - A one-way hashing algorithm that produces a 128-bit digest
SHA - A one-way hashing algorithm that produces a 160-bit digest
Authentication Key
This field specifies a key used to authenticate IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Authentication Key.
Inbound SPI/Outbound SPI
The Security Parameter Index (SPI) is carried in the ESP header. This enables the receiver to select the SA under which a packet should be processed. The SPI is a 32-bit value. Both decimal and hexadecimal values are acceptable, e.g., “987654321” or “0x3ade68b1”. Each tunnel must have a unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. Note that the Inbound SPI must match the remote gateway’s Outbound SPI, and vice versa.
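The Manual Key Management rules above (character or hexadecimal keys, 32-bit SPIs in decimal or hex, matching algorithms, and inbound/outbound SPIs that cross-match between the two gateways) can be checked before a tunnel is brought up. This is an added example, not the gateway's own code; the field names, the "3DES" value and the sample settings are constructed for illustration.

```python
# Added example, not the gateway's own code: checks the Manual Key Management
# fields described above (character or hex keys, 32-bit SPIs, MD5 or SHA) and
# whether the settings entered on the two gateways for one tunnel agree.

def parse_key(field):
    """Character or hexadecimal field value -> raw key bytes."""
    if field.lower().startswith("0x"):
        return bytes.fromhex(field[2:])
    return field.encode("ascii")


def parse_spi(field):
    """Decimal or hexadecimal SPI -> int, enforcing the 32-bit range."""
    value = int(field, 16) if field.lower().startswith("0x") else int(field, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"SPI is not a 32-bit value: {field}")
    return value


def check_pair(local, remote):
    """List the ways the two ends of a manually keyed tunnel disagree."""
    problems = []
    for f in ("enc_alg", "auth_alg"):        # both sides must use the same method
        if local[f] != remote[f]:
            problems.append(f"{f} differs: {local[f]} vs {remote[f]}")
    for f in ("enc_key", "auth_key"):        # compared as bytes, whatever the notation
        if parse_key(local[f]) != parse_key(remote[f]):
            problems.append(f"{f} differs")
    if parse_spi(local["spi_in"]) != parse_spi(remote["spi_out"]):
        problems.append("local Inbound SPI != remote Outbound SPI")
    if parse_spi(local["spi_out"]) != parse_spi(remote["spi_in"]):
        problems.append("local Outbound SPI != remote Inbound SPI")
    return problems


def spis_unique(tunnels):
    """No two tunnels on one gateway may share an Inbound or Outbound SPI."""
    spis = [parse_spi(t[k]) for t in tunnels for k in ("spi_in", "spi_out")]
    return len(spis) == len(set(spis))


# Constructed sample: the remote end typed the same keys and SPIs in the other notation
LOCAL = dict(enc_alg="3DES", auth_alg="SHA", enc_key="0x4d795f40313233",
             auth_key="My_@123", spi_in="987654321", spi_out="0x3ade68b2")
REMOTE = dict(enc_alg="3DES", auth_alg="SHA", enc_key="My_@123",
              auth_key="0x4d795f40313233", spi_in="0x3ade68b2", spi_out="0x3ade68b1")
```

Note that the page's own examples are the same value written two ways: “0x4d795f40313233” is the hex of “My_@123”, and “0x3ade68b1” equals 987654321.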
The Status field at the bottom of the screen will show when a tunnel is active. To connect a VPN tunnel, click the Connect button. Click the Disconnect button to break a connection for the current VPN tunnel. The View Log button, when logging is enabled on the Log screen of the Administration tab, will show you VPN activity on a separate screen. The VPN Log screen displays successful connections, transmissions and receptions, and the types of encryption used. For more advanced VPN options, click the Advanced Settings button to open the Advanced Settings screen.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
Advanced VPN Tunnel Setup
From the Advanced Settings screen you can adjust the settings for specific VPN tunnels.
Phase 1
Phase 1 is used to create a security association (SA), often called the IKE SA. After Phase 1 is completed, Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions.
Operation Mode
There are two modes: Main and Aggressive, and they exchange the same IKE payloads in different sequences. Main mode is more common; however, some people prefer Aggressive mode because it is faster. Main mode is for normal usage and includes more authentication requirements than Aggressive mode. Main mode is recommended because it is more secure. No matter which mode is selected, the VPN Router will accept both Main and Aggressive requests from the remote VPN device. If a user on one side of the tunnel is using a Unique Firewall Identifier, this should be entered under the User Name field.
Encryption
3DES is used to encrypt/decrypt ESP packets.
Authentication
Select the method used to authenticate ESP packets. There are two choices: MD5 and SHA. SHA is recommended because it is more secure.
Group
The Diffie-Hellman Groups to choose from are 768-bit, 1024-bit, and 1536-bit. Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.
Key Lifetime
In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you’d like the key to be used until a re-key negotiation between each endpoint is completed.
Phase 2
Group
The Diffie-Hellman Groups to choose from are 768-bit, 1024-bit, and 1536-bit. Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.
Key Lifetime
In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you’d like the key to be used until a re-key negotiation between each endpoint is completed.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
Access Restrictions > Internet Access Policy
The Internet Access Policy screen allows you to block or allow specific kinds of Internet usage and traffic, such as Internet access, designated services, and websites during specific days and times.
Internet Access Policy
Access can be managed by a policy. Use the settings on this screen to establish an access policy (after Save Settings is clicked). Selecting a policy from the drop-down menu will display that policy’s settings. To delete a policy, select that policy’s number and click Delete. To view all the policies, click Summary.
Summary
The policies are listed with the following information: No., Policy Name, Days, and Time of Day. To delete a policy, select Delete. To return to the Internet Access Policy screen, click Close.
Status
Policies are disabled by default. To enable a policy, select the policy number from the drop-down menu, and select Enable.
To create a policy, follow steps 1-11. Repeat these steps to create additional policies, one at a time.
1. Select a number from the Internet Access Policy drop-down menu.
2. To enable this policy, select Enable.
3. Enter a Policy Name in the field provided.
4. Click Edit List of PCs to select which computers will be affected by the policy. The Internet Access PC List screen appears. You can select a computer by MAC address or IP address. You can also enter a range of IP addresses if you want this policy to affect a group of computers. After making your changes, click Save Settings to apply your changes, or click Cancel Changes to cancel your changes. Then click Close.
5. Select the appropriate option, Deny or Allow, depending on whether you want to block or allow Internet access for the computers you selected on the Internet Access PC List screen.
6. Decide which days and what times you want this policy to be enforced. Select the individual days during which the policy will be in effect, or select Everyday. Then enter a range of hours and minutes during which the policy will be in effect, or select 24 Hours.
7. You can block websites with specific URL addresses. Enter each URL in a separate Website Blocking by URL Address field.
8. You can also block websites using specific keywords. Enter each keyword in a separate Website Blocking by Keyword field.
9. You can filter access to various services accessed over the Internet, such as FTP or telnet. From the Blocked Services list, select the service you want to block. The port numbers and protocol for the selected service are automatically displayed.
10. If the service you want is not listed, select User-Defined. Enter its port numbers in the fields provided. Then select its protocol: ICMP, TCP, UDP, or TCP & UDP from the drop-down menu.
11. Click Save Settings to save the policy’s settings. To cancel the policy’s settings, click Cancel Changes.
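To see how the pieces of a policy built with steps 1-11 fit together (PC list by MAC, IP or IP range; days and times; Deny or Allow; URL and keyword blocking; blocked services with their ports and protocol), here is an added model of one policy being evaluated against a request. It is not the Gateway's firmware: how a Deny/Allow choice combines with the URL, keyword and service blocks is an assumption made here, and IPv4 addresses are assumed in the PC list.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not the Gateway's firmware: evaluates one Internet Access
# Policy built with steps 1-11 above. How Deny/Allow combines with the URL,
# keyword and service blocks is an assumption made here, not stated on the page.
@dataclass
class Service:                  # a Blocked Services entry or a User-Defined one
    name: str
    port_start: int
    port_end: int
    protocol: str               # "ICMP", "TCP", "UDP" or "TCP & UDP"

@dataclass
class Policy:
    name: str
    enabled: bool = False                           # step 2 (disabled by default)
    action: str = "Deny"                            # step 5: Deny or Allow
    pcs: list = field(default_factory=list)         # step 4: MACs, IPs, IP ranges
    days: set = field(default_factory=lambda: set(range(7)))  # step 6: Everyday
    start: int = 0                                  # minutes of day; 0-1440 = 24 Hours
    end: int = 24 * 60
    urls: list = field(default_factory=list)        # step 7
    keywords: list = field(default_factory=list)    # step 8
    services: list = field(default_factory=list)    # steps 9-10

def pc_matches(entry, mac, ip):
    """Internet Access PC List entry: a MAC, an IPv4 address or 'a.b.c.d-e.f.g.h'."""
    if ":" in entry:
        return entry.lower() == mac.lower()
    lo, _, hi = entry.partition("-")
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(hi or lo)

def decide(p, mac, ip, weekday, minute, url=None, port=None, proto=None):
    """'allow' or 'deny' for one request from one PC (weekday: 0=Monday)."""
    if not p.enabled or not any(pc_matches(e, mac, ip) for e in p.pcs):
        return "allow"                  # policy off, or this PC is not listed
    if weekday not in p.days or not p.start <= minute <= p.end:
        return "allow"                  # outside the scheduled days and times
    if p.action == "Deny":
        return "deny"                   # Deny blocks Internet access outright
    if url and any(u in url for u in p.urls + p.keywords):
        return "deny"                   # Website Blocking by URL or Keyword
    for s in p.services:
        both = s.protocol == "TCP & UDP" and proto in ("TCP", "UDP")
        if port and s.port_start <= port <= s.port_end and (s.protocol == proto or both):
            return "deny"               # Blocked Services
    return "allow"
```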
Applications and Gaming > Single Port Forwarding
The Single Port Forwarding screen allows you to customize port services for common applications.
When users send these types of requests to your network via the Internet, the Gateway will forward those requests to the appropriate servers (computers). Before using forwarding, you should assign static IP addresses to the designated servers.
To forward a port, enter the information on each line for the criteria required.
Application
Enter the name you wish to give the application. Each name can be up to 12 characters.
External and Internal Port
Enter the external and internal port numbers.
Protocol
Select the protocol used for this application, either TCP or UDP.
IP Address
For each application, enter the IP address of the computer that should receive the requests.
Enabled
For each application, select Enabled to enable port forwarding.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
Applications and Gaming > Port Range Forwarding
The Port Range Forwarding screen allows you to set up public services on your network, such as web servers, ftp servers, e-mail servers, or other specialized Internet applications. (Specialized Internet applications are any applications that use Internet access to perform functions such as videoconferencing or online gaming. Some Internet applications may not require any forwarding.)
When users send these types of requests to your network via the Internet, the Gateway will forward those requests to the appropriate servers (computers). Before using forwarding, you should assign static IP addresses to the designated servers.
If you need to forward all ports to one computer, click the DMZ tab.
To forward a port range, enter the information on each line for the criteria required.
Application
In this field, enter the name you wish to give the application. Each name can be up to 12 characters.
Port Range Start and End
Enter the number or range of port(s) used by the server or Internet applications. Check with the Internet application documentation for more information.
Protocol
Select the protocol used for this application: TCP, UDP, or Both.
IP Address
For each application, enter the IP address of the computer running the specific application.
Enable
Select Enable to enable port forwarding for the applications you have defined.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
Applications and Gaming > Port Range Triggering
The Port Range Triggering screen allows the Gateway to watch outgoing data for specific port numbers. The IP address of the computer that sends the matching data is remembered by the Gateway, so that when the requested data returns through the Gateway, the data is pulled back to the proper computer by way of IP address and port mapping rules.
To trigger a port range, enter the information on each line for the criteria required.
Application Name
Enter the application name of the trigger.
Triggered Range Start Port and End Port
For each application, enter the starting and ending port numbers of the triggered port number range. Check with the Internet application documentation for the port number(s) needed.
Forwarded Range Start Port and End Port
For each application, enter the starting and ending port numbers of the forwarded port number range. Check with the Internet application documentation for the port number(s) needed.
Enabled
Select Enabled to enable port triggering for the applications you have defined.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
Applications and Gaming > DMZ
The DMZ feature allows one network computer to be exposed to the Internet for use of a special-purpose service such as Internet gaming or videoconferencing. DMZ hosting forwards all the ports at the same time to one PC. The Port Range Forwarding feature is more secure because it only opens the ports you want to have opened, while DMZ hosting opens all the ports of one computer, exposing the computer to the Internet.
Any computer whose port is being forwarded must have its DHCP client function disabled and should have a new static IP address assigned to it because its IP address may change when using the DHCP function.
DMZ Hosting
To disable DMZ hosting, keep the default, Disable. To expose one PC, select Enable. Then configure the following setting:
DMZ Host IP Address
Enter the IP address of the computer.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
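The four screens above (Single Port Forwarding, Port Range Forwarding, Port Range Triggering and DMZ) all decide the same question: which LAN host, if any, an inbound Internet packet is delivered to. The added model below is not the Gateway's firmware; it applies the page's field rules (12-character names, start/end ports, TCP/UDP/Both) and the described order of static forwarding, then triggered mappings, then the DMZ host, with the rule and address values constructed for illustration.

```python
from collections import namedtuple

# Added example, not the Gateway's firmware: a model of the Single Port Forwarding,
# Port Range Forwarding, Port Range Triggering and DMZ tables described above,
# showing which LAN host an inbound Internet packet is delivered to.
# One forwarding line; start == end with an internal port is Single Port Forwarding.
Forward = namedtuple("Forward", "application start end protocol ip enabled internal",
                     defaults=(True, 0))          # protocol: "TCP", "UDP" or "Both"
# One Port Range Triggering line: watched (triggered) range and forwarded range.
Trigger = namedtuple("Trigger", "application trig_start trig_end fwd_start fwd_end enabled",
                     defaults=(True,))

def validate(rule):
    """Field rules from the page: names up to 12 characters, start <= end ports."""
    errs = []
    if not 0 < len(rule.application) <= 12:
        errs.append("application name must be 1-12 characters")
    ranges = ([(rule.start, rule.end)] if isinstance(rule, Forward) else
              [(rule.trig_start, rule.trig_end), (rule.fwd_start, rule.fwd_end)])
    for lo, hi in ranges:
        if not 1 <= lo <= hi <= 65535:
            errs.append(f"bad port range {lo}-{hi}")
    return errs

class Gateway:
    def __init__(self, forwards, triggers, dmz_ip=None):
        self.forwards, self.triggers, self.dmz_ip = forwards, triggers, dmz_ip
        self.triggered = {}    # forwarded range -> LAN IP that last sent trigger data

    def outbound(self, src_ip, dst_port):
        """Watch outgoing data: a hit on a triggered range remembers the sender."""
        for t in self.triggers:
            if t.enabled and t.trig_start <= dst_port <= t.trig_end:
                self.triggered[(t.fwd_start, t.fwd_end)] = src_ip

    def inbound(self, dst_port, protocol):
        """(ip, port) an Internet packet is delivered to, or None if dropped."""
        for f in self.forwards:          # static mappings set up beforehand
            if f.enabled and f.start <= dst_port <= f.end and f.protocol in (protocol, "Both"):
                return f.ip, f.internal or dst_port
        for (lo, hi), ip in self.triggered.items():   # pulled back to triggering PC
            if lo <= dst_port <= hi:
                return ip, dst_port
        return (self.dmz_ip, dst_port) if self.dmz_ip else None  # DMZ gets all the rest
```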
Applications and Gaming > QoS
Quality of Service (QoS) ensures better service to high-priority types of network traffic, which may involve demanding, real-time applications, such as videoconferencing.
Wireless
The Gateway features Wi-Fi Multimedia (WMM™) Support. The No Acknowledgement feature is available only when the WMM Support feature is enabled.
WMM Support
Wi-Fi Multimedia is a QoS feature defined by the Wi-Fi Alliance before IEEE 802.11e was finalized. Now it is part of IEEE 802.11e. When it is enabled, it provides four priority queues for different types of traffic. It automatically maps the incoming packets to the appropriate queues based on QoS settings (in the IP or layer 2 header). WMM provides the capability to prioritize traffic in your environment. If you have other devices on your network that support WMM, keep the default, Enabled. Otherwise, select Disabled.
No ACK
If you want to disable the Gateway’s Acknowledgement feature, so the Gateway will not re-send data if an error occurs, then keep the default, Enabled. Otherwise, select Disabled.
Internet Access Priority
In this section, you can set the bandwidth priority for a variety of applications and devices. There are four levels of priority: High, Medium, Normal, or Low. When you set priority, do not set all applications to High, because this will defeat the purpose of allocating the available bandwidth. If you want to select below normal bandwidth, select Low. Depending on the application, a few attempts may be needed to set the appropriate bandwidth priority.
Enabled/Disabled
To use the QoS policies you have set, select Enabled. Otherwise, select Disabled.
Category
The following categories are available: Applications, Online Games, MAC Address, Ethernet Port, or Voice Device. Proceed to the instructions for your selection.
