Chapter 5: Configuring the Gateway
The Security Tab
Wireless-G ADSL Gateway
Advanced VPN Tunnel Setup
From the Advanced IPSec VPN Tunnel Setup screen, shown in Figure 5-21, you can adjust the settings for specific
VPN tunnels.
Phase 1
Phase 1 is used to create a security association (SA), often called the IKE SA. After Phase 1 is completed,
Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions.
Operation Mode. There are two modes: Main and Aggressive, and they exchange the same IKE payloads in
different sequences. Main mode is more common; however, some people prefer Aggressive mode because it
is faster. Main mode is for normal usage and includes more authentication requirements than Aggressive
mode. Main mode is recommended because it is more secure. No matter which mode is selected, the VPN
Gateway will accept both Main and Aggressive requests from the remote VPN device. Select Username, then
enter the user name.
Encryption. Select the length of the key used to encrypt/decrypt ESP packets. There are two choices: DES and
3DES. 3DES is recommended because it is more secure.
Authentication. Select the method used to authenticate ESP packets. There are two choices: MD5 and SHA.
SHA is recommended because it is more secure.
Group. There are two Diffie-Hellman Groups to choose from: 768-bit and 1024-bit. Diffie-Hellman refers to a
cryptographic technique that uses public and private keys for encryption and decryption.
Key Life Time. In the Key Lifetime field, you may optionally select to have the key expire at the end of a time
period of your choosing. Enter the number of seconds you’d like the key to be used until a re-key negotiation
between each endpoint is completed.
Phase 2
Encryption. The encryption method selected in Phase 1 will be displayed.
Authentication. The authentication method selected in Phase 1 will be displayed.
PFS. The status of PFS will be displayed.
Group. There are two Diffie-Hellman Groups to choose from: 768-bit and 1024-bit. Diffie-Hellman refers to a
cryptographic technique that uses public and private keys for encryption and decryption.
Figure 5-21: Advanced VPN Tunnel Setup
Key Life Time. In the Key Lifetime field, you may select to have the key expire at the end of a time period of
your choosing. Enter the number of seconds you’d like the key to be used until a re-key negotiation between
each endpoint is completed.
Other Setting
NetBIOS broadcast. Check the box next to NetBIOS broadcast to enable NetBIOS traffic to pass through the
VPN tunnel.
Anti-replay. Check the box next to Anti-replay to enable the Anti-replay protection. This feature keeps track of
sequence numbers as packets arrive, ensuring security at the IP packet-level.
Keep-Alive. If you select this option, the Gateway will periodically check your Internet connection. If you are
disconnected, then the Gateway will automatically re-establish your connection.
Check this box to block unauthorized IP addresses. In the field, enter how many times IKE must fail
before that unauthorized IP address is blocked. Enter the length of time (in seconds) in the
field.
When finished making your changes on this tab, click the Save Settings button to save these changes, or click
the Cancel Changes button to undo your changes. For further help on this tab, click the Help button.
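The Anti-replay option above is described as keeping track of sequence numbers as packets arrive. As an added illustration (not code from the Gateway or from this guide), the sketch below shows the sliding-window check commonly used for IPsec sequence numbers; the 64-packet window, the verdict names and all identifiers are assumptions, since the guide does not say how the Gateway implements the feature.

```python
# Added illustration, not Gateway firmware: a sliding-window anti-replay check
# of the kind used for IPsec sequence numbers. Window size and names are assumed.

class ReplayWindow:
    def __init__(self, size=64):
        self.size = size    # how far behind the highest number we still track
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (highest - i) was seen

    def check(self, seq):
        """Classify one packet that has already passed its integrity check."""
        if seq == 0:
            return "too_old"            # sender counters start at 1; 0 is never valid
        if seq > self.highest:          # new high-water mark: slide the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1         # everything previously tracked fell out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"            # left of the window: cannot be verified
        if self.bitmap & (1 << offset):
            return "replay"             # this number was already accepted
        self.bitmap |= 1 << offset      # late but new: mark it as seen
        return "accept"


def classify(arrivals, size=64):
    """Run a list of arriving sequence numbers through one window."""
    window = ReplayWindow(size)
    return [(seq, window.check(seq)) for seq in arrivals]


# Constructed sample: reordering (3 after 4), duplicates (4, 2, 70), and a jump
# to 70 that pushes 5 and 6 out of a 64-packet window while 7 still fits.
SAMPLE_ARRIVALS = [1, 2, 4, 3, 4, 2, 70, 5, 6, 70, 7]

if __name__ == "__main__":
    for seq, verdict in classify(SAMPLE_ARRIVALS):
        print(f"seq={seq:3d} -> {verdict}")
```

Reordered packets inside the window are still accepted once, which is why the check uses a bitmap rather than only comparing against the highest number seen.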
The Access Restrictions Tab
Internet Access
The Access Restrictions tab, shown in Figure 5-22, allows you to block or allow specific kinds of Internet usage.
You can set up Internet access policies for specific computers and set up filters by using network port numbers.
Internet Access Policy. Multiple Filters can be saved as Internet Access Policies. When you wish to edit one,
select the number of the Policy from the drop-down menu. The tab will change to reflect the settings of this
Policy. If you wish to delete this Policy, click the Delete button. To see a summary of all Policies, click the
Summary button.
The summaries are listed on this screen, shown in Figure 5-23, with their name and settings. To return to the
Filters tab, click the Close button.
Enter Policy Name. Policies are created from the fields presented here.
To create an Internet Access policy:
1. Enter a Policy Name in the field provided. Select Internet Access as the Policy Type.
2. Click the Edit List button. This will open the List of computers screen, shown in Figure 5-24. From this
screen, you can enter the IP address or MAC address of any computer to which this policy will apply. You can
even enter ranges of computers by IP address. Click the Apply button to save your settings, the Cancel
button to undo any changes, and the Close button to return to the Filters tab.
3. If you wish to Deny or Allow Internet access for those computers you listed on the List of PCs screen, click the
option.
4. You can filter access to various services accessed over the Internet, such as FTP or Telnet, by selecting a
service from the drop-down menus next to Blocked Services. If a service isn’t listed, you can click the
Add/Edit Service button to open the Port Service screen, shown in Figure 5-25, and add a service to the list. You
will need to enter a Service name, as well as the Protocol and Port Range used by the service.
5. By selecting the appropriate setting next to Days and Time, choose when Internet access will be filtered.
6. Click the Save Settings button to activate the policy.
Figure 5-23: Internet Policy Summary
Figure 5-22: Access Restriction
Internet Access can also be filtered by URL Address, the address entered to access Internet sites, by entering the
address in one of the Website Blocking by URL Address fields. If you do not know the URL Address, filtering can
be done by Keyword by entering a keyword in one of the Website Blocking by Keyword fields.
When finished making your changes on this tab, click the Save Settings button to save these changes, or click
the Cancel Changes button to undo your changes.
Figure 5-24: List of PCs
Figure 5-25: Port Services
The Applications and Gaming Tab
Single Port Forwarding
The Single Port Forwarding screen provides options for customization of port services for common applications.
(See Figure 5-26.)
When users send this type of request to your network via the Internet, the Gateway will forward those requests to
the appropriate computer. Any computer whose port is being forwarded should have its DHCP client function
disabled and should have a new static IP address assigned to it because its IP address may change when using
the DHCP function.
Choose or enter the Application in the field. Then, enter the External and Internal Port numbers in the fields.
Select the type of protocol you wish to use for each application: TCP or UDP. Enter the IP Address in the field.
Click Enabled to enable UPnP Forwarding for the chosen application.
When finished making your changes on this tab, click the Save Settings button to save these changes, or click
the Cancel Changes button to undo your changes.
Figure 5-26: Single Port Forwarding
