Chapter 5
Configuring the Wireless-G Router
Wireless-G VPN Router with RangeBooster
VPN > VPN Client Access
User Name
Enter a name for the VPN client.
Password
Enter a password for the VPN client.
Re-enter to confirm
Enter the password again to confirm it.
Allow user to change password?
If you want to let the user change his or her password from the user’s QuickVPN client, select Yes.
When you have finished entering the user name and password of the VPN client, click Add/Save to add the VPN client to your list. A warning message will appear the first time you add a VPN client. After all VPN clients are added to the VPN Client List Table, click Save Settings.
VPN Client Access Warning
VPN Client List Table
No.
This is the number assigned to this VPN client. The Router supports up to 10 QuickVPN clients.
Active
If you want to activate this VPN client, click the Active checkbox.
Username
The Username assigned to this VPN client will be displayed here.
Password
The Password assigned to this VPN client will be displayed here.
Edit/Remove
If you want to change the settings for a VPN client, click Edit and then make your changes. If you want to delete a VPN client from your list, click Remove.
Certificate Management
This section allows you to manage the certificate used for securing the communication between the router and QuickVPN clients.
Generate
Click this button to generate a new certificate to replace the existing certificate on the router.
Export for Admin
Click this button to export the certificate for administrator. A dialog will ask you to specify where you want to store your certificate. The default file name is “WRV200_Admin.pem” but you can use another name. The certificate for administrator contains the private key and needs to be stored in a safe place as a backup. If the router’s configuration is reset to the factory default, this certificate can be imported and restored on the router.
Export for Client
Click this button to export the certificate for client. A dialog will ask where you want to store your certificate. The default file name is “WRV200_Client.pem” but you can use another name. For QuickVPN users to securely connect to the router, this certificate needs to be placed in the install directory of the QuickVPN client.
Import
Click this button to import a certificate previously saved to a file using Export for Admin or Export for Client. Enter the file name in the field or click Browse to locate the file on your computer, then click Import.
When you have finished making changes to the screen, click Save Settings to save the changes, or click Cancel Changes to undo your changes. For help information, click More.
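A check to run before handing out an exported file, added here as an example and not part of the manual: it reads the PEM block labels in a file and flags a client file that carries a private key, or an admin backup that lacks one. It assumes the exports are standard PEM text and that the client file should hold only the certificate; the sample data is constructed.

```python
import re

# PEM armor: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Return the label of every well-formed PEM block in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def has_private_key(text):
    """True for PRIVATE KEY, RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, etc."""
    return any(label.endswith("PRIVATE KEY") for label in pem_labels(text))

def check_export(role, text):
    """role is 'admin' or 'client'. Returns a list of findings (empty = OK)."""
    findings = []
    if "CERTIFICATE" not in pem_labels(text):
        findings.append("no CERTIFICATE block found")
    if role == "client" and has_private_key(text):
        # Assumption of this example: clients need only the certificate.
        findings.append("client file contains a private key; do not distribute")
    if role == "admin" and not has_private_key(text):
        findings.append("no private key block; not the Admin export described")
    return findings

# Constructed sample files; the base64 body is a placeholder, not key material.
CLIENT_SAMPLE = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""
ADMIN_SAMPLE = CLIENT_SAMPLE + """-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(check_export("client", CLIENT_SAMPLE))  # file meant for QuickVPN users
    print(check_export("client", ADMIN_SAMPLE))   # admin backup picked by mistake
```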
VPN > VPN Passthrough
The VPN > VPN Passthrough screen is used to allow VPN tunnels to pass through the Router’s firewall using IPSec, L2TP, or PPTP protocols.
VPN > VPN Passthrough
IPSec PassThrough
Internet Protocol Security (IPSec) is a suite of protocols used to implement secure exchange of packets at the IP layer. IPSec Passthrough is enabled by default to allow IPSec tunnels to pass through the Router. To disable IPSec Passthrough, select Disabled.
PPTP PassThrough
Point-to-Point Tunneling Protocol (PPTP) allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network. PPTP Passthrough is enabled by default. To disable it, select Disabled.
L2TP PassThrough
Layer 2 Tunneling Protocol is the method used to enable Point-to-Point sessions via the Internet on the Layer 2 level. L2TP Passthrough is enabled by default. To disable L2TP Passthrough, select Disabled.
When you have finished making changes to the screen, click Save Settings to save the changes, or click Cancel Changes to undo your changes. For help information, click More.
VPN > IPSec VPN
The VPN > IPSec VPN screen is used to create and configure a Virtual Private Network (VPN) tunnel.
VPN > IPSec VPN
Tunnel Entry
To create a new tunnel, select new. To configure an existing tunnel, select it from the drop-down menu.
VPN Tunnel
Check the Enabled option to enable this tunnel.
Tunnel Name
Enter a name for this tunnel, such as “Anaheim Office”.
NAT-Traversal
You can enable NAT-Traversal to support the remote IPSec peer operating behind a NAT device. To enable NAT traversal, check the Enabled option. If NAT traversal is enabled, the Remote Secure Group and Remote Secure Gateway must be set to Any.
Advanced Settings
To define allowable remote private networks, click Advanced Settings. A screen appears with the following settings.
Allowable Remote Private Networks
You can select Allow All to allow the peer to sit in any private network that is behind a NAT, or By Manual Setting to indicate designated private networks manually.
Manual Setting
Enter the IP Address and Mask of the private network behind NAT from which you want to accept the remote peer. Click the checkbox and then click Save Settings to save and enable your new configuration.
NAT Traversal Advanced Settings
Local Secure Group
The Local Secure Group is the computer(s) on your LAN that can access the tunnel.
Type
From the drop-down menu, select Subnet, to include the entire network for the tunnel; select IP Address if you want a specific computer; or select Host, which is used with Port Forwarding to direct the traffic to the correct computer. The screen will change depending on the selected option. The options are described below.
Subnet
Enter the IP Address and Mask of the local VPN Router in the fields provided. To allow access to the entire IP subnet, enter 0 for the last set of IP Addresses (e.g., 192.168.1.0).
IP Addr.
Enter the IP Address of the local VPN Router. The Mask will be displayed.
Host
The VPN tunnel will terminate at the router with this setting. Use Port Range Forwarding to direct traffic to the correct computer. Refer to the Firewall > Port Range Forwarding screen.
Remote Secure Group
The Remote Secure Group is the computer(s) on the remote end of the tunnel that can access the tunnel.
Type
From the drop-down menu, select Subnet, to include the entire network for the tunnel; select IP address if you want a specific computer; select Host, if the VPN will terminate at the Router, instead of the PC; or Any, to allow any computer to access the tunnel. The screen will change depending on the selected option. The options are described below.
Subnet
Enter the IP Address and Mask of the remote VPN router in the fields provided. To allow access to the entire IP subnet, enter 0 for the last set of IP Addresses (e.g., 192.168.1.0).
IP Addr.
Enter the IP Address of the remote VPN router. The Mask will be displayed.
Host
The VPN tunnel will terminate at the router with this setting. Use Port Range Forwarding to direct traffic to the correct computer. Refer to the Firewall > Port Range Forwarding screen.
Any
Allows any computer to access the tunnel.
Remote Secure Gateway
The Remote Secure Gateway is the VPN device, such as a second VPN router, on the remote end of the VPN tunnel. Enter the IP Address of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN router, a VPN server, or a computer with VPN client software that supports IPSec. The IP address may either be static (permanent) or dynamic, depending on the settings of the remote VPN device.
If the IP Address is static, select IP Addr. and enter the IP address. Make sure that you have entered the IP address correctly, or the connection cannot be made. Remember, this is NOT the IP address of the local VPN Router; it is the IP address of the remote VPN router or device with which you wish to communicate. If the IP address is dynamic, select FQDN for DDNS or Any. If FQDN is selected, enter the domain name of the remote router, so the Router can locate a current IP address using DDNS. If Any is selected, then the Router will accept requests from any IP address.
Key Management
Key Exchange Method
IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the Pre-shared Key to authenticate the remote IKE peer. Select Auto (IKE) for the Key Exchange Method. Both ends of a VPN tunnel must use the same mode of key management. The settings available on this screen may change, depending on the selection you have made.
Operation Mode
Use this option to set the operation mode to Main (default) or Aggressive. Main Mode operation is supported in ISAKMP SA establishment.
ISAKMP Encryption Method
There are four different types of encryption: 3DES, AES-128, AES-192, or AES-256. You may choose any of these, but it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel.
ISAKMP Authentication Method
There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication.
ISAKMP DH Group
This is for Diffie-Hellman key negotiation. There are 7 groups available for ISAKMP SA establishment. Group 1024, 1536, 2048, 3072, 4096, 6144, and 8192 represent different bits used in Diffie-Hellman mode operation. The default value is 1024.
ISAKMP Key Lifetime(s)
This field specifies how long an ISAKMP key channel should be kept, before being renegotiated. The default is 28800 seconds.
PFS
PFS (Perfect Forward Secrecy) ensures that the initial key exchange and IKE proposals are secure. To use PFS, click the Enabled radio button.
IPSec Encryption Method
Using encryption also helps make your connection more secure. There are four different types of encryption: 3DES, AES-128, AES-192, or AES-256. You may choose any of these, but it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel.
IPSec Authentication Method
Authentication acts as another level of security. There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication. Or, both ends of the tunnel may choose to disable authentication.
IPSec DH Group
This is the same as the ISAKMP DH Group setting.
IPSec Key Lifetime(s)
In this field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you’d like the key to be used until a re-key negotiation between each endpoint is completed. The default is 3600 seconds.
Pre-shared Key
Enter a series of numbers or letters in the Pre-shared Key field. Based on this word, which MUST be entered at both ends of the tunnel, a key is generated to scramble (encrypt) the data being transmitted over the tunnel, where it is unscrambled (decrypted). You may use any combination of up to 24 numbers or letters in this field. No special characters or spaces are allowed.
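A review aid for the Key Management choices above, added here as an example and not taken from the manual or the router firmware: it flags the weaker options the screen offers and lists the settings that differ between the two ends of a tunnel. The dictionary layout, the key names, the 2048-bit DH floor and the 112-bit pre-shared key threshold are assumptions of this example, and both sample sites are constructed.

```python
import math
import string

# Keys mirror fields on the VPN > IPSec VPN screen. The dict layout is
# hypothetical: the manual describes no export format for tunnel settings.
MUST_MATCH = ("key_exchange", "isakmp_enc", "isakmp_auth",
              "ipsec_enc", "ipsec_auth", "psk")  # manual: both ends must agree
PSK_ALPHABET = set(string.ascii_letters + string.digits)
MIN_PSK_BITS = 112  # this example's threshold, not a value from the manual

def psk_bits(psk):
    """Upper bound on PSK entropy; reached only if chosen uniformly at random."""
    return len(psk) * math.log2(len(PSK_ALPHABET))

def audit_tunnel(cfg):
    """Return a list of findings for one end of a tunnel (empty list = clean)."""
    out = []
    if cfg["operation_mode"] == "Aggressive":
        out.append("operation mode is Aggressive; Main is the default")
    for phase in ("isakmp", "ipsec"):
        if cfg[phase + "_enc"] == "3DES":
            out.append(phase + ": 3DES selected although AES is offered")
        if cfg[phase + "_auth"] == "MD5":
            out.append(phase + ": MD5 selected; the manual recommends SHA")
        if cfg[phase + "_auth"] == "Disabled":  # offered for IPSec only
            out.append(phase + ": authentication disabled")
        if cfg[phase + "_dh"] < 2048:
            out.append(phase + ": DH group below 2048 bits")
    if not cfg["pfs"]:
        out.append("PFS is disabled")
    psk = cfg["psk"]
    if not (0 < len(psk) <= 24 and set(psk) <= PSK_ALPHABET):
        out.append("PSK breaks the field rule (1-24 letters or digits)")
    elif psk_bits(psk) < MIN_PSK_BITS:
        out.append("PSK holds at most %.0f bits" % psk_bits(psk))
    return out

def mismatches(local, remote):
    """Settings the manual requires to be identical on both ends but are not."""
    return [k for k in MUST_MATCH if local[k] != remote[k]]

# Constructed sample settings, not taken from any real device.
SITE_A = dict(key_exchange="Auto (IKE)", operation_mode="Main",
              isakmp_enc="3DES", isakmp_auth="MD5", isakmp_dh=1024, pfs=False,
              ipsec_enc="3DES", ipsec_auth="MD5", ipsec_dh=1024,
              psk="office2024")
SITE_B = dict(SITE_A, isakmp_enc="AES-256", isakmp_auth="SHA", isakmp_dh=2048,
              pfs=True, ipsec_enc="AES-256", ipsec_auth="SHA", ipsec_dh=2048,
              psk="k7Rw2pQ9xLm4Zt8Vb3Nc6Hd1")

if __name__ == "__main__":
    for name, cfg in (("A", SITE_A), ("B", SITE_B)):
        print(name, audit_tunnel(cfg))
    print("mismatched:", mismatches(SITE_A, SITE_B))
```

Because the field accepts only letters and digits, a 24-character key tops out at about 143 bits, and only when it is generated at random.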
Tunnel Options
Dead Peer Detection
You can select Dead Peer Detection (DPD) to detect the status of a remote Peer. DPD will issue DPD packets (ISAKMP format) to query a remote peer, and wait for a reply to recognize that it is still alive. There are 3 auxiliary options: Detection Delay(s), Detection Timeout(s), and DPD Action for DPD.
Detection Delay(s)
You can indicate the interval between DPD query packets. The default value is 30 seconds.
Detection Timeout(s)
You can indicate the length of timeout when DPD cannot hear any DPD reply. The default value is 120 seconds.
DPD Action
When DPD Timeout expires, the DPD will take DPD Action to deal with the connection. You can select Wait for Response to still wait for remote peer response, select Suspend Connection to stop passively recovering the connection, or select Recover Connection.
If IKE failed more than _ times, block this unauthorized IP for _ seconds
This feature is enabled by default. It enables the Router to block unauthorized IP addresses. Specify the number of times IKE must fail before the Router blocks that unauthorized IP address.
Anti-replay
This protects the Router from replay attacks, when people try to capture your authentication packets in an attempt to gain access. The feature is enabled by default.
When you have finished making changes to the screen, click Save Settings to save the changes, or click Cancel Changes to undo your changes. For help information, click More.
VPN > VPN Summary
VPN > VPN Summary
This page summarizes the comprehensive details of IPSec VPN Tunnels that include Tunnel Name, Remote Gateway, Remote Group, Local Group, Key Methods, Tunnel Status, and Start/Stop/Detail Connection. Each field displays information according to a pre-configured value of IPSec tunnel separately, and each IPSec tunnel can be easily commanded to start/stop connection here. VPN Summary can help an administrator to manage and examine the status of all IPSec tunnels.
Tunnel Name
The field displays the name of the tunnel.
Remote Gateway
The field displays the remote gateway. If the pre-configured type is IP Addr., the field displays the IP address of remote gateway. If the pre-configured type of remote gateway is Any, the field displays ANY. If the pre-configured type is FQDN, the field displays the FQDN string directly.
Remote Group
The field displays the remote peer that is designated for VPN communication after an IPSec VPN tunnel is established. If the pre-configured type of the remote group is IP Addr., the field displays the IP address of the remote peer. If the pre-configured type of the remote group is Subnet, the field displays the subnet type “IP Address/Mask”. If the pre-configured type of remote group is Host or Any, the field displays the “Host” or “Any” directly.
Local Group
The field displays the local peer that is designated for VPN communication after an IPSec VPN tunnel is established. If the pre-configured type of local group is IP Addr., the field displays the IP address of the local peer. If the pre-configured type of local group is Subnet, the field displays the subnet type “IP Address/Mask”. If the pre-configured type of local group is Host, the field displays the “Host” directly.
Key Methods
The field displays the IPSec authentication and encryption key methods of the Key exchange Method that is followed with the setting value of the Perfect Forward Secrecy.
Tunnel Status
The field displays the status of IPSec Tunnel as follows.
C
The Tunnel is Connected.
T
Try to Connect to Remote Peer.
Stop
The Tunnel is Stopped.
D
The Tunnel is Disabled.
Any
The Tunnel always waits for the connection from the remote initiator.
NAT-T
The Tunnel enables the NAT-Traversal to allow the remote initiator that is behind the NAT to construct this IPSec Tunnel.
Start/Stop/Restart Connection
You can manually start/stop IPSec connection according to pre-configured tunnel settings. If the pre-configured type of remote gateway or remote group is either Any or NAT-Traversal, the Detail button can also examine Remote Security Gateway information.
Detail
Each Tunnel has a Detail button. This button will become available when a Tunnel Status reveals a “C”, “T”, “Any”, or “NAT-T”. When you press the Detail button, a “VPN Advanced Tunnel Information” screen appears. This feature provides more detailed information for advanced configuration and management. VPN Advanced Tunnel Information will show Advanced Tunnel Information and Remote Security Gateway.
VPN Log Button
Use to check the overall related VPN behaviors and contact messages of a VPN Tunnel and VPN Client. Click this button to view the VPN operation situation. If you want to clear this log information, click Clear Log Now.
Click the Refresh button to update the on-screen information.
QoS
Quality of Service (QoS) ensures better service to high-priority service. The QoS tab allows you to configure the Router’s QoS settings.
QoS > Application-Based QoS
Application-based QoS involves Internet traffic, which may involve demanding, real-time applications, such as videoconferencing. To enable Application-based QoS, you can select either Priority Queue or Bandwidth Allocation. The remaining fields in the screen depend on the selection.
Priority Queue
QoS > Application Based QoS - Priority Queue
Application-based QoS manages information as it is transmitted from LAN to WAN. Depending on the settings of the Priority Queue, this feature will assign information a high or low priority for the five preset applications and up to thirteen additional applications that you specify.
High Priority and Low Priority
For each application, select High Priority or Low Priority. The packets will be put into High or Low Priority Queue for the egress port of WAN according to your settings.
Specific Port #
You can add up to thirteen additional applications by entering their respective application port numbers in the Specific Port # field.
Bandwidth Allocation
QoS > Application Based QoS - Bandwidth Allocation
For each of the three Application Level Gateways (ALGs), you can choose a Bandwidth Allocation Policy from Guaranteed and Spare with a specified percentage value to control the bandwidth utilization from LAN to WAN. It depends on the specified policy to let the bandwidth be reserved or shared with the applications. Guaranteed will reserve specific bandwidth for the applications and Spare will use the remaining bandwidth for other applications.
User Define Button
You can define the policies regarding source or destination IP, protocol and port number. You also can mark the DSCP field with specific value to egress packets. The bandwidth utilization could be controlled from LAN to WAN.
When you have finished making changes to the screen, click Save Settings to save the changes, or click Cancel Changes to undo your changes. For help information, click More.
QoS > Port-Based QoS
Port-based QoS ensures better service to a specific LAN port.
QoS > Port-Based QoS
Priority
Select the QoS priority for each LAN port. High/Low setting will queue all egress packets from this port
