VPN
83
Example 2: Windows 2000/XP Client to LAN
In this example, a Windows 2000/XP client connects to the TW100-BRV304 and gains access to the local LAN.
Figure 55: Windows 2000/XP Client to TW100-BRV304
TW100-BRV304 Configuration

Setting                        Value                                      Comment
Name                           Win Client                                 Name does not affect operation. Select a meaningful name.
Remote Endpoint                172.16.9.10                                Other endpoint's WAN (Internet) IP address.
Local IP addresses             Subnet address: 192.168.0.0 255.255.255.0  Allows access to the entire LAN. Use a more restrictive definition if possible.
Remote IP addresses            172.16.9.10                                For a single client, this address is the same as the endpoint address.
Key Exchange                   IKE                                        Must match client PC.
IKE Direction                  Both ways                                  Using "Responder only" is not possible.
Local Identity                 IP address                                 Required.
Remote Identity                IP address                                 Required.
IKE Authentication method      Pre-shared Key                             Certificates are not widely used.
Pre-shared Key                 Xxxxxxxxxx                                 Must match client PC.
IKE Authentication algorithm   SHA-1                                      Must match client PC.
IKE Encryption                 3DES                                       Must match client PC.
IKE Exchange mode              Main Mode                                  Windows 2000 only supports Main Mode.
DH Group                       Group 1 (768 bit)                          Must match client PC.
IKE SA Life time               28800                                      Does not have to match client PC. The shorter period will be used.
IKE PFS                        Disable                                    Must match client PC.
IPSec SA Life time             28800                                      Does not have to match client PC. The shorter period will be used.
IPSec PFS                      Disable                                    Must match client PC.
AH authentication              Disabled                                   AH is rarely used.
ESP authentication             Enable/MD5                                 Must match client PC.
ESP encryption                 Enable/DES                                 Must match client PC.
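As an added example (not part of the user guide), the following Python models the two peers' settings from this table and reports which "must match" fields differ and which SA lifetime will actually govern; the router dict carries the table's values, while the client dicts are constructed assumptions.

```python
# Added example (not from the user guide): checks whether the two IPsec peers'
# IKE/IPsec settings from the table above will negotiate. Fields the table marks
# "Must match client PC" have to be identical; SA lifetimes need not match and
# the shorter one governs, because whichever peer's timer expires first re-keys.
# ROUTER holds the page's values; the client dicts in main() are constructed.

MUST_MATCH = (
    "key_exchange", "ike_auth_method", "pre_shared_key", "ike_auth_alg",
    "ike_encryption", "ike_exchange_mode", "dh_group", "ike_pfs",
    "ipsec_pfs", "esp_auth", "esp_encryption",
)
SHORTER_WINS = ("ike_sa_lifetime", "ipsec_sa_lifetime")  # assumed to be seconds

ROUTER = {
    "key_exchange": "IKE", "ike_auth_method": "psk",
    "pre_shared_key": "Xxxxxxxxxx",         # placeholder, as in the table
    "ike_auth_alg": "SHA-1", "ike_encryption": "3DES",
    "ike_exchange_mode": "main", "dh_group": 1,
    "ike_sa_lifetime": 28800, "ike_pfs": False,
    "ipsec_sa_lifetime": 28800, "ipsec_pfs": False,
    "ah_auth": None, "esp_auth": "MD5", "esp_encryption": "DES",
}


def check_proposals(local, remote):
    """Return (mismatches, effective_lifetimes).

    mismatches: (field, local_value, remote_value) for every must-match
    field that differs; an empty list means phase 1 and phase 2 agree.
    effective_lifetimes: lifetime field -> the smaller of the two peers' values.
    """
    mismatches = [(f, local.get(f), remote.get(f))
                  for f in MUST_MATCH if local.get(f) != remote.get(f)]
    effective = {f: min(local[f], remote[f]) for f in SHORTER_WINS}
    return mismatches, effective


def main():
    # Constructed client that mirrors the router but re-keys IKE every hour:
    # no mismatch, and the 3600 lifetime is the one that takes effect.
    client_ok = dict(ROUTER, ike_sa_lifetime=3600)
    print(check_proposals(ROUTER, client_ok))
    # Constructed client with phase-2 PFS enabled: the table says this must match.
    client_bad = dict(ROUTER, ipsec_pfs=True)
    print(check_proposals(ROUTER, client_bad))


if __name__ == "__main__":
    main()
```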
Windows Client Configuration
1. Select Start - Programs - Administrative Tools - Local Security Policy.
2. Right click IP Security Policy on Local Machine and select Create IP Security Policy.
Figure 56: Windows 2000/XP - Local Security Settings
3. Click "Next", then enter a policy name, for example "DUT To Win2K", then click "Next".
4. Step through the Wizard:
   • Deselect Activate the default response rule. Click "Next".
   • Leave Edit Properties checked. Click "Finish".
5. The following "Properties - Rules" screen will be displayed.
Figure 57: Windows 2000/XP - Policy Properties
   • Note that no rules are in use. Two rules are required: incoming and outgoing.
   • The outgoing rule will be added first.
6. Deselect the "Use Add Wizard" checkbox, then click "Add" to view the screen below.
Figure 58: IP Filter List
7. Type "To DUT" for the name, then click "Add" to see a screen like the following.
Figure 59: Filter Properties: Addressing
8. Enter the Source IP address and the Destination IP address.
   • Since this is the outgoing filter, the Source IP address is "My IP address" and the Destination IP address is the address range used on the remote LAN.
   • Ensure the Mirrored option is checked.
9. Click "OK" to save your settings and close this dialog.
Figure 60: New Rule Properties: IP Filter List
10. On the resulting screen (above), ensure the "To DUT" filter is selected, then click the Filter Action tab to see a screen like the following.
Figure 61: New Rule Properties: Filter Action
11. Select Require Security, then click the "Edit" button to view the Require Security Properties screen.
Figure 62: Require Security Properties
12. Select Negotiate security (this selects IKE), then click "Add".