How it Works
Allnet
Loading...
ALL1294VPN
User Manual
140 pgs2.65 Mb0
Table of contents
Loading...

Allnet ALL1294VPN User Manual

Download
Broadband VPN
Router
ALL1294VPN
Broadband Internet Access
4-Port Switching Hub
Table of Contents
CHAPTER 1 INTRODUCTION .............................................................................................1
Broadband VPN Router Features....................................................................................1
Package Contents ..............................................................................................................3
Physical Details..................................................................................................................4
CHAPTER 2 INSTALLATION...............................................................................................6
Requirements.....................................................................................................................6
Procedure...........................................................................................................................6
CHAPTER 3 SETUP ................................................................................................................8
Overview ............................................................................................................................8
Configuration Program ....................................................................................................9
Setup Wizard...................................................................................................................11
WAN Port Configuration Screen...................................................................................14
LAN Screen......................................................................................................................17
CHAPTER 4 PC CONFIGURATION..................................................................................19
Overview ..........................................................................................................................19
Windows Clients..............................................................................................................19
Macintosh Clients............................................................................................................31
Linux Clients....................................................................................................................31
Other Unix Systems.........................................................................................................31
CHAPTER 5 OPERATION AND STATUS.........................................................................32
Operation......................................................................................................................... 32
Status Screen....................................................................................................................32
Connection Status - PPPoE ............................................................................................34
Connection Status - PPTP ..............................................................................................36
Connection Status - Telstra Big Pond............................................................................37
Connection Details - SingTel RAS.................................................................................38
Connection Details - Fixed/Dynamic IP Address .........................................................40
CHAPTER 6 ADVANCED FEATURES..............................................................................42
Overview ..........................................................................................................................42
Advanced Internet Screen ..............................................................................................43
Dynamic DNS (Domain Name Server)..........................................................................48
Virtual Servers.................................................................................................................50
Access Control.................................................................................................................53
Firewall Rules..................................................................................................................57
Scheduling........................................................................................................................61
Services.............................................................................................................................62
CHAPTER 7 VPN...................................................................................................................64
Overview ..........................................................................................................................64
Common VPN Situations................................................................................................66
VPN Configuration .........................................................................................................68
Examples..........................................................................................................................77
Using Certificates ............................................................................................................95
VPN Status.......................................................................................................................99
CHAPTER 8 MICROSOFT VPN .......................................................................................100
Overview ........................................................................................................................100
Server Setup................................................................................................................... 100
i
Client Database..............................................................................................................101
Status Screen..................................................................................................................103
Windows Client Setup...................................................................................................104
CHAPTER 9 ADMINISTRATIONS...................................................................................112
Overview ........................................................................................................................112
Config File......................................................................................................................113
Logs.................................................................................................................................114
Admin Login..................................................................................................................116
Network Diagnostics .....................................................................................................117
Options...........................................................................................................................118
PC Database...................................................................................................................119
Remote Administration.................................................................................................123
Routing...........................................................................................................................124
Security Options............................................................................................................129
Firmware Upgrade........................................................................................................131
UPnP...............................................................................................................................132
APPENDIX A TROUBLESHOOTING..............................................................................133
Overview ........................................................................................................................133
General Problems..........................................................................................................133
Internet Access...............................................................................................................133
APPENDIX B SPECIFICATIONS......................................................................................135
Broadband VPN Router ...............................................................................................135
FCC Statement ..............................................................................................................135
CE Marking Warning...................................................................................................136
P/N: 9560J20130 Copyright © 2006. All Rights Reserved. Document Version: 1.0
All trademarks and trade names are the properties of their respective owners.
ii
Chapter 1
Introduction
This Chapter provides an overview of the Broadband VPN Router's features and capabilities.
Congratulations on the purchase of your new Broadband VPN Router. The Broadband VPN Router is a multi-function device providing the following services:
Shared Broadband Internet Access for all LAN users.
4-Port Switching Hub for 10BaseT or 100BaseT connections.
Figure 1: Broadband VPN Router
1

Broadband VPN Router Features

The Broadband VPN Router incorporates many advanced features, carefully designed to provide sophisticated functions while being easy to use.
Internet Access Features
Shared Internet Access. All users on the LAN or WLAN can access the Internet
through the Broadband VPN Router, using only a single external IP Address. The local (invalid) IP Addresses are hidden from external sources. This process is called NAT (Network Address Translation).
DSL & Cable Modem Support. The Broadband VPN Router has a 100BaseT Ethernet
port for connecting a DSL or Cable Modem. All popular DSL and Cable Modems are supported. SingTel RAS and Big Pond (Australia) login support is also included.
PPPoE, PPTP, SingTel RAS and Telstra Big Pond Support. The Internet (WAN
port) connection supports PPPoE (PPP over Ethernet), PPTP (Peer-to-Peer Tunneling Protocol), SingTel RAS and Telstra Big Pond (Australia), as well as "Direct Connection" type services.
Fixed or Dynamic IP Address. On the Internet (WAN port) connection, the
Broadband VPN Router supports both Dynamic IP Address (IP Address is allocated on connection) and Fixed IP Address.
1
Broadband VPN Gateway User Guide
Advanced Internet Functions
Communication Applications. Support for Internet communication applications, such
as interactive Games, Telephony, and Conferencing applications, which are often difficult to use when behind a Firewall, is included.
Special Internet Applications. Applications which use non-standard connections or
port numbers are normally blocked by the Firewall. The ability to define and allow such applications is provided, to enable such applications to be used normally.
Virtual Servers. This feature allows Internet users to access Internet servers on your
LAN. The required setup is quick and easy.
Multi-DMZ. For each WAN (Internet) IP address allocated to you, one (1) PC on your
local LAN can be configured to allow unrestricted 2-way communication with Servers or individual users on the Internet. This provides the ability to ru n programs which are incompatible with Firewalls.
URL Filter. Use the URL Filter to block access to undesirable Web sites by LAN users.
Internet Access Log. See which Internet connections have been made.
VPN Pass through Support. PCs with VPN (Virtual Private Networking) software
using PPTP, L2TP and IPSec are transparently supported - no configuration is required.
LAN Features
4-Port Switching Hub. The Broadband VPN Router incorporates a 4-port 10/100BaseT
switching hub, making it easy to create or extend your LAN.
DHCP Server Support. Dynamic Host Configuration Protocol provides a dynamic IP
address to PCs and other devices upon request. The Broadband VPN Router can act as a DHCP Server for devices on your local LAN and WLAN.
Multi Segment LAN Support. LANs containing one or more segments are supported,
via the Broadband VPN Router 's RIP (Routing Information Protocol) support and built-in static routing table.
DMZ Port. Used when allowing Servers on your LAN to be accessed from the Internet,
the DMZ port provides additional protection for both your Servers and your LAN.
Configuration & Management
Easy Setup. Use your WEB browser from anywhere on the LAN or WLAN for
configuration.
Remote Management. The Broadband VPN Router can be managed from any PC on
your LAN. And, if the Internet connection exists, it can also (optionally) be configured via the Internet.
UPnP Support. UPnP (Universal Plug and Play) allows automatic discovery and
configuration of the Broadband VPN Router. UPnP is by supported by Windows ME, XP, or later.
Configuration File Backup & Restore. You can backup (download) the Broadband
VPN Router's configuration file to your PC, and restore (upload) a previously-saved configuration file to the Broadband VPN Router.
Security Features
Password - protected Configuration. Optional password protection is provided to
prevent unauthorized users from modifying the configuration data and settings.
2
NAT Protection. An intrinsic side effect of NAT (Network Address Translation)
technology is that by allowing all LAN users to share a single IP address, the location and even the existence of each PC is hidden. From the external viewpoint, there is no network, only a single device - the Broadband VPN Router.
Stateful Inspection Firewall. All incoming data packets are monitored and all
incoming server requests are filtered, thus protecting your network from malicious attacks from external sources.
Protection against DoS attacks. DoS (Denial of Service) attacks can flood your
Internet connection with invalid packets and connection requests, using so much bandwidth and so many resources that Internet access becomes unavailable. The Broadband VPN Router incorporates protection against DoS attacks.
Rule-based Policy Firewall. To provide additional protection against malicious
packets, you can define your own firewall rules. This can also be used to control the Internet services available to LAN users.
VPN Gateway Features
IPSec.. Support for IPSec standards, including IKE and certificates.
70 Tunnels. Up to 70 VPN tunnels can be created.
High performance. High performance encryption engine maintains high throughput
even when using 3DES.
Introduction
Microsoft VPN Gateway Support
PPTP Server. The Broadband VPN Router emulates a Microsoft PPTP VPN Server,
allowing clients to use the Microsoft VPN client provided in Windows.
Windows Client Support. Remote users can use the Microsoft VPN client (VPN
Adapter) provided in recent versions of Windows.
Easy Setup. For both the Administrator and remote users, the Microsoft VPN is much
easier to configure than IPSec VPN.

Package Contents

The following items should be included:
The Broadband VPN Router Unit
Power Adapter
Quick Installation Guide
CD-ROM containing the on-line manual.
If any of the above items are damaged or missing, please contact your dealer immediately.
3
Broadband VPN Gateway User Guide

Physical Details

Front-mounted LEDs
Figure 2: Front Panel
Power On - Power on.
Off - No power.
Status (Red) On - Error condition.
Off - Normal operation. Blinking - This LED blinks during start up.
LAN
WAN On - Connection to the modem attached to the WAN (Internet) port is
PPPoE On - PPPoE connection established.
DMZ
For each port, there are 2 LEDs
Link/Act
On - Corresponding LAN (hub) port is active.
Off - No active connection on the corresponding LAN (hub) port.
Flashing - Data is being transmitted or received via the
corresponding LAN (hub) port.
100
On - Corresponding LAN (hub) port is using 100BaseT.
Off - Corresponding LAN (hub) port connection is using
10BaseT, or no active connection.
established.
Flashing - Data is being transmitted or received via the WAN port.
Off - No PPPoE connection.
Link/Act
Blinking – receiving/ transmitting data
100
On -
Off -
Link at 100Mbps
Link at 10Mbps
4
Rear Panel
Introduction
Figure 3: Rear Panel
DMZ
Reset Button
WAN port (10/100BaseT)
10/100BaseT LAN connections
Use a standard LAN cable to connect to a normal port on another hub.
This button has two (2) functions:
Reboot. When pressed and released, the Broadband VPN
Router will reboot (restart).
Clear All Data. This button can also be used to clear ALL data
and restore ALL settings to the factory default values.
To Clear All Data and restore the factory default values:
1. Power Off.
2. Hold the Reset Button down while you Power On.
3. Keep holding the Reset Button for a few seconds, until the RED LED has flashed TWICE.
4. Release the Reset Button. The Broadband VPN Router is now using the factory default values.
Connect the DSL or Cable Modem here. If your modem came with a cable, use the supplied cable. Otherwise, use a standard LAN cable.
Use standard LAN cables (RJ45 connectors) to connect your PCs to these ports.
Note:
Any LAN port on the Broadband VPN Router will automatically function as an "Uplink" port when required. Just connect any port to a normal port on the other hub, using a standard LAN cable.
Power port
Connect the supplied power adapter here.
5
Chapter 2
Installation
This Chapter covers the physical installation of the Broadband VPN Router.

Requirements

Network cables. Use standard 10/100BaseT network (UTP) cables with RJ45 connectors.
TCP/IP protocol must be installed on all PCs.
For Internet Access, an Internet Access account with an ISP, and either of a DSL or Cable
modem (for WAN port usage)

Procedure

Figure 4: Installation Diagram
1. Choose an Installation Site
Select a suitable place on the network to install the Broadband VPN Router. Ensure the Broadband VPN Router and the DSL/Cable modem are powered OFF.
2. Connect LAN Cables
Use standard LAN cables to connect PCs to the Switching Hub ports on the Broadband VPN Router. Both 10BaseT and 100BaseT connections can be used simultaneously.
If required, you can connect any LAN port to another Hub. Any LAN port on the Broadband VPN Router will automatically function as an "Uplink" port when required. Just connect any LAN port to a normal port on the other hub, using a standard LAN cable.
If desired, connect the DMZ port to a standard port on another Hub. PCs connected this hub will also gain Internet access, but will NOT be able to access the rest of the LAN.
6
Installation
3. Connect WAN Cable
Connect the DSL or Cable modem to the WAN port on the Broadband VPN Router. Use the cable supplied with your DSL/Cable modem. If no cable was supplied, use a standard cable.
4. Power Up
Power on the Cable or DSL modem.
Connect the supplied power adapter to the Broadband VPN Router and power up.
Use only the power adapter provided. Using a different one may cause hardware damage
5. Check the LEDs
The Power LED should be ON.
The Status LED should flash, then turn Off. If it stays on, there is a hardware error.
For each LAN (PC) connection, the LAN Link/Act LED should be ON (provided the PC is
also ON.)
The WAN LED should be ON.
For more information, refer to Front-mounted LEDs in Chapter 1.
Using the DMZ Port
Please note the following points regarding the DMZ port.
The DMZ port is a normal port, not an "uplink" port.
PCs connected to the DMZ port are on the same LAN segment as PCs connected to the
Hub ports. They must use the same IP address range.
PCs connected to the DMZ port are NOT visible to PCs on the hub (LAN) ports. So you cannot use Microsoft networking or other networking protocols to connect to PCs on the DMZ.
PCs connected to the DMZ port still share the WAN port IP address for Internet access.
Advantages of the DMZ Port
If running any Servers on your LAN, you should connect them to the DMZ port, for the following reasons:
Traffic passing between the DMZ and LAN passes through the firewall. The firewall will protect your LAN if your Server is compromised and used to launch an attack on your LAN.
When using the Virtual Servers feature, (see Virtual Servers in Chapter 6) a firewall rule to allow incoming traffic from the Internet (WAN) to the DMZ is automatically created. If the Server is connected to the LAN (hub) ports, you must add the firewall rule manually.
7
Chapter 3
Setup
This Chapter provides Setup details of the Broadband VPN Router.
3

Overview

This chapter describes the setup procedure for:
Internet Access
LAN configuration
PCs on your local LAN may also require configuration. For details, see Chapter 4 - PC Configuration.
Other configuration may also be required, depending on which features and functions of the Broadband VPN Router you wish to use. Use the table below to locate detailed instructions for the required functions.
To Do this: Refer to:
Configure PCs on your LAN. Chapter 4:
PC Configuration
Check Broadband VPN Router operation and Status. Chapter 5:
Operation and Status
Use any of the following Internet features:
Advanced Internet
Dynamic DNS
Virtual Servers
Access Control
Firewall Rules
Scheduling
Services
Use the IPSec VPN features:
VPN Policies
Certificates
CRLs
VPN Status
Use the Microsoft VPN feature:
PPTP Server in the Broadband VPN Router.
User and Client setup.
Checking VPN connection Status.
Chapter 6: Advanced Features
Chapter 7: VPN
Chapter 8: Microsoft VPN
8
Setup
Configure or use any of the following:
Configuration File backup and restore.
Logs
Admin Login
Network Diagnostic
Options
PC Database
Remote Administration
Routing
Security Options
Upgrade Firmware
UPnP
Where use of a certain feature requires that PCs or other LAN devices be configured, this is also explained in the relevant chapter.

Configuration Program

Chapter 9: Administrations
The Broadband VPN Router contains an HTTP server. This enables you to connect to it, and configure it, using your Web Browser. Your Browser must support JavaScript. The configuration program has been tested on the following browsers:
Netscape V4.08 or later
Internet Explorer V4 or later
Preparation
Before attempting to configure the Broadband VPN Router, please ensure that:
Your PC can establish a physical connection to the Broadband VPN Router. The PC and the Broadband VPN Router must be directly connected (using the Hub ports on the Broadband VPN Router) or on the same LAN segment.
The Broadband VPN Router must be installed and powered ON.
If the Broadband VPN Router 's default IP Address (192.168.0.1) is already used by
another device, the other device must be turned OFF until the Broadband VPN Router is allocated a new IP Address during configuration.
Using UPnP
If your Windows system supports UPnP, an icon for the Broadband VPN Router will appear in the system tray, notifying you that a new network device has been found, and offering to create a new desktop shortcut to the newly-discovered device.
Unless you intend to change the IP Address of the Broadband VPN Router, you can accept the desktop shortcut.
Whether you accept the desktop shortcut or not, you can always find UPnP devices in My Network Places (previously called Network Neighborhood).
9
Broadband VPN Gateway User Guide
Double - click the icon for the Broadband VPN Router (either on the Desktop, or in My Network Places) to start the configuration. Refer to the following section Setup Wizard for
details of the initial configuration pro cess.
Using your Web Browser
To establish a connection from your PC to the Broadband VPN Router:
1. After installing the Broadband VPN Router in your LAN, start your PC. If your PC is already running, restart it.
2. Start your WEB browser.
3. In the Address box, enter "HTTP://" and the IP Address of the Broadband VPN Router, as in this example, which uses the Broadband VPN Router 's default IP Address:
HTTP://192.168.0.1
If you can't connect
If the Broadband VPN Router does not respond, check the following:
The Broadband VPN Router is properly installed, LAN connection is OK, and it is powered ON. You can test the connection by using the "Ping" command:
Open the MS-DOS window or command prompt window.
Enter the command:
ping 192.168.0.1 If no response is received, either the connection is not working, or your PC's IP address is not compatible with the Broadband VPN Router 's IP Address. (See next item.)
If your PC is using a fixed IP Address, its IP Address must be within the range
192.168.0.2 to 192.168.0.254 to be compatible with the Broadband VPN Router 's default IP Address of 192.168.0.1. Also, the Network Mask must be set to 255.255.255.0. See Chapter 4 - PC Configuration for details on checking your PC's TCP/IP settings.
Ensure that your PC and the Broadband VPN Router are on the same network segment. (If you don't have a router, this must be the case.)
4. You will be prompted for a username and password, as shown below.
Figure 5: Password Dialog
Enter admin for the User Name, and leave the Password blank.
Both the name and password can (and should) be changed, using the Admin Login screen.
10
Setup

Setup Wizard

The first time you connect to the Broadband VPN Router, the Setup Wizard will ru n automatically. (The Setup Wizard will also run if the Broadband VPN Router's default setting are restored.)
1. Step through the Wizard until finished.
You need to know the type of Internet connection service used by your ISP. Check the data supplied by your ISP.
The common connection types are explained in the tables below.
2. On the final screen of the Wizard, run the test and check that an Internet connection can be established.
3. If the connection test fails:
Check your data, the Cable/DSL modem, and all connections.
Check that you have entered all data correctly.
If using a Cable modem, your ISP may have recorded the MAC (physical) address of
your PC. Run the Wizard, and on the Cable Modem screen, use the "Clone MAC address" button to copy the MAC address from your PC to the Broadband VPN Router.
Common Connection Types
Cable Modems
Type Details ISP Data required
Dynamic IP Address
Static (Fixed) IP Address
DSL Modems
Type Details ISP Data required
Dynamic IP Address
Your IP Address is allocated automatically, when you connect to you ISP.
Your ISP allocates a permanent IP Address to you.
Your IP Address is allocated automatically, when you connect to you ISP.
Usually, none. However, some ISP's may
require you to use a particular Hostname, Domain name , or MAC (physical) address.
IP Address allocated to you, mask and gateway (if provided), and DNS address.
Some ISP's may also require you to use a particular Hostname, Domain name , or MAC (physical) address.
None.
Static (Fixed) IP Address
Your ISP allocates a permanent IP Address to you.
IP Address allocated to you, mask and gateway (if provided), and DNS address.
11
Broadband VPN Gateway User Guide
PPPoE You connect to the ISP only
when required. The IP address is usually allocated automatically.
PPTP Mainly used in Europe.
You connect to the ISP only when required. The IP address is usually allocated automatically, but may be Static (Fixed).
Other Modems (e.g. Broadband Wireless)
Type Details ISP Data required
Dynamic IP Address
Static (Fixed) IP Address
Your IP Address is allocated automatically, when you connect to you ISP.
Your ISP allocates a permanent IP Address to you.
User name and password.
PPTP Server IP Address.
User name and password.
IP Address allocated to
you, if Static (Fixed).
Usually, none. However, some ISP's may
require you to use a particular Hostname, Domain name , or MAC (physical) address.
IP Address allocated to you, mask and gateway (if provided), and DNS address.
Big Pond Cable (Australia)
For this connection method, the following data is required:
User Name
Password
Big Pond Server IP address
SingTel RAS
For this connection method, the following data is required:
User Name
Password
RAS Plan
12
Setup
Home Screen
After finishing or exiting the Setup Wizard, you will see the Home screen. When you connect in future, you will see this screen when you connect. An example screen is shown below.
Figure 6: Home Screen
Navigation & Data Input
Use the menu bar on the top of the screen, and the "Back" button on your Browser, for navigation.
Changing to another screen without clicking "Save" does NOT save any changes you may have made. You must "Save" before changing screens or your data will be ignored.
On each screen, clicking the "Help" button will display help for that screen.
From any help screen, you can access the list of all help files (help index).
13
Broadband VPN Gateway User Guide

WAN Port Configuration Screen

The WAN Port Configuration screen provides an alternative to using the Wizard. It can be accessed from the Advanced Settings menu. An example screen is shown below.
Identification
Hostname
Domain name
WAN Port MAC Address
IP Address
IP Address is assigned automatically
Figure 7: WAN Port
Normally, there is no need to change the default name, but if your ISP requests that you use a particular “Hostname”, enter it here.
If your ISP provided a domain name, enter it here. Otherwise, this may be left blank.
Also called Network Adapter Address or Physical Address. This is a low-level identifier, as seen from the WAN port.
Normally there is no need to change this, but some ISPs require a particular value, often that of the PC initially used for Internet access.
You can use the Copy from PC button to copy your PC's address into this field, the Default button to insert the default value, or enter a value directly.
Also called Dynamic IP Address. This is the default, and the most common. Leave this selected if your ISP allocates an IP Address to the Wireless Router upon connection.
14
Setup
Specified IP Address
NAT
Enable NAT
Disable NAT
Also called Static IP Address. Select this if your ISP has allocated you a fixed IP Address. If this option is selected, the following data must be entered.
IP Address.
The IP Address allocated by the ISP.
Network Mask (Not required for PPPoE)
This is also supplied by your ISP. It must be compatible with the IP Address above.
Gateway IP Address (Not required for PPPoE)
The address of the router or gateway, as supplied by your ISP.
DNS IP Address
The DNS (Domain Name Server) IP Address provided by your ISP. If required, additional DNS entries can be made on the Internet Options screen.
NAT (Network Address Translation) is the technology which allows all PCs on your LAN to share the Internet IP address allocated to the WAN port on this Router. From the Internet, all PCs appear to have the same IP address.
For normal operation, this setting must be ENABLED. Disabling NAT will disable Internet access, unless all PCs have valid
Internet IP addresses.
DNS
Automatically obtain from Serve
Use this DNS
If you wish to use this device for Routing ONLY (and NOT for Internet access), then NAT should be disabled.
The DNS (Domain Name Server) address will be obtained automatically from your ISP's server. Note that if using a fixed IP address, with no login (login is set to "None"), then no Server is used, so this option cannot be used.
If this option is selected, you must enter the IP address of the DNS (Domain Name Server) you wish to use.
Note: If the DNS is unavailable, the "Backup DNS", entered on the "Options" screen, will be used
15
Broadband VPN Gateway User Guide
Login
Login Method
Login User Name Login Password RAS Plan Server IP Address
Connection Behavior
If your ISP does not use a login method (username, password) for Internet access, leave this at the default value "None (Direct connection)"
Otherwise, check the documentation from your ISP, select the login method used, and enter the required data.
PPPoE - this is the most common login method, widely used
with DSL modems. Normally, your ISP will have provided some software to connect and login. This software is no longer required, and should not be used.
PPTP - this is mainly used in Europe. You need to know the
PPTP Server address as well as your name and password.
Big Pond Cable - for Australia only.
SingTel RAS - for Singapore only.
The User Name (or account name) provided by your ISP. Enter the password for the login name above. For SingTel customers only, select the RAS plan you are on. If using PPTP or Big Pond Cable, enter the IP address or the Domain
name of your ISP's server. Select the desired option:
Automatic Connect/Disconnect
An Internet connection is automatically made when required, and disconnected when idle for the time period specified by the "Auto-disconnect Idle Time-out".
Manual Connect/Disconnect
You must manually establish and terminate the connection.
Keep alive (maintain connection)
The connection will never be disconnected by this device. If disconnected by your ISP, the connection will be re-established immediately. (However, this does not ensure that your Internet IP address will remain unchanged.)
Auto-disconnect Idle Time-out
Buttons
Default
Copy from PC
Save Cancel
This field has no effect unless using the Automatic Connect/Disconnect setting.
If using this setting, enter the desired idle time-out period (in minutes). After the connection to your ISP has been idle for this time period, the connection will be terminated.
Inserts the default MAC address into the MAC address field. You must click "Save" to actually change the address used.
Inserts the MAC address from your PC into the MAC address field. You must click "Save" to actually change the address used.
Save your changes to the Wireless Router. Reverse any changes made since the last "Save".
16

LAN Screen

Use the LAN link on the main menu to reach the LAN screen An example screen is shown below.
Figure 8: LAN Screen
Data - LAN Screen
TCP/IP
Setup
IP Address
Subnet Mask
DHCP Server
Buttons
Save
IP address for the Broadband VPN Router, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range. In the latter case, enter an unused IP Address from within the range used by your LAN.
The default value 255.255.255.0 is standard for small (class "C") networks. For other networks, use the Subnet Mask for the LAN segment to which the Broadband VPN Router is attached (the same value as the PCs on that LAN segment).
If Enabled, the Broadband VPN Router will allocate IP Addresses to PCs (DHCP clients) on your LAN when they start up. The default (and recommended) value is Enabled.
If you are already using a DHCP Server, this setting must be Disabled, and the existing DHCP server must be re-configured to treat the Broadband VPN Router as the default Gateway. See the following section for further details.
The Start IP Address and Finish IP Address fields set the values used by the DHCP server when allocating IP Addresses to DHCP clients. This range also determines the number of DHCP clients supported.
See the following section for further details on using DHCP.
Save the data on screen.
Cancel
The "Cancel" button will discard any data you have entered and reload the file from the Broadband VPN Router.
17
Broadband VPN Gateway User Guide
DHCP
What DHCP Does
A DHCP (Dynamic Host Configuration Protocol) Server allocates a valid IP address to a DHCP Client (PC or device) upon request.
The client request is made when the client device starts up (boots).
The DHCP Server provides the Gateway and DNS addresses to the client, as well as
allocating an IP Address.
The Broadband VPN Router can act as a DHCP server.
Windows 95/98/ME and other non-Server versions of Windows will act as a DHCP
client. This is the default Windows setting for the TCP/IP network protocol. However, Windows uses the term Obtain an IP Address automatically instead of "DHCP Client".
You must NOT have two (2) or more DHCP Servers on the same LAN segment. (If your LAN does not have other Routers, this means there must only be one (1) DHCP Server on your LAN.)
Using the Broadband VPN Router 's DHCP Server
This is the default setting. The DHCP Server settings are on the LAN screen. On this screen, you can:
Enable or Disable the Broadband VPN Router 's DHCP Server function.
Set the range of IP Addresses allocated to PCs by the DHCP Server function.
You can assign Fixed IP Addresses to some devices while using DHCP, provided that the Fixed IP Addresses are NOT within the range used by the DHCP Server.
Using another DHCP Server
You can only use one (1) DHCP Server per LAN segment. If you wish to use another DHCP Server, rather than the Broadband VPN Router 's, the following procedure is required.
1. Disable the DHCP Server feature in the Broadband VPN Router. This setting is on the LAN screen.
2. Configure the DHCP Server to provide the Broadband VPN Router 's IP Address as the Default Gateway.
To Configure your PCs to use DHCP
This is the default setting for TCP/IP under Windows 95/98/ME. See Chapter 4 - Client Configuration for the procedure to check these settings.
18
Chapter 4
PC Configuration
This Chapter details the PC Configuration required on the local ("Internal") LAN.
4

Overview

For each PC, the following may need to be configured:
TCP/IP network settings
Internet Access configuration

Windows Clients

This section describes how to configure Windows clients for Internet access via the Broadband VPN Router.
The first step is to check the PC's TCP/IP settings. The Broadband VPN Router uses the TCP/IP network protocol for all functions, so it is
essential that the TCP/IP protocol be installed and configured on each PC.
TCP/IP Settings - Overview
If using the default Broadband VPN Router settings, and the default Windows TCP/IP settings, no changes need to be made.
By default, the Broadband VPN Router will act as a DHCP Server, automatically providing a suitable IP Address (and related information) to each PC when the PC boots.
For all non-Server versions of Windows, the default TCP/IP setting is to act as a DHCP client.
If using a Fixed (specified) IP address, the following changes are required:
The Gateway must be set to the IP address of the Broadband VPN Router
The DNS should be set to the address provided by your ISP.
If your LAN has a Router, the LAN Administrator must re­configure the Router itself. Refer to Chapter 8 - Other Features and Operations for details.
19
Broadband VPN Gateway User Guide
Checking TCP/IP Settings - Windows 9x/ME:
1. Select Control Panel - Network. You should see a screen like the following:
Figure 9: Network Configuration
2. Select the TCP/IP protocol for your network card.
3. Click on the Properties button. You should then see a screen like the following.
Figure 10: IP Address (Win 95)
Ensure your TCP/IP settings are correct, as follows:
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the Broadband VPN Router will act as a DHCP Server.
Restart your PC to ensure it obtains an IP Address from the Broadband VPN Router.
Using "Specify an IP Address"
If your PC is already configured, check with your network administrator before making the following changes:
20
PC Configuration
On the Gateway tab, enter the Broadband VPN Router 's IP address in the New Gateway field and click Add, as shown below. Your LAN administrator can advise you of the IP Address they assigned to the Broadband VPN Router.
Figure 11: Gateway Tab (Win 95/98)
On the DNS Configuration tab, ensure Enable DNS is selected. If the DNS Server Search Order list is empty, enter the DNS address provided by your ISP in the fields beside the Add button, then click Add.
Figure 12: DNS Tab (Win 95/98)
21
Broadband VPN Gateway User Guide
Checking TCP/IP Settings - Windows NT4.0
1. Select Control Panel - Network, and, on the Protocols tab, select the TCP/IP protocol, as shown below.
Figure 13: Windows NT4.0 - TCP/IP
2. Click the Properties button to see a screen like the one below.
22
PC Configuration
Figure 14: Windows NT4.0 - IP Address
3. Select the network card for your LAN.
4. Select the appropriate radio button - Obtain an IP address from a DHCP Server or Specify an IP Address, as explained below.
Obtain an IP address from a DHCP Server
This is the default Windows setting. Using this is recommended. By default, the Broadband VPN Router will act as a DHCP Server.
Restart your PC to ensure it obtains an IP Address from the Broadband VPN Router.
Specify an IP Address
If your PC is already configured, check with your network administrator before making the following changes.
1. The Default Gateway must be set to the IP address of the Broadband VPN Router. To set this:
Click the Advanced button on the screen above.
On the following screen, click the Add button in the Gateways panel, and enter the
Broadband VPN Router 's IP address, as shown in Figure 15 below.
If necessary, use the Up button to make the Broadband VPN Router the first entry in
the Gateways list.
23
Broadband VPN Gateway User Guide
Figure 15 - Windows NT4.0 - Add Gateway
2. The DNS should be set to the address provided by your ISP, as follows:
Click the DNS tab.
On the DNS screen, shown below, click the Add button (under DNS Service Search
Order), and enter the DNS provided by your ISP.
24
PC Configuration
Figure 16: Windows NT4.0 - DNS
25
Broadband VPN Gateway User Guide
Checking TCP/IP Settings - Windows 2000:
1. Select Control Panel - Network and Dial-up Connection.
2. Right - click the Local Area Connection icon and select Properties. You should see a screen like the following:
Figure 17: Network Configuration (Win 2000)
3. Select the TCP/IP protocol for your network card.
4. Click on the Properties button. You should then see a screen like the following.
26
PC Configuration
Figure 18: TCP/IP Properties (Win 2000)
5. Ensure your TCP/IP settings are correct, as described below.
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the Broadband VPN Router will act as a DHCP Server.
Restart your PC to ensure it obtains an IP Address from the Broadband VPN Router.
Using a fixed IP Address ("Use the following IP Address")
If your PC is already configured, check with your network administrator before making the following changes.
Enter the Broadband VPN Router 's IP address in the Default gateway field and click OK. (Your LAN administrator can advise you of the IP Address they assigned to the Broadband VPN Router.)
If the DNS Server fields are empty, select Use the following DNS server addresses, and enter the DNS address or addresses provided by your ISP, then click OK.
27
Broadband VPN Gateway User Guide
Checking TCP/IP Settings - Windows XP
1. Select Control Panel - Network Connection.
2. Right click the Local Area Connection and choose Properties. You should see a screen like the following:
Figure 19: Network Configuration (Windows XP)
3. Select the TCP/IP protocol for your network card.
4. Click on the Properties button. You should then see a screen like the following.
28
PC Configuration
Figure 20: TCP/IP Properties (Windows XP)
5. Ensure your TCP/IP settings are correct.
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the Broadband VPN Router will act as a DHCP Server.
Restart your PC to ensure it obtains an IP Address from the Broadband VPN Router.
Using a fixed IP Address ("Use the following IP Address")
If your PC is already configured, check with your network administrator before making the following changes.
In the Default gateway field, enter the Broadband VPN Router 's IP address and click OK. Your LAN administrator can advise you of the IP Address they assigned to the Broadband VPN Router.
If the DNS Server fields are empty, select Use the following DNS server addresses, and enter the DNS address or addresses provided by your ISP, then click OK.
29
Broadband VPN Gateway User Guide
Internet Access
To configure your PCs to use the Broadband VPN Router for Internet access:
Ensure that the DSL modem, Cable modem, or other permanent connection is functional.
Use the following procedure to configure your Browser to access the Internet via the
LAN, rather than by a Dial-up connection.
For Windows 9x/ME/2000
1. Select Start Menu - Settings - Control Panel - Internet Options.
2. Select the Connection tab, and click the Setup button.
3. Select "I want to set up my Internet connection manually, or I want to connect through a local area network (LAN)" and click Next.
4. Select "I connect through a local area network (LAN)" and click Next.
5. Ensure all of the boxes on the following Local area network Internet Configuration screen are unchecked.
6. Check the "No" option when prompted "Do you want to set up an Internet mail account now?".
7. Click Finish to close the Internet Connection Wizard. Setup is now completed.
For Windows XP
1. Select Start Menu - Control Panel - Network and Internet Connections.
2. Select Set up or change your Internet Connection.
3. Select the Connection tab, and click the Setup button.
4. Cancel the pop-up "Location Information" screen.
5. Click Next on the "New Connection Wizard" screen.
6. Select "Connect to the Internet" and click Next.
7. Select "Set up my connection manually" and click Next.
8. Check "Connect using a broadband connection that is always on" and click Next.
9. Click Finish to close the New Connection Wizard. Setup is now completed.
Accessing AOL
To access AOL (America On Line) through the Broadband VPN Router, the AOL for Windows software must be configured to use TCP/IP network access, rather than a dial-up connection. The configuration process is as follows:
Start the AOL for Windows communication software. Ensure that it is Version 2.5, 3.0 or later. This procedure will not work with earlier versions.
Click the Setup button.
Select Create Location, and change the location name from "New Locality" to
"Broadband VPN Router ".
Click Edit Location. Select TCP/IP for the Network field. (Leave the Phone Number blank.)
Click Save, then OK. Configuration is now complete.
Before clicking "Sign On", always ensure that you are using the "Broadband VPN Router " location.
30
PC Configuration

Macintosh Clients

From your Macintosh, you can access the Internet via the Broadband VPN Router. The procedure is as follows.
1. Open the TCP/IP Control Panel.
2. Select Ethernet from the Connect via pop-up menu.
3. Select Using DHCP Server from the Configure pop-up menu. The DHCP Client ID field can be left blank.
4. Close the TCP/IP panel, saving your settings.
Note:
If using manually assigned IP addresses instead of DHCP, the required changes are:
Set the Router Address field to the Broadband VPN Router 's IP Address.
Ensure your DNS settings are correct.

Linux Clients

To access the Internet via the Broadband VPN Router, it is only necessary to set the Broadband VPN Router as the "Gateway".
Ensure you are logged in as "root" before attempting any changes.
Fixed IP Address
By default, most Unix installations use a fixed IP Address. If you wish to continue using a fixed IP Address, make the following changes to your configuration.
Set your "Default Gateway" to the IP Address of the Broadband VPN Router.
Ensure your DNS (Name server) settings are correct.
To act as a DHCP Client (recommended)
The procedure below may vary according to your version of Linux and X -windows shell.
1. Start your X Windows client.
2. Select Control Panel - Network
3. Select the "Interface" entry for your Network card. Normally, this will be called "eth0".
4. Click the Edit button, set the "protocol" to "DHCP", and save th is data.
5. To apply your changes
Use the "Deactivate" and "Activate" buttons, if available.
OR, restart your system.

Other Unix Systems

To access the Internet via the Broadband VPN Router:
Ensure the "Gateway" field for your network card is set to the IP Address of the Broadband VPN Router.
Ensure your DNS (Name Server) settings are correct.
31
Chapter 5
Operation and Status
This Chapter details the operation of the Broadband VPN Router and the status screens.

Operation

Once both the Broadband VPN Router and the PCs are configured, operation is automatic.
However, there are some situations where additional Internet configuration may be required:
If using Internet-based Communication Applications, it may be necessary to specify which PC receives an incoming connection. Refer to Chapter 6 - Internet Features for further details.
Applications which use non-standard connections or port numbers may be blocked by the Broadband VPN Router 's built-in firewall. You can define such applications as Special Applications to allow them to function normally. Refer to Chapter 6 - Internet Features for further details.
Some non-standard applications may require use of the DMZ feature. Refer to Chapter 6 - Internet Features for further details.
5

Status Screen

Use the Status link on the main menu to view this screen.
Figure 21: Status Screen
32
Data - Status Screen
Internet
Operation and Status
Connection Method
Broadband Modem Internet Connection
Internet IP Address
"Connection Details" Button
LAN
IP Address Network Mask DHCP Server
This indicates the current connection method, as set in the Setup Wizard.
This shows the connection status of the modem. Current connection status:
Active
Idle
Unknown
Failed
If there is an error, you can click the "Connection Details" button to find out more information.
This IP Address is allocated by the ISP (Internet Service Provider).
Click this button to open a sub-window and view a detailed description of the current connection. Depending on the type of connection, a "log" may also be available.
The IP Address of the Broadband VPN Router. The Network Mask (Subnet Mask) for the IP Address above. This shows the status of the DHCP Server function - either
"Enabled" or "Disabled".
System
Device Name Firmware Version
"System Data" Button
Buttons
Connection Details
System Data Restart Router
Refresh Screen
For additional information about the PCs on your LAN, and the IP addresses allocated to them, use the PC Database option on the Advanced menu.
This displays the current name of the Broadband VPN Router. The current version of the firmware installed in the Broadband
VPN Router. Clicking this button will open a Window which lists all system
details and settings.
View the details of the current Internet connection. The sub­screen displayed will depend on the connection method used. See the following sections for details of each sub-screen.
Display all system information in a sub-window. Restart (reboot) the Router. You will have to wait for the restart
to be completed before continuing. Update the data displayed on screen.
33
Broadband VPN Gateway User Guide

Connection Status - PPPoE

If using PPPoE (PPP over Ethernet), a screen like the following example will be displayed when the "Connection Details" button is clicked.
Data - PPPoE Screen
Connection
Physical Address
IP Address
Network Mask PPPoE Link Status
Connection Log
Connection Log
Figure 22: PPPoE Status Screen
The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.)
The IP Address of this device, as seen by Internet users. This address is allocated by your ISP (Internet Service Provider).
The Network Mask associated with the IP Address above. This indicates whether or not the connection is currently
established.
If the connection does not exist, the "Connect" button can be used to establish a connection.
If the connection currently exists, the "Disconnect" button can be used to break the connection.
The Connection Log shows status messages relating to the existing connection.
The most common messages are listed in the table below.
34
Buttons
Operation and Status
The "Clear Log" button will restart the Log, while the Refresh button will update the messages shown on screen.
Connect Disconnect Clear Log
If not connected, establish a connection to your ISP. If connected to your ISP, hang up the connection. Delete all data currently in the Log. This will make it easier to
read new messages.
Refresh
Update the data on screen.
Connection Log Messages
Message Description
Connect on Demand Connection attempt has been triggered by the "Connect
automatically, as required" setting. Manual connection Connection attempt started by the "Connect" button. Reset physical connection Preparing line for connection attempt. Connecting to remote
server Remote Server located ISP's Server has responded to connection attempt. Start PPP Attempting to login to ISP's Server and establish a PPP
Attempting to connect to the ISP's server.
connection. PPP up successfully Able to login to ISP's Server and establish a PPP connection. Idle time-out reached The connection has been idle for the time period specified in
the "Idle Time-out" field. The connection will now be
terminated. Disconnecting The current connection is being terminated, due to either the
"Idle Time-out" above, or "Disconnect" button being clicked. Error: Remote Server not
found Error: PPP Connection
failed
ISP's Server did not respond. This could be a Server problem,
or a problem with the link to the Server.
Unable to establish a PPP connection with the ISP's Server.
This could be a login problem (name or password) or a Server
problem. Error: Connection to
Server lost Error: Invalid or unknown
packet type
The existing connection has been lost. This could be caused
by a power failure, a link failure, or Server failure.
The data received from the ISP's Server could not be
processed. This could be caused by data corruption (from a
bad link), or the Server using a protocol which is not
supported by this device.
35
Broadband VPN Gateway User Guide

Connection Status - PPTP

If using PPTP (Peer-to-Peer Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked.
Data - PPTP Screen
Connection
Physical Address
IP Address
Connection Status
Connection Log
Connection Log
Figure 23: PPTP Status Screen
The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.)
The IP Address of this device, as seen by Internet users. This address is allocated by your ISP (Internet Service Provider).
This indicates whether or not the connection is currently established.
If the connection does not exist, the "Connect" button can be used to establish a connection.
If the connection currently exists, the "Disconnect" button can be used to break the connection.
The Connection Log shows status messages relating to the existing connection.
The "Clear Log" button will restart the Log, while the Refresh button will update the messages shown on screen.
Buttons
Connect
If not connected, establish a connection to your ISP.
36
Operation and Status
N
Disconnect Clear Log
Refresh
If connected to your ISP, hang up the connection. Delete all data currently in the Log. This will make it easier to read
new messages. Update the data on screen.

Connection Status - Telstra Big Pond

An example screen is shown below.
Figure 24: Telstra Big Pond Status Screen
Data - Telstra Big Pond Screen
Connection
Physical Address
IP Address
Connection Status
The hardware address of this device, as seen by remote devices. (This is different to the hardware address seen by devices on the local LAN.)
The IP Address of this device, as seen by Internet users. This address is allocated by your ISP (Internet Service Provider).
This indicates whether or not the connection is currently established.
If the connection does not exist, the "Connect" button can be used to establish a connection.
If the connection currently exists, the "Disconnect" button can be used to break the connection.
ormally, it is not necessary to use the Connect and
37
Broadband VPN Gateway User Guide
Disconnect buttons unless the setting "Connect automatically, as required" is disabled.
Connection Log
Connection Log
Buttons
The Connection Log shows status messages relating to the existing connection.
The Clear Log button will restart the Log, while the Refresh button will update the messages shown on screen.
Connect Disconnect Clear Log
Refresh
If not connected, establish a connection to Telstra Big Pond. If connected to Telstra Big Pond, terminate the connection. Delete all data currently in the Log. This will make it easier to read
new messages. Update the data on screen.

Connection Details - SingTel RAS

If using the SingTel RAS access method, a screen like the following example will be displayed when the "Connection Details" button is clicked.
Figure 25: Connection Details - SingTel RAS
Data - SingTel RAS Screen
Internet
RAS Plan Physical Address
IP Address
The RAS Plan which is currently used. The hardware address of this device, as seen by remote devices on
the Internet. (This is different to the hardware address seen by devices on the local LAN.)
The IP Address of this device, as seen by Internet users. This address
38
is allocated by your ISP (Internet Service Provider).
Operation and Status
Network Mask Default Gateway
DNS IP Address DHCP Client
Buttons
Release/Renew Button will display
EITHER "Release" OR "Renew"
The Network Mask associated with the IP Address above. The IP Address of the remote Gateway or Router associated with the
IP Address above. The IP Address of the Domain Name Server which is currently used. This will show "Enabled" or "Disabled", depending on whether or
not this device is functioning as a DHCP client. If "Enabled" the "Remaining lease time" field indicates when the IP
Address allocated by the DHCP Server will expire. The lease is automatically renewed on expiry; use the "Renew" button if you wish to manually renew the lease immediately.
This button is only useful if the IP address shown above is allocated automatically on connection. (Dynamic IP address). If you have a Fixed (Static) IP address, this button has no effect.
If the ISP's DHCP Server has NOT allocated an IP Address for the Broadband VPN Router, this button will say "Renew". Clicking the "Renew" button will attempt to re-establish the connection and obtain an IP Address from the ISP's DHCP Server.
If an IP Address has been allocated to the Broadband VPN Router (by the ISP's DHCP Server), this button will say "Release". Clicking the "Release" button will break the connection and release the IP Address.
Refresh
Update the data shown on screen.
39
Broadband VPN Gateway User Guide

Connection Details - Fixed/Dynamic IP Address

If your access method is "Direct" (no login), a screen like the following example will be displayed when the "Connection Details" button is clicked.
Figure 26: Connection Details - Fixed/Dynamic IP Address
Data - Fixed/Dynamic IP address Screen
Internet
Physical Address
IP Address
Network Mask Default Gateway
DNS IP Address DHCP Client
Buttons
Release/Renew Button will display
EITHER "Release" OR "Renew"
The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.)
The IP Address of this device, as seen by Internet users. This address is allocated by your ISP (Internet Service Provider).
The Network Mask associated with the IP Address above. The IP Address of the remote Gateway or Router associated with the
IP Address above. The IP Address of the Domain Name Server which is currently used. This will show "Enabled" or "Disabled", depending on whether or
not this device is functioning as a DHCP client. If "Enabled" the "Remaining lease time" field indicates when the IP
Address allocated by the DHCP Server will expire. The lease is automatically renewed on expiry; use the "Renew" button if you wish to manually renew the lease immediately.
This button is only useful if the IP address shown above is allocated automatically on connection. (Dynamic IP address). If you have a Fixed (Static) IP address, this button has no effect.
If the ISP's DHCP Server has NOT allocated an IP Address for the Broadband VPN Router, this button will say "Renew". Clicking the "Renew" button will attempt to re-establish the
40
Operation and Status
connection and obtain an IP Address from the ISP's DHCP Server.
If an IP Address has been allocated to the Broadband VPN Router (by the ISP's DHCP Server), this button will say "Release". Clicking the "Release" button will break the connection and release the IP Address.
Refresh
Update the data shown on screen.
41
Chapter 6
Advanced Features
This Chapter explains when and how to use the Broadband VPN Router's "Advanced" Features.

Overview

The following advanced features are provided.
Advanced Internet
Communication Applications
Special Applications
Multi-DMZ
URL filter
Dynamic DNS
Virtual Servers
Access Control
Firewall Rules
Scheduling
Services
6
42

Advanced Internet Screen

Advanced Features
Figure 27: Internet Screen
This screen allows configuration of all advanced features relating to Internet access.
Communication Applications
Special Applications
Multi-DMZ
URL filter
Communication Applications
Most applications are supported transparently by the Broadband VPN Router. But sometimes it is not clear which PC should receive an incoming connection. This problem could arise with the Communication Applications listed on this screen.
If this problem arises, you can use this screen to set which PC should receive an incoming connection, as described below.
Communication Applications
Select an Application
This lists applications which may generate incoming connections, where the destination PC (on your local LAN) is unknown.
43
Broadband VPN Gateway User Guide
Send incoming calls to
This lists the PCs on your LAN.
If necessary, you can add PCs manually, using the "PC Database" option on the advanced menu.
For each application listed above, you can choose a destination PC.
There is no need to "Save" after each change; you can set the destination PC for each application, then click "Save".
Special Applications
If you use Internet applications which use non-standard connections or port numbers, you may find that they do not function correctly because they are blocked by the Broadband VPN Router 's firewall. In this case, you can define the application as a "Special Application".
Special Applications Screen
This screen can be reached by clicking the Special Applications button on the Advanced Internet screen.
You can then define your Special Applications. You will need detailed information about the application; this is normally available from the supplier of the application.
Also, note that the terms "Incoming" and "Outgoing" on this screen refer to traffic from the client (PC) viewpoint
Figure 28: Special Applications Screen
Data - Special Applications Screen
Checkbox Name
Use this to Enable or Disable this Special Application as required. Enter a descriptive name to identify this Special Application.
44
Advanced Features
Incoming Ports
Outgoing Ports
Type - Select the protocol (TCP or UDP) used when you receive data
from the special application or service. (Note: Some applications use different protocols for outgoing and incoming data).
Start - Enter the beginning of the range of port numbers used by the
application server, for data you receive. If the application uses a single port number, enter it in both the "Start" and "Finish" fields.
Finish - Enter the end of the range of port numbers used by the
application server, for data you receive.
Type - Select the protocol (TCP or UDP) used when you send data to
the remote system or service.
Start - Enter the beginning of the range of port numbers used by the
application server, for data you send to it. If the application uses a single port number, enter it in both the "Start" and "Finish" fields.
Finish - Enter the end of the range of port numbers used by the
application server, for data you send to it. If the application uses a single port number, enter it in both the "Start" and "Finish" fields.
Using a Special Application
Configure the Special Applications screen as required.
On your PC, use the application normally. Remember that only one (1) PC can use each
Special application at any time. Also, when 1 PC is finished using a particular Special Application, there may need to be a "Time-out" before another PC can use the same Special Application. The "Time-out" period may be up to 3 minutes.
If an application still cannot function correctly, try using the "DMZ" feature.
Multi-DMZ
This feature is only available if your ISP has allocated you multiple Internet IP addresses. If you have multiple Internet IP addresses, you can assign one DMZ PC for each Internet IP
address.
The "DMZ PC" will receive all "Unknown" connections and data received for the Internet IP address associated with it.
All outgoing traffic from the DMZ PC will be assigned the WAN IP address associated with it, rather than the shared IP address on the WAN port. Note that ONLY th e DMZ PC will use the WAN (Internet) IP address you enter on this screen.
To use this feature:
Enter an IP address allocated to you by your ISP into th e WAN IP address field.
Select the PC to be the DMZ PC for traffic sent to this IP address.
Enable this DMZ.
45
Broadband VPN Gateway User Guide
The "DMZ PC" is effectively outside the Firewall, making it more vulnerable to attacks. For this reason, you should only enable the DMZ feature when required.
URL Filter
The URL Filter allows you to block access to undesirable Web site
To use this feature, you must define "filter strings". If the "filter string" appears in a requested URL, the request is blocked.
Enabling the URL Filter also affects the Internet Access Log. If Enabled, the "Destination" field in the log will display the URL. Otherwise, it will display the IP Address.
The URL Filter can be Enabled or Disabled on the Advanced Internet screen.
URL Filter Screen
Click the "Configure URL Filter" button on the Advanced Internet screen to access the URL Filter screen. An example screen is shown below.
Data - URL Filter Screen
Filter Strings
Current Entries
Add Filter String
This lists any existing entries. If you have not entered any values, this list will be empty.
To add an entry to the list, enter it here, and click the "Add" button. An entry may be a Domain name (e.g. www.trash.com) or simply a string. (e.g. ads/ ) Any URL which contains ANY entry ANYWHERE in the URL will be blocked.
Figure 29: URL Filter Screen
46
Buttons
Advanced Features
Delete/Delete All
Add
Use these buttons to delete the selected entry or all entries, as required. Multiple entries can be selected by holding down the CTRL key while selecting. (On the Macintosh, hold the SHIFT key while selecting.)
Use this to add the current Filter String to the site list.
47
Broadband VPN Gateway User Guide

Dynamic DNS (Domain Name Server)

This free service is very useful when combined with the Virtual Server feature. It allows Internet users to connect to your Virtual Servers using a URL, rather than an IP Address.
This also solves the problem of having a dynamic IP address. With a dynamic IP address, your IP address may change whenever you connect, which makes it difficult to connect to you.
The Service works as follows:
1. You must register for the service at http://www.dyndns.org (Registration is free). Your password will be E-mailed to you.
2. After registration, use the "Create New Host" option (at www.dyndns.org) to request your desired Domain name.
3. Enter your data from www.dyndns.org in the Broadband VPN Router 's DDNS screen.
4. The Broadband VPN Router will then automatically ensure that your current IP Address is recorded at http://www.dyndns.org
5. From the Internet, users will be able to connect to your Virtual Servers (or DMZ PC) using your Domain name, as shown on this screen.
Dynamic DNS Screen
Select Internet on the main menu, then Dynamic DNS, to see a screen like the following:
Figure 30: DDNS Screen
Data - Dynamic DNS Screen
DDNS Service
DDNS Service
You must sign up first to create a new account before using the service. The service is free.
Your initial password will be E-mailed to you; you can change this later if you wish.
48
DDNS Data
Advanced Features
After registration, use the "Create New Host" link to request a domain name.
DDNS Service Web Site
Button User Name
Password Domain Name
DDNS Status
Select the desired DDNS Service provider. Click this button to open a new window and connect to the Web site
for the selected DDNS service provider. Enter the "User name" specified at the www.dyndns.org Web site
when you registered. Enter your current password for www.dyndns.org
Enter your domain name, as allocated at www.dyndns.org.
The name should consist only of letters and the hyphen (dash).
Using any other characters may cause problems..
This message is returned by the DDNS Server at www.dyndns.org
Normally, this message should be "Update successful" (current IP address was updated on the www.dyndns.org server).
If the message is "No host", this indicates the host name entered was not allocated to you. You need to connect to www.dyndns.org and correct this problem.
49
Broadband VPN Gateway User Guide

Virtual Servers

This feature allows you to make Servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because:
Your Server does not have a valid external IP Address.
Attempts to connect to devices on your LAN are blocked by the firewall in this device.
The "Virtual Server" feature solves these problems and allows Internet users to connect to your servers, as illustrated below.
Figure 31: Virtual Servers
IP Address seen by Internet Users
Note that, in this illustration, both Internet users are connecting to the same IP Address, but using different protocols.
To Internet users, all virtual Servers on your LAN have the same IP Address. This IP Address is allocated by your ISP.
This address should be static, rather than dynamic, to make it easier for Internet users to connect to your Servers.
However, you can use the DDNS (Dynamic DNS) feature to allow users to connect to your Virtual Servers using a URL, instead of an IP Address.
50
Advanced Features
Using the DMZ port for Virtual Servers
You should connect your Virtual Servers to the DMZ port, for the following reasons:
Traffic passing between the DMZ and LAN passes through the firewall. The firewall will protect your LAN if your Server is compromised and used to launch an attack on your LAN.
For each enabled Virtual Server, a firewall rule to allow incoming traffic from the Internet (WAN) to the DMZ is automatically created. If the Server is connected to the LAN (hub) ports, you must add the firewall rule manually.
Note that the DMZ port is a normal port, not an "uplink" port. If connecting to a hub, connect to the standard port on the hub.
Virtual Servers Screen
The Virtual Servers screen is reached by the Virtual Servers link on the Internet menu. An example screen is shown below.
Figure 32: Virtual Servers Screen
This screen lists a number of pre-defined Servers,. providing a quick and convenient method to set up the common server types.
Data - Virtual Servers Screen
Servers
Servers
This lists a number of pre-defined Servers, plus any Servers you have defined. Details of the selected Server are shown in the "Properties" area.
51
Broadband VPN Gateway User Guide
Properties
Enable
PC (Server)
Protocol Internal Ports
External Ports
Buttons
Disable All
Update Selected Server
Use this to Enable or Disable support for this Server, as required.
If Enabled, any incoming connections will be forwarded to the selected PC.
If Disabled, any incoming connection attempts will be blocked.
Select the PC for this Server. The PC must be running the appropriate Server software.
Select the protocol (TCP or UDP) used by the Server. Enter the range of port numbers which the Server software is
configured to use. If only 1 port number is required, enter it in both the start and finish fields.
The port numbers used by Internet users when connecting to the Server. These are normally the same as the Internal Port Numbers. If it is different, this device will perform a "mapping" or "translation" function, allowing the server to use one port address, while clients use a different port address.
This will cause the "Enable" setting of all Virtual Servers to be set OFF.
Update the current Virtual Server entry, using the data shown in the "Properties" area on screen.
Add as new Server
Delete
Clear Form
Add a new entry to the Virtual Server list, using the data shown in the "Properties" area on screen. The entry selected in the list is ignored, and has no effect.
Delete the current Virtual Server entry. Note that the pre-defined Servers can not be deleted. Only Servers you have defined yourself can be deleted.
Clear all data from the "Properties" area, ready for input of a new Virtual Server entry.
Defining your own Virtual Servers
If the type of Server you wish to use is not listed on the Virtual Servers screen, you can use the Firewall Rules to allow particular incoming traffic and forward it to a specified PC (Server).
Connecting to the Virtual Servers
Once configured, anyone on the Internet can connect to your Virtual Servers. They must use the Internet IP Address (the IP Address allocated to you by your ISP). e.g.
http://203.70.212.52 ftp://203.70.212.52
It is more convenient if you are using a Fixed IP Address from your ISP, rather than Dynamic. However, you can use the Dynamic DNS feature, described in the following section, to allow users to connect to your Virtual Servers using a URL, rather than an IP Address.
52
Advanced Features

Access Control

This feature is accessed by the Access Control link on the Security menu. The Access Control feature allows administrators to restrict the level of Internet Access
available to PCs on your LAN. With the default settings, everyone has unrestricted Internet access.
To use this feature:
1. Set the desired restrictions on the "Default" group. All PCs are in the "Default" group unless explicitly moved to another group.
2. Set the desired restrictions on the other groups ("Group 1", "Group 2", "Group 3" and "Group 4") as needed.
3. Assign PC to the groups as required.
Restrictions are imposed by blocking "Services", or types of connections. All common Services are pre-defined. If required, you can also define your own Services.
Access Control Screen
To view this screen, select the Access Control link on the Security menu.
Figure 33: Access Control Screen
53
Broadband VPN Gateway User Guide
Data - Access Control Screen
Group
Group
"Members" Button
Internet Access
Restrictions
Select the desired Group. The screen will update to display the settings for the selected Group. Groups are named "Default", "Group 1", "Group 2", "Group 3" and "Group 4", and cannot be re­named.
Click this button to add or remove members from the current Group.
If the current group is "Default", then members can not be added or deleted. This group contains PCs not allocated to any other group.
To remove PCs from the Default Group, assign them to another Group.
To assign PCs to the Default Group, delete them from the Group they are currently in.
See the following section for details of the Group Members screen.
Select the desired options for the current group:
None - Nothing is blocked. Use this to create the least restrictive group.
Block all Internet access - All traffic via the WAN port is blocked. Use this to create the most restrictive group.
Block selected Services - You can select which Services are to block. Use this to gain fine control over the Internet access for a group.
Block by Schedule
Services
Buttons
Members
Save Cancel View Log
If Internet access is being blocked, you can choose to apply the blocking only during scheduled times. (If access is not blocked, no Scheduling is possible, and this setting has no effect.)
This lists all defined Services. Select the Services you wish to block. To select multiple services, hold the CTRL key while selecting. (On the Macintosh, hold the SHIFT key rather than CTRL.)
Click this button to add or remove members from the current Group.
If the current group is "Default", then members can not be added or deleted. This group contains PCs not allocated to any other group.
See the following section for details of the Group Members screen. Save the data on screen. Reverse any changes made since the last "Save". Click this to open a sub-window where you can view the "Access
Control" log. This log shows attempted Internet accesses which have been blocked by the Access Control feature.
54
Advanced Features
Clear Log
Click this to clear and restart the "Access Control" log, making new entries easier to read.
Group Members Screen
This screen is displayed when the Members button on the Access Control screen is clicked.
Figure 34: Group Members
Use this screen to add or remove members (PCs) from the current group.
The "Del >>" button will remove the selected PC (in the Members list) from the current group.
The "<< Add" button will add the selected PC (in the Other PCs list) to the current group.
PCs not assigned to any group will be in the "Default" group. PCs deleted from any other Group will be added to the "Default" group.
Access Control Log
To check the operation of the Access Control feature, an Access Control Log is provided. Click the View Log button on the Access Control screen to view this log.
This log shows attempted Internet accesses which have been blocked by the Access Control function.
Data shown in this log is as follows:
Date/Time Name
Source IP address
MAC address
Date and Time of the attempted access. If known, the name of the PC whose access was blocked. This
name is taken from the Network Clients database The IP Address of the PC or device whose access request was
blocked The hardware or physical address of the PC or device whose access
55
Broadband VPN Gateway User Guide
request was blocked
Destination
The destination URL or IP address
56
Advanced Features

Firewall Rules

For normal operation and LAN protection, it is not necessary to use this screen. The Firewall will always block DoS (Denial of Service) attacks. A DoS attack does not attempt
to steal data or damage your PCs, but overloads your Internet connection so you can not use it
- the service is unavailable.
As well, you can use this screen to create Firewall rules to block or allow specific traffic. But Incorrect configuration may cause serious problems.
This feature is for advanced administrators only!
Firewall Rules Screen
Click the Firewall Rules option on the Security menu to see a screen like the following example. This example contains two (2) rules for outgoing traffic.
Since the default rule for outgoing (LAN => WAN) traffic is "Allow", having an "Allow" rule for LAN => WAN only makes sense in combination with another rule.
For example, the screen below shows a rule blocking all traffic to a MSN Game Server, followed by another rule allowing access by a specific PC.
Figure 35: Firewall Rules Screen
Data - Firewall Rules Screen
Rule List
View Rules for ..
Select the desired option; the screen will update and list any current rules. If you have not defined any rules, the list will be empty.
57
Broadband VPN Gateway User Guide
Data
Add
Edit Move
Delete
For each rule, the following data is shown:
Name - The name you assigned to the rule.
Source - The traffic covered by this rule, defined by the source IP
address. If the IP address is followed by ... this indicates there is range of IP addresses, rather than a single address.
Destination - The traffic covered by this rule, defined by
destination IP address. If the IP address is followed by ... this indicates there is range of IP addresses, rather than a single address.
Action - Action will be "Forward" or "Block" To add a new rule, click the "Add" button, and complete the resulting
screen. See the following section for more details. To Edit or modify an existing rule, select it and click the "Edit" button.
There are 2 ways to change the order of rules
Use the up and down indicators on the right to move the selected rule. You must confirm your changes by clicking "OK". If you change your mind before clicking "OK", click "Cancel" to reverse your changes.
Click "Move" to directly specify a new location for the selected rule.
To delete an existing rule, select it and click the "Delete" button.
View Log
System Rules
Clicking the "View Log" button will open a new window and display the Firewall log.
Clicking the "System Rules" button will open a new window and display the default firewall rules currently applied by the system. These rules cannot be edited, but any rules you create will take precedence over the default rules.
58
Advanced Features
Add/Edit Firewall Rule
Clicking the "Add" button in the Firewall Rules screen will display a screen like the example below.
Figure 36: Add/Edit Firewall Rule
Data - Add/Edit Firewall Rule Screen
Name Type
Source IP
Enter a suitable name for this rule. This determines the source and destination ports for traffic
covered by this rule. Select the desired option. These settings determine which traffic, based on their source IP
address, is covered by this rule. Select the desired option:
Any - All traffic from the source port is covered by this rule.
Single address - Enter the required IP address in the "Start IP
address" field". You can ignore the "Subnet Mask" field.
Range address - If this option is selected, you must complete both the "Start IP address" and "Finish IP address" fields. You can ignore the "Subnet Mask" field.
Subnet address - If this option is selected, enter the required mask in the "Subnet Mask" field.
59
Broadband VPN Gateway User Guide
Dest IP
Services
Action Log
These settings determine which traffic, based on their destination IP address, is covered by this rule.
Select the desired option:
Any - All traffic from the source port is covered by this rule.
Single address - Enter the required IP address in the "Start IP
address" field". You can ignore the "Subnet Mask" field.
Range address - If this option is selected, you must complete both the "Start IP address" and "Finish IP address" fields. You can ignore the "Subnet Mask" field.
Subnet address - If this option is selected, enter the required mask in the "Subnet Mask" field.
Select the desired Service or Services. This determines which packets are covered by this rule, based on the protocol (TPC or UDP) and port number. If necessary, you can define a new Service on the "Services" screen, by defining the protocols and port numbers used by the Service.
Select the desired action for packets covered by this rule: This determines whether packets covered by this rule are logged.
Select the desired option.
60
Advanced Features

Scheduling

This schedule can be (optionally) applied to any Access Control Group.
Blocking will be performed during the scheduled time (between the "Start" and "Finish"
times.)
Two (2) separate sessions or periods can be defined.
Times must be entered using a 24 hr clock.
If the time for a particular day is blank, no action will be performed.
Define Schedule Screen
This screen is accessed by the Scheduling link on the Security menu.
Figure 37: Define Schedule Screen
Data - Define Schedule Screen
Day Session 1
Session 2 Start Time Finish Time
Each day of the week can scheduled independently. Two (2) separate sessions or periods can be defined. Session 2 can be
left blank if not required. Enter the start using a 24 hr clock. Enter the finish time using a 24 hr clock.
61
Broadband VPN Gateway User Guide

Services

Services are used in defining traffic to be blocked or allowed by the Access Control or Firewall Rules features. Many common Services are pre-defined, but you can also define your
own services if required. To view the Services screen, select the Services link on the Security menu.
Data - Services Screen
Available Services
Available Services "Delete" button
Add New Service
Name Type
Start Port
Finish Port
ICMP Type
This lists all the available services. Use this to delete any Service you have added. Pre-defined Services
can not be deleted.
Enter a descriptive name to identify this service. Select the protocol (TCP, UDP, ICMP) used to the remote system or
service. For TCP and UDP Services, enter the beginning of the range of port
numbers used by the service. If the service uses a single port number, enter it in both the "Start" and "Finish" fields.
For TCP and UDP Services, enter the end of the range of port numbers used by the service. If the service uses a single port number, enter it in both the "Start" and "Finish" fields.
For ICMP Services, enter the type number of the required service.
Figure 38: Services Screen
62
Buttons
Advanced Features
Delete Add
Cancel
Delete the selected service from the list. Add a new entry to the Service list, using the data shown in th e "Add
New Service" area on screen. Clear the " Add New Service " area, ready for entering data for a new
Service.
63
Chapter 7
VPN
This Chapter describes the VPN capabilities and configuration required for common situations.
7

Overview

This section describes the VPN (Virtual Private Network) support provided by your Broadband VPN Router.
A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network - typically the Internet. This secure connection is called a VPN Tunnel.
There are many standards and protocols for VPNs. The standard implemented in the Broadband VPN Router is IPSec.
IPSec
IPSec is a near-ubiquitous VPN security standard, designed for use with TCP/IP networks. It works at the packet level, and authenticates and encrypts all packets traveling over the VPN Tunnel. Thus, it does not matter what applications are used on your PC. Any application can use the VPN like any other network connection.
IPsec VPNs exchange information through logical connections called SAs (Security Associations). An SA is simply a definition of the protocols, algorithms and keys used between the two VPN devices (endpoints).
Each IPsec VPN has two SAs - one in each direction. If IKE (Internet Key Exchange) is used to generate and exchange keys, there are also SA's for the IKE connection as well as the IPsec connection.
There are two security modes possible with IPSec:
Transport Mode - the payload (data) part of the packet is encapsulated through
encryption but the IP header remains in the clear (unchanged).
The Broadband VPN Router does NOT support Transport Mode.
Tunnel Mode - everything is encapsulated, including the original IP header, and a new IP
header is generated. Only the new header in the clear (i.e. not protected) This system provides enhanced security.
The Broadband VPN Router always uses Tunnel Mode.
IKE
IKE (Internet Key Exchange) is an optional, but widely used, component of IPsec. IKE provides a method of negotiating and generating the keys and IDs required by IPSec. If using IKE, only a single key is required to be provided during configuration. Also, IKE supports using Certificates (provided by CAs - Certification Authorities) to authenticate the identify of the remote user or gateway.
If IKE is NOT used, then all keys and IDs (SPIs) must be entered manually, and Certificates can NOT be used. This is called a "Manual Key Exchange".
When using IKE, there are 2 phases to establishing the VPN tunnel:
64
VPN
Phase I is the negotiation and establishment up of the IKE connection.
Phase II is the negotiation and establishment up of the IPsec connection.
Because the IKE and IPsec connections are separate, they have different SAs (security associations).
Policies
VPN configuration settings are stored in Policies. Each policy defines:
The address of the remote VPN endpoint
The traffic which is allowed to use the VPN connection.
The parameters (settings) for the IPsec SA (Security Association)
If IKE is used, the parameters (settings) for the IKE SA (Security Association)
Generally, you will need at least one (1) VPN Policy for each remote site for which you wish to establish VPN connections.
It is possible, and sometimes necessary, to have multiple Policies for the same remote site. In this case, the order (sequence) of the policies is important. The policies are examined in turn, and the first matching policy will be used.
VPN Configuration
The general rule is that each endpoint must have matching Policies, as follows:
Remote VPN address
Traffic Selector
IKE parameters
IPsec parameters
Each VPN endpoint must be configured to initiate or accept connections to the remote VPN client or Gateway.
Usually, this requires having a fixed Internet IP address. However, it is possible for a VPN Gateway to accept incoming connections from a remote client where the client's IP address is not known in advance.
This determines which outgoing traffic will cause a VPN connection to be established, and which incoming traffic will be accepted. Each endpoint must be configured to pass and accept the desired traffic from the remote endpoint.
If connecting 2 LANs, this requires that:
Each endpoint must be aware of the IP addresses used on the other endpoint.
The 2 LANs MUST use different IP address ranges.
If using IKE (recommended), the IKE parameters must match (except for the SA lifetime, which can be different).
The IPsec parameters at each endpoint must match.
65
Broadband VPN Gateway User Guide

Common VPN Situations

VPN Pass-through
Figure 39: VPN Pass-through
Here, a PC on the LAN behind the Router/Gateway is using VPN software, but the Router/Gateway is NOT acting as a VPN endpoint. It is only allowing the VPN connection.
The PC software can use any VPN protocol supported by the remote VPN.
The remote VPN Server must support client PCs which are behind a NAT router, and so
have an IP address which is not valid on the Internet.
The Router/Gateway requires no VPN configuration, since it is not acting as a VPN endpoint.
Client PC to VPN Gateway
Figure 40: Client PC to VPN Server
In this situation, the PC must run appropriate VPN client software in order to connect, via the Internet, to the Broadband VPN Router. Once connected, the client PC has the same access to LAN resources as PCs on the local LAN (unless restricted by the network administrator).
IPsec is not the only protocol which can be used in this situation, but the Broadband VPN Router supports IPsec ONLY.
Windows 2000 and Windows XP include a suitable IPsec VPN client program. Configuration of this client program for use with the Broadband VPN Router is covered later in this document.
66
VPN
Connecting 2 LANs via VPN
Figure 41: Connecting 2 VPN Gateways
This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN.
The 2 LANs MUST use different IP address ranges.
The VPN Policies at each end determine when a VPN tunnel will be established, and what
systems on the remote LAN can be accessed once the VPN connection is established.
It is possible to have simultaneous VPN connections to many remote sites.
67
Broadband VPN Gateway User Guide

VPN Configuration

This section covers the configuration required on the Broadband VPN Router when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies).
Details of using Certificates are covered in a later section.
VPN Policies Screen
To view this screen, select VPN Policies from the VPN menu. This screen lists all existing VPN policies. If no policies exist, the list will be empty.
Figure 42: VPN Policies
Note that the order of policies is important if you have more than one policy for particular traffic. In that case, the first matching policy (for the traffic under consideration) will be used.
Data - VPN Policies Screen
VPN List
Policy Name
Enable
Remote VPN Endpoint
Key Type
Operations
Edit
The name of the policy. When creating a policy, you should select a suitable name.
This indicates whether or not the policy is currently enabled. Use the "Enable/Disable" button to toggle the state of the selected policy.
The IP address of the remote VPN endpoint (Gateway or client).
This will indicate "Manual" (manual key exchange) or "IKE" (Internet Key Exchange)
To Edit or modify an existing policy, select it and click the "Edit" button.
68
VPN
Move
There are 2 ways to change the order of policies:
Use the up and down indicators on the right to move the selected row. You must confirm your changes by clicking "OK". If you change your mind before clicking "OK", click "Cancel" to reverse your changes.
Click "Move" to directly specify a new location for the selected policy.
Enable/Disable Copy
Use this to toggle the On/Off state of the selected policy. If you wish to create a policy which is similar to an existing policy,
select the policy and click the "Copy" button. Remember that the new policy must have a different name, and there can
only be one active (enabled) policy for each remote VPN endpoint.
Delete Add New
Policy View Log
To delete an exiting policy, select it and click the "Delete" button. To add a new policy, click the "Add New Policy" button. See the
following section for details. Clicking the "View Log" button will open a new window and display the
VPN log.
Adding a New Policy
1. To create a new VPN Policy, click the "Add New Policy" button on the VPN Policies
screen. This will start the VPN Wizard, as shown below.
Figure 43: VPN Wizard - Start
If you prefer to use a single setup screen instead of a Wizard, click the Setup Screen button. This is recommended for experienced users only.
69
Broadband VPN Gateway User Guide
Otherwise, click Next to continue. You will see a screen like the following.
Figure 44: VPN Wizard - General
General Settings
Policy Name
Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies.
Enable Policy
Enable or disable the policy as required. For each remote VPN, only 1 policy can be enabled at any time.
Remote Endpoint Address
The Internet IP address of the remote VPN endpoint (Gateway or client).
Dynamic. Select this if the Internet IP address is unknown. In this
case, only incoming connections are possible.
Fixed. Select this if the remote endpoint has a fixed Internet IP
address.
Domain Name. Select this if the remote endpoint has a domain
name.
Keys
Select Manually assigned or IKE (Internet Key Exchange) as required. If you are setting up both endpoints, using IKE is recommended.
2. Click Next to continue. You will see a screen like the following:
70
Figure 45: VPN Wizard - Traffic Selector
VPN
For outgoing VPN connections, these settings determine which traffic will cause a VPN tunnel to be created, and which traffic will be sent through the tunnel.
For incoming VPN connections, these settings determine which systems on your local LAN will be available to the remote endpoint.
The 2 VPN endpoints MUST use different address ranges. If the addresses were in the same range, traffic intended for the remote VPN would be considered local LAN traffic. So it would not be forwarded to the Gateway.
Local IP addresses
Type
Any - no additional data is required. Any IP address is
acceptable.
For outgoing connections, this allows any PC on the LAN to use the VPN tunnel.
For incoming connections, this allows an PC using the remote endpoint to access any PC on your LAN.
Single address - enter an IP address in the "Start IP address"
field.
Range address - enter the starting IP address in the "Start IP
address" field, and the finish IP address in the "Finish IP address" field.
Subnet address - enter the desired IP address in the "Start IP
address" field, and the network mask in the "Subnet Mask" field.
The remote VPN must have these IP addresses entered as it's "Remote" addresses.
71
Broadband VPN Gateway User Guide
Remote IP addresses
Type
Single address - enter an IP address in the "Start IP address"
field.
Range address - enter the starting IP address in the "Start IP
address" field, and the finish IP address in the "Finish IP address" field.
Subnet address - enter the desired IP address in the "Start IP
address" field, and the network mask in the "Subnet Mask" field.
The remote VPN should have these IP addresses entered as it's "Local" addresses.
3. Click Next to continue. The screen you will see depends on whether you previously selected "Manual Key Exchange" or "IKE".
Manual Key Exchange
Figure 46: VPN Wizard - Manual Key Exchange
72
These settings must match the remote VPN. Note that you cannot use both AH and ESP.
Manually assigned Keys
VPN
AH Authentication
ESP Encryption
AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. (AH is often NOT used)
If AH is not enabled, the following settings can be ignored.
Keys
The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
Keys can be in ASCII or Hex (0..9 A..F)
For MD5, the keys should be 32 hex/16 ASCII characters.
For SHA-1, the keys should be 40 hex/20 ASCII characters.
SPI
Each SPI (Security Parameter Index) must be unique.
The "in" SPI here must match the "out" SPI on the remote
VPN, and the "out" SPI here must match the "in" SPI on the remote VPN.
Each SPI should be at least 3 characters.
ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication.
The "3DES" algorithm provides greater security than "DES", but is slower.
Select the key size from the drop-down list if “AES” is selected.
The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
ESP Authentication
Generally, you should enable ESP Authentication. There is little difference between the available algorithms. Just ensure each endpoint use the same setting.
The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
Keys can be in ASCII or Hex (0..9 A..F)
For MD5, the keys should be 32 hex/16 ASCII characters.
For SHA-1, the keys should be 40 hex/20 ASCII characters.
ESP SPI This is required if either ESP Encryption or ESP
Authentication is enabled.
Each SPI (Security Parameter Index) must be unique.
The "in" SPI here must match the "out" SPI on the remote
VPN, and the "out" SPI here must match the "in" SPI on the remote VPN.
Each SPI should be at least 3 characters.
73
Broadband VPN Gateway User Guide
For Manual Key Exchange, configuration is now complete.
Click "Next" to view the final screen.
On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard.
IKE Phase 1
If you selected IKE, the following screen is displayed after the Traffic Selector screen.
IKE Phase 1 (IKE SA)
Local Identity
This setting must match the "Remote Identity" on the remote VPN. IP address is the more common method.
Remote Identity
This setting must match the "Local Identity" on the remote VPN. IP address is the more common method.
Authentication
Encryption
RSA Signature requires that both VPN endpoints have valid
For Pre-shared key, enter the same key value in both endpoints.
Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower.
Figure 47: VPN Wizard - IKE Phase 1
Certificates issued by a CA (Certification Authority).
The key should be at least 8 characters (maximum is 128 characters). Note that this key is used for the IKE SA only. The keys used for the IPsec SA are automatically generated.
74
VPN
IKE Exchange Mode
Direction
IKE SA Life Time
DH Group
IKE PFS
Select the desired option, and ensure the remote VPN endpoint uses the same mode. Main Mode provides identity protection for the hosts initiating the IPSec session, but takes slightly longer to complete. Aggressive Mode provides no identity protection, but is quicker.
Select the desired option:
Initiator - Only outgoing connections will be created. Incoming
connection attempts will be rejected.
Responder - Only incoming connections will be accepted.
Outgoing traffic which would otherwise result in a connection will be ignored.
Both Directions - Both incoming and outgoing connections are
allowed.
This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such 28,800 seconds.
Select the desired method, and ensure the remote VPN endpoint uses the same method. The smaller bit size is slightly faster.
If enabled, PFS (Perfect Forward Security) enhances security by changing the IPsec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking 1 key will not assist in breaking the next key.
This setting should match the remote endpoint.
IKE Keep Alive
Enable this if you want to use this feature. Enter the value in the "Ping IP Address" fields.
Click Next to see the following IKE Phase 2 screen.
Figure 48: VPN Wizard - IKE Phase 2
75
Broadband VPN Gateway User Guide
IKE Phase 2 (IPsec SA)
IPsec SA Life Time
IPSec PFS
AH Authentication
ESP Encryption
ESP Authentication
This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such 28,800 seconds.
If enabled, PFS (Perfect Forward Security) enhances security by changing the IPsec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking 1 key will not assist in breaking the next key.
AH (Authentication Header) specifies the authentication protocol for the VPN header, if used.
AH is often NOT used. If you do enable it, ensure the algorithm selected matches the other VPN endpoint.
ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both ESP Encryption and ESP Authentication.
Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower.
Generally, you should enable ESP Authentication. There is little difference between the available algorithms. Just ensure each endpoint use the same setting.
For IKE, configuration is now complete.
Click "Next" to view the final screen.
On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard.
76
VPN

Examples

This section describes some examples of using the Broadband VPN Router in common VPN situations.
Example 1: Connecting 2 Broadband VPN Routers
In this example, 2 LANs are connected via VPN.
Figure 49: Connecting 2 Broadband VPN Routers
Note
The LANs MUST use different IP address ranges.
Both endpoints have fixed WAN (Internet) IP addresses.
Configuration Settings
Setting LAN A
Gateway
Name Policy 1 Policy 1 Name does not affect
Remote Endpoint 205.17.11.43 202.11.13.211 Other endpoint's WAN
Local IP addresses
Remote IP addresses
Key Exchange IKE IKE Must match
IKE SA Parameters
IKE Direction Both ways Both ways Does not have to match.
Local Identity IP address IP address IP address is the most
Any Any Use a more restrictive
192.168.1.1 to
192.168.1.254
LAN B Gateway
192.168.0.1 to
192.168.0.254
Notes
operation. Select a meaningful name.
(Internet) IP address.
definition if possible. Address range on other
endpoint. Use a more restrictive definition if possible.
Either endpoint can block 1 direction.
common ID method
Remote Identity IP address IP address IP address is the most
common ID method
77
Broadband VPN Gateway User Guide
IKE Authentication method
Pre-shared Key Pre-shared Key Certificates are not widely
used. Pre-shared Key Xxxxxxxxxx Xxxxxxxxxx Must match IKE Authentication
MD5 MD5 Must match
algorithm IKE Encryption DES DES Must match IKE Exchange
Main Mode Main Mode Must match
mode DH Group Group 1 (768 bit) Group 1 (768 bit) Must match IKE SA Life time 28800 28800 Does not have to match.
Shorter period will be
used. IKE PFS Disable Disable Must match
IPSec SA Parameters
IPSec SA Life time 28800 28800 Does not have to match.
Shorter period will be
used. IPSec PFS Disabled Disabled Must match AH authentication Disabled Disabled AH is rarely used ESP authentication Enable/MD5 Enable/MD5 Must match ESP encryption Enable/DES Enable/DES Must match
78
VPN
Example 2: Windows 2000/XP Client to LAN
In this example, a Windows 2000/XP client connects to the Broadband VPN Router and gains access to the local LAN.
Figure 50: Windows 2000/XP Client to Broadband VPN Router
To use 3DES encryption on Windows 2000, you need Service Pack 3 or later installed.
Broadband VPN Router Configuration
Setting Value Notes
Name Win Client Name does not affect operation. Select a
meaningful name. Remote Endpoint 172.16.9.10 Other endpoint's WAN (Internet) IP address. Local
IP addresses
Remote IP addresses
Key Exchange IKE Must match client PC
IKE SA Parameters
IKE Direction Responder Only want to accept client connections. Local Identity IP address Required. Remote Identity IP address Required IKE Authentication
method Pre-shared Key Xxxxxxxxxx Must match client PC
Subnet address:
192.168.0.0
255.255.255.0
172.16.9.10 For a single client, this is the same as the
Pre-shared Key Certificates are not widely used.
Allows access to entire LAN. Use a more
restrictive definition if possible.
endpoint.
IKE Authentication algorithm
IKE Encryption 3DES Must match client PC IKE Exchange
mode
SHA-1 Must match client PC
Aggressive Mode Must match client PC
79
Broadband VPN Gateway User Guide
DH Group Group 1 (768 bit) Must match client PC IKE SA Life time 28800 Does not have to match client PC. Shorter
period will be used. IKE PFS Disable Must match client PC
IPSec SA Parameters
IPSec SA Life time 28800 Do not have to match. Shorter period will be
used. IPSec PFS Disable Must match client PC AH authentication Disabled AH is rarely used ESP authentication Enable/MD5 Must match client PC ESP encryption Enab le/DES Must match client PC
Windows Client Configuration
1. Select Start - Programs - Administrative Tools - Local Security Policy.
2. Right click IP Security Policy on Local Machine and select Create IP Security Policy
Figure 51: Windows 2000/XP - Local Security Settings
3. Click "Next", then enter a policy name, for example "DUT To Win2K", then click "Next".
4. Step through the Wizard:
Deselect Activate the default response rule. Click "Next",
Leave Edit Properties checked. Click "Finish".
5. The following "Properties - Rules" screen will be displayed.
80
Figure 52: Windows 2000/XP - Policy Properties
Note that no rules are in use. Two 2 rules are required - incoming and outgoing.
The outgoing rule will be added first.
VPN
6. Deselect the "Use Add Wizard" checkbox, then click "Add" to view the screen below.
Figure 53: IP Filter List
7. Type "To DUT" for the name, then click "Add" to see a screen like the following.
81
Broadband VPN Gateway User Guide
Figure 54: Filter Properties: Addressing
8. Enter the Source IP address and the Destination IP address.
Since this is the outgoing filter, the Source IP address is "My IP address" and the Destination IP address is the address range used on the remote LAN.
Ensure the Mirrored option is checked.
9. Click "OK" to save your settings and close this dialog.
Figure 55: New Rule Properties: IP Filter List
10. On the resulting screen (above), ensure the "To DUT" filter is selected, then click the Filter Action tab to see a screen like the following
82
Figure 56: New Rule Properties: Filter Action
11. Select Require Security, then click the "Edit" button, to view the Require Security Properties screen.
VPN
Figure 57: Require Security Properties
12. Select Negotiate security (this selects IKE), then click "Add".
83
Broadband VPN Gateway User Guide
Figure 58: Modify Security Method
13. On the resulting screen (above), select High [ESP] then click "OK" to save your changes and return to the Require Security Properties screen.
Figure 59: Require Security Properties
14. Ensure the following settings are correct, then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.
VPN Setting Windows Setting
IKE enabled Negotiate security AH disabled AH Integrity: <None> ESP encryption: Enable/DES ESP Confidentially: DES ESP authentication: Enable/MD5 ESP Integrity: MD5
84
15. Click the Tunnel Setting tab, then select The tunnel endpoint is specified by this IP address. Enter the WAN (Internet) IP address of the Broadband VPN Router, as shown below.
VPN
Figure 60: Tunnel Setting
16. Click the Authentication Methods tab, then click the "Edit" to see the screen like the example below.
Figure 61: Authentication Method
17. Select Use this string to protect the key exchange (preshared key), then enter your preshared key in the field provided.
18. Click "OK" to save your changes and return to the Authentication Methods tab of the Edit Rule Properties screen.
85
Broadband VPN Gateway User Guide
19. Click "Close" to return to the DUT to Win2K properties screen. The "To DUT" filter should now be listed, as shown below.
Figure 62: Windows 2000/XP Client to Broadband VPN Router
20. To add the second (incoming) rule, click "Add". For the name, enter "To Win2K", then click "Add".
Figure 63: Windows 2000/XP Client to Broadband VPN Router
21. Enter the Source IP address and the Destination IP address as shown below.
Since this is the incoming filter, the Source IP address is the address range used on
the remote LAN and the Destination IP address is "My IP address".
Ensure the Mirrored option is checked.
86
Figure 64: Filter Properties: Addressing
22. Click "OK" to save your changes, then "Close".
VPN
Figure 65: Filter List
23. Ensure the "To Win2K" filter is selected, then click the Filter Action tab.
87
Broadband VPN Gateway User Guide
Figure 66: Filter Action
24. Select Require Security, then click "Edit". On the Require Security Methods screen below, select Negotiate security.
Figure 67: Security Methods
25. Click the "Add" button. On the resulting Modify Security Method screen below, select High [ESP].
88
Figure 68: Modify Security Method
26. Click "OK" to save your changes, then click "OK" again to return to th e Filter Action screen.
27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address o f this PC (172.10..9.10 in this example).
VPN
Figure 69: Tunnel Setting
28. Select the Authentication Methods tab, and click the "Edit" button to see the screen below.
89
Broadband VPN Gateway User Guide
Figure 70: Authentication Method
29. Select Use this string to protect the key exchange (preshared key), then enter your preshared key in the field provided.
30. Click "OK" to save your settings, then "Close" to return to the DUT to Win2K Properties screen. There should now be 2 IP Filers listed, as shown below.
31. Select the General tab.
Figure 71: DUT to Win2K Properties
90
Figure 72: Properties - General Tab
32. Click the "Advanced" button to see the screen below.
VPN
Figure 73: Key Exchange Settings
33. Click the "Methods" button to see the screen below.
91
Broadband VPN Gateway User Guide
Figure 74: Key Exchange Security Methods
34. Select the first entry, and click the "Edit" button to see the following screen.
Figure 75: IKE Security Algorithms
35. Select "SHA1" for Integrity Algorithm, "3DES" for Encryption algorithm, and "Low(1)" for the Diffie-Hellman Group.
36. Click "OK" to save, then "OK" again, and then "Close" to return to the Local Security Settings screen.
37. Right click the DUT to Win2K Policy and select "Assign" to make your policy active.
Figure 76: Windows 2000/XP Client to Broadband VPN Router
Configuration is now complete.
92
Example 3: Windows 2000 Server to VPN Gateway
In this example, a Windows 2000 Server connects to the Broadband VPN Router. Users on each LAN can then gain access to the remote LAN.
Figure 77: Broadband VPN Router to Windows 2000 Server
Broadband VPN Router Configuration
This is the same as for the client setup earlier, with the exception of the IP address range for the remote endpoint.
Setting Single Client Server/Gateway
VPN
Remote IP addresses
172.16.9.10 For a single client, this is the
same as the Gateway address
Subnet address:
11.5.0.0
255.255.0.0 Address range used on the remote LAN.
93
Broadband VPN Gateway User Guide
Windows 2000 Server Configuration
Configuration is the same as for Example 2: Windows 2000/XP Client to except for specifying the Source and Destination addresses for the "Filter Properties". Instead, for both IP Filters, the Filter Properties- Addressing should be completed as follows.
Figure 78: Windows 2000 Server - Addressing
The Source Address should be set to "A specific IP Subnet", and the IP address and Subnet mask set to the address range used on the Broadband VPN Router's LAN.
The Destination Address should be set to "A specific IP Subnet", and the IP address and Subnet mask set to the address range used on the Windows 2000 LAN.
94

Using Certificates

Certificates are used to authenticate users. Certificates are issued to you by various CAs (Certification Authorities). These Certificates are called "Self Certificates".
Each CA also issues a certificate to itself. This Certificate is required in order to validate communication with the CA. These certificates are called "Trusted Certificates."
The Certificates screen lists both the Trusted Certificate - the certificates of each CA itself ­and Self Certificates - the certificates issued to you.
VPN
Trusted Certificates
Subject Name (CA)
Issuer Name Expiry Time
Delete button
Self Certificates
Name
Subject Name Issuer Name Expiry Time
Figure 79: Certificates Screen
The "Subject Name" is always the company or person to whom the Certificate is issued. For trusted certificates, this will be a CA.
The CA (Certification Authority) which issued the Certificate. The date on which the Certificate expires. You should renew the
Certificate before it expires. Use this button to delete a Trusted Certificate. Select the checkbox in
the Delete column for any Certificates you wish to delete, then click the "Delete" button.
The name you assigned to this Certificate. You should select a name which helps to identify this particular certificate.
The company or person to whom the Certificate is issued. The CA (Certification Authority) which issued the Certificate. The date on which the Certificate expires. You should renew the
Certificate before it expires.
Delete button
Use this button to delete a Self Certificate. Select the checkbox in the Delete column for any Certificates you wish to delete, then click the "Delete" button.
95
Broadband VPN Gateway User Guide
Adding a Trusted Certificate
1. After obtaining a new Certificate from the CA, you need to upload it to the Broadband VPN Router.
2. On the "Certificates" screen, click the "Add Trusted Certificate" button to view the Add Trusted Certificate screen, shown below.
Figure 80: Add Trusted Certificate
3. Click the "Browse" button, and locate the certificate file on your PC
4. Select the file. The name will appear in the "Certificate File" field.
5. Click "Upload" to upload the certificate file to the Broadband VPN Router.
6. Click "Back" to return to the Trusted Certificate list. The new Certificate will appear in the list.
Adding a Self Certificate
This process is different to obtaining a Trusted Certificate. The Broadband VPN Router must generate a request for the CA. You cannot request a Certificate directly. The correct procedure is as follows:
1. On the "Certificates" screen, click the "Add Self Certificate" button to view the first screen of the Add Self Certificate procedure, shown below.
Figure 81: Add Self Certificate (1)
2. Complete this screen.
Name
Enter a name which helps to identify this particular certificate. This name is only for your reference.
96
VPN
Subject Name
This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field.
Hash Algorithm Signature Algorithm Signature Key Length
Select the desired option. Select the desired option. RSA is recommended. Select the desired option. Normally, 1024 bits provides
adequate security.
3. Click "Next" to continue to the following screen.
Figure 82: Add Self Certificate (2)
4. Check that the data displayed in the Certificate Details section is correct. This data is used to generate the Certificate request. If the data is not correct, click the "Back" button an d correct the previous screen.
5. If the data is correct, copy the text in the Data to supply to CA panel to the clipboard.
6. Apply for a Certificate:
Connect to the CA's web site.
Start the Self Certificate request procedure.
When prompted for the request data, copy this data (including "-----BEGIN
CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----") from this screen to the CA's form.
Submit the CA's form.
If there are no problems, the Certificate will then be issued.
7. Click "Finished" to return to the Certificate list. The new Certificate will appear in the list.
97
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use