Charles 3641-80, 3648-80 User Manual

Download

Telecommunications Group

3641-80 / 3648-80 Ethernet Routers

Guide and Web Users Manual

Section 364-180-N02 Equipment Issue 1 1st Printing, April, 2006

Section 364-180-N02

Contents

1. About This Manual ..................................................................................................................1

1.1. Revision History........................................................................................................................ 1

1.2. Document Organization.............................................................................................................1

1.3. Glossary of Terms and Acronyms .............................................................................................1

2. General Overview....................................................................................................................3

3. Specifications...........................................................................................................................5

4. Applications.............................................................................................................................7

5. Installation................................................................................................................................9

5.1. Preparing Before Installation..................................................................................................... 9

5.2. Installation Procedures.............................................................................................................. 9

6. Web Configuration Tool.........................................................................................................11

6.1. About the Web Configuration.................................................................................................. 11

6.2. Factory Default Settings.......................................................................................................... 11

6.3. TCP/IP Configuration..............................................................................................................12

6.4. Login to Web Configuration Tool............................................................................................ 17

6.5. Status Menu.............................................................................................................................19

6.6. System Menu...........................................................................................................................22

Error Log......................................................................................................................22

Upgrade 23 Restart 25

6.7. Configuration Menu................................................................................................................26

Save config...................................................................................................................27

Authentication..............................................................................................................29

LAN Connections ........................................................................................................33

WAN Connections .......................................................................................................36

IP routes 52

DHCP Server................................................................................................................54

DNS Client...................................................................................................................61

Section 364-180-N02

DNS Relay...................................................................................................................63

Security 66

VPN Configuration......................................................................................................88

SNTP client................................................................................................................105

Syslog 109 SNMP 110 Port 115

7. CLI Configuration Tool .......................................................................................................117

7.1. Help Text for Using the CLI Commands............................................................................... 118

7.2. Download/Upload Configuration File................................................................................... 119

7.3. Using the source CLI commands.......................................................................................... 122

7.4. CLI Application Examples .................................................................................................... 124

Note: After loading the scripts, save the configuration and restart the routerFrame

Relay - bridged...........................................................................................................124

Frame Relay - routed .................................................................................................127

PPP - bridged .............................................................................................................129

PPP - routed ...............................................................................................................132

7.5. CLI Commands Group..........................................................................................................135

7.6. List of CLI Commands..........................................................................................................136

Appendix: System Limit..............................................................................................................152

Section 364-180-N02

List of Figures

Figure 4-1 Router card point to point application.................................................................................... 7

Figure 4-2 Router card frame relay application....................................................................................... 7

Figure 4-3 Router card VPN application ................................................................................................. 8

Figure 4-4 Router card dual gateway application....................................................................................8

Figure 6-1 Login Web Configuration Tool............................................................................................. 17

Figure 6-2 Web Tool - Welcome page....................................................................................................18

Figure 6-3 Web Tool – Status page ........................................................................................................ 20

Figure 6-4 Web Tool – Error Log page..................................................................................................22

Figure 6-5 Web Tool – Firmware Upgrade page .................................................................................... 23

Figure 6-6 Web Tool – Firmware Upgrade Complete page ................................................................... 24

Figure 6-7 Web Tool – Reset Router page ............................................................................................. 25

Figure 6-8 Web Tool – Save configuration Confirm page ..................................................................... 27

Figure 6-9 Web Tool – Save configuration completed page.................................................................. 28

Figure 6-10 Web Tool – Authentication page........................................................................................ 29

Figure 6-11 Web Tool – Authentication: edit user details page .............................................................30

Figure 6-12 Web Tool – Authentication: create user page..................................................................... 31

Figure 6-13 Web Tool – Authentication: Currently Defined Users page............................................... 32

Figure 6-14 Web Tool – LAN connection page ..................................................................................... 33

Figure 6-15 Web Tool – WAN connections page................................................................................... 36

Figure 6-16 Web Tool – WAN connection: create service page ............................................................ 36

Figure 6-17 Web Tool - WAN connection: Frame Relay routed page ...................................................38

Figure 6-18 Web Tool – WAN connection: frame relay routed: Edit Service page............................... 39

Figure 6-19 Web Tool – WAN connection: Edit Frame Relay channel page.........................................40

Figure 6-20 Web Tool – WAN connection: Edit IP Interface page........................................................41

Figure 6-21 Web Tool – WAN connection: Edit Rip Versions page ...................................................... 42

Figure 6-22 Web Tool – WAN connection: Frame Relay bridged page................................................. 43

Figure 6-23 Web Tool – WAN connections page................................................................................... 44

iii

Section 364-180-N02

Figure 6-24 Web Tool – WAN connection: PPP routed page.................................................................46

Figure 6-25 Web Tool – WAN connections page................................................................................... 47

Figure 6-26 Web Tool – WAN connection: PPP bridged page...............................................................50

Figure 6-27 Web Tool – WAN connections page................................................................................... 51

Figure 6-28 Web Tool – WAN connection: delete ‘Frame Relay routed’ page...................................... 52

Figure 6-29 Web Tool – IP routes: Create Ip V4Route page..................................................................53

Figure 6-30 Web Tool – IP routes: Edit Routes page.............................................................................53

Figure 6-31 Web Tool – DHCP server page........................................................................................... 54

Figure 6-32 Web Tool – DHCP: enable server page..............................................................................56

Figure 6-33 Web Tool – DHCP: enable relay agent page ...................................................................... 59

Figure 6-34 Web Tool – DHCP server: DHCP relay enabled page........................................................60

Figure 6-35 Web Tool – DNS Client page ............................................................................................. 61

Figure 6-36 Web Tool – DNS Client page ............................................................................................. 62

Figure 6-37 Web Tool – DNS relay page............................................................................................... 63

Figure 6-38 Web Tool – DNS: enable relay page .................................................................................. 64

Figure 6-39 Web Tool – DNS relay enabled page.................................................................................. 65

Figure 6-40 Web Tool – Security page................................................................................................... 66

Figure 6-41 Web Tool – Security: Security Interfaces page ..................................................................67

Figure 6-42 Web Tool – Security: Security Interfaces page ..................................................................68

Figure 6-43 Web Tool – Security: Advanced NAT Configuration page ................................................ 69

Figure 6-44 Web Tool – Security: Firewall Add Global Address Pool page..........................................69

Figure 6-45 Web Tool – Security: Advanced NAT Configuration page ................................................ 70

Figure 6-46 Web Tool – Security: Firewall Delete Global Address Pool page......................................71

Figure 6-47 Web Tool – Security: Security Interfaces page ..................................................................72

Figure 6-48 Web Tool – Security: Add Reserved Mappings page......................................................... 72

Figure 6-49 Web Tool – Security: Firewall Add Reserved Mapping page ............................................ 73

Figure 6-50 Web Tool - Security: Reserved Mappings page ................................................................. 74

Figure 6-51 Web Tool – Security: Firewall D elete Reserved Mappings page....................................... 74

Figure 6-52 Web Tool – Security: Firewall Policy Configuration page................................................. 75

Section 364-180-N02

Figure 6-53 Web Tool – Security: Firewall Add TCP Port Filter page ..................................................76

Figure 6-54 Web Tool – Security: Firewall Add Raw IP Filter page..................................................... 77

Figure 6-55 Web Tool – Security: Firewall Add Trigger page............................................................... 81

Figure 6-56 Web Tool – Security: Firewall Configuration Intrusion Detection page............................ 84

Figure 6-57 Web Tool – Security: Alerting Configuration for Intrusion page.......................................86

Figure 6-58 Web Tool – IPSec Configuration page ............................................................................... 93

Figure 6-59 Web Tool – IPSec: Create New IPSec Endpoint page........................................................ 94

Figure 6-60 Web Tool – IPSec: User Certificates page.......................................................................... 98

Figure 6-61 Web Tool – IPSec: Generate Certificate Request page ...................................................... 99

Figure 6-62 Web Tool – IPSec: Add new CA certificate page.............................................................100

Figure 6-63 Web Tool – PPTP Configuration page..............................................................................102

Figure 6-64 Web Tool – PPTP: Authentication: create user page........................................................ 102

Figure 6-65 Web Tool – SNTP client page ..........................................................................................105

Figure 6-66 Web Tool – SNTP client: SNTP Synchronization Mode page......................................... 105

Figure 6-67 Web Tool – SNTP client: Enter Unicast Server IP Address page..................................... 107

Figure 6-68 Web Tool – SNTP client: SNTP Client General Configuration Parameters page............108

Figure 6-69 Web Tool – SNTP client: ISOS Clock Setting page.........................................................109

Figure 6-70 Web Tool – Syslog Client Configuration page................................................................. 109

Figure 6-71 Web Tool – Snmp page..................................................................................................... 111

Figure 6-72 Web Tool – Snmp: select Action page.............................................................................. 112

Figure 6-73 Web Tool – Snmp: Snmp Show Community page........................................................... 112

Figure 6-74 Web Tool – Snmp: Snmp Add Community page ............................................................. 113

Figure 6-75 Web Tool – Snmp: Snmp Add Host page......................................................................... 113

Figure 6-76 Web Tool – Snmp: Snmp Add Trap page ......................................................................... 114

Figure 6-77 Web Tool – Snmp: Snmp Show Host page....................................................................... 114

Figure 6-78 Web Tool – Snmp: Snmp Show Trap page....................................................................... 114

Figure 6-79 Web Tool – Ports: Ethernet Port Configuration page....................................................... 115

Figure 6-80 Web Tool – Ports: Advanced Ethernet Port Configuration page...................................... 116

Figure 7-1 Login CLI Configuration Tool........................................................................................... 117

Section 364-180-N02

List of Tables

Table 1-1 Revision history table ..............................................................................................................1

Table 1-2 Glossary of terms and acronyms.............................................................................................. 1

Table 3-1 Router card specifications........................................................................................................5

Table 6-1 Default user name and password ...........................................................................................29

Table 6-2 User access levels .................................................................................................................. 31

Table 6-3 Syslog severity levels........................................................................................................... 110

Table 7-1 Default names of different Interface/Transport/Port............................................................124

Table 7-2 List of CLI commands ......................................................................................................... 136

vii

Issue 1.0, April 2006 Section 364-180-N02

1. About This Manual

1.1. Revision History

Table 1-1 Revision history table

Revision Date Description

Issue 1.0 April, 2006 Initial release

1.2. Document Organization

About This Manual, Chapter 1, introduces you to the document. General Overview, Chapter 2, provides overview and features of the router card. Specification, Chapter 3, provides the technical specifications. Applications, Chapter 4, introduces some application examples. Installation, Chapter 5, provides the installation procedures. Controls and Indicators, Chapter 6, provides the descriptions of controls and LED activity. Web Configuration Tool, Chapter 7, provides the details of the web configuration. CLI Configuration Tool, Chapter 8, introduces the CLI configuration and provides some setting

examples.

1.3. Glossary of Terms and Acronyms

Table 1-2 Glossary of terms and acronyms

Abbreviations Description

CHAP Challenge-Handshake Authentication Protocol CLI Command Line Interface DCE Data Communication Equipment DHCP Dynamic Host Configuration Protocol DTE Data Terminal Equipment DNS Domain Name System IGMP Internet Group Management Protocol IP Internet Protocol IPSec IP Security Protocol LAN Local Area Network

Issue 1.0, April 2006 Section 364-180-N02

L2TP Layer Two Tunneling Protocol NAT Network Address Translation PAP Password Authentication Procedure PPP Point to Point Protocol PPPoH PPP over High-Level Data Link Control PPTP Point to Point Tunneling Protocol PVC Permanent Virtual Circuit RIP Routing Information Protocol SNTP Simple Network Time Protocol SNMP Simple Network Management Protocol VPN Virtual Private Networking WAN Wide Area Network

Issue 1.0, April 2006 Section 364-180-N02

2. General Overview

This document supports both the 3641-80 Single Port router and the 3648-80 router which includes an 8 port Ethernet switch. The router cards are Ethernet IP routers, which mounts in a full size card slot. The only difference between the 3641-80 and 3648-80 is that the 3648-80 has an unmanaged Ethernet switch to eliminate the need for an external switch. Therefore the routers will be referred to as ‘the router’. The router includes an Ethernet interface to provide data services from the T1/E1 interface. The router can act as a frame relay router, frame relay bridge, firewall, VPN gateway, or IP sharing.

For purposes of understanding, the Ethernet port represents the LAN side of the router and the T1/E1 represents the WAN side of the router.

The router card provides three primary services:

1. Provides a standard T1/E1 gateway function between the customer Ethernet interface and

the WAN data service channel on the T1/E1 interface.

2. Provides the possibility for including voice and data over the same T1/E1 line.

3. Provides a flexible programmable data rate 56/64K x N bps where N = 1…24 for T1, 1…30

for E1 (i.e. 56K ~ 1.536M bps for T1, 56K ~ 1.92M bps for E1).

Equipment Features

 Provide one Ethernet port with 10/100 BaseT auto sensing (3641-80)  Provide Eight Ethernet ports with 10/100 BaseT auto sensing and auto crossover cable

sensing (3648-80 only)

 Provide one female RS-232 DCE console port (also referred to as a craft port) for set up

and management

 Provide management via CLI (by console port or Telnet) and web browser  Support SNMP V1/V2c management (maximum 10 SNMP managers and trap recipients

are allowed at any one time when using the router Ethernet port)

 Support RIP V1 and V2  Support NAT and NAPT

Issue 1.0, April 2006 Section 364-180-N02

 Support DHCP Server / Relay Agent / Client mode  Support DNS Client / Relay mode  Support Frame Relay WAN layer 2 protocol  Support PAP and CHAP  Support all three types of VPN --- IPSec, PPTP, and L2TP  Simple firmware update via web-based GUI interface

NOTE: There are certain features that are only accessible through the Web Configuration To ol:

1. Digital signature certificates of IPSec

2. Remote upgrade firmware (by browser http-upload.tar file)

3. Errorlog

There are certain features that are only accessible through the CLI Configuration Tool:

1. Webserver configuration

2. DHCP client parameters configuration (such as reboot time, retry time, backoff time, etc.)

3. Upload/download the configuration file to/from system/PC

4. Local upgrade firmware (via tftp/bootp protocol)

5. Set rip host route and set rip poison

Issue 1.0, April 2006 Section 364-180-N02

3. Specifications

Table 3-1 Router card specifications

Parameter Specification

Dimension: Height Width Depth

1.9 cm

24.45 cm

23.49 cm

Weight

300 g

Operating Environment

(in service) -40℃ ~ +65℃ < 95﹪RH

Power:

Console port

Less than 1 amp.

DC input voltage range of – 42V to 56V

Standard DB-9 connector, DCE configured with baud rate 9600, 8 bits of data, no parity, and 1 stop bit

Ethernet port RJ-45 connector with IEEE 802.3 compatible,

10/100BaseT auto sensing (both 3641-80 and 3648-80), and auto crossover cable sensing (3648-80 only)

WAN side data rate: 56K to 1.536 M b/s

IP Protocol Su pp ort:

TCP

UDP

ICMP

Meet the requirements of RFC 793 Meet the requirements of RFC 768 Meet the requirements of RFC 792/STD 0005 updated with RFC 950/STD 0005.

Issue 1.0, April 2006 Section 364-180-N02

RIP V1 and V2

Meet the requirements of RFC 10 58 and RFC 2453.

IGMP

Static routing

CIDR

ARP

DHCP

PPP Support:

IPCP BCP

Meet the requirements of RFC 2236 . Supports IGMP Proxy as described in [draft-ietf-idmr-igmp-proxy-03] “IGMP-based Multicast Forwarding (IGMP Proxying)”, W. Fenner, July 2000. Meet the requirements of RFC 34 42 and the current practice defined in RFC 3180/BGP 0053. Meet the Best Current Practice defined in RFC 3180/BGP 0053 and the requirements defined in RFC 1517, RFC 1518 and RFC 1519. Meet the requirements of RFC 826/STD 0037. Meet the requirements of RFC 3022 and 3235.

Meet the PPP IPCP RFC 1332. Meet the requirements of IEEE 802.1D MAC

Bridging and RFC 1638. LCP L2TP PPTP

Meet the requirements of RFC 1570 .

Meet the requirements of RFC 3070 and 3438.

Meet the requirements of RFC 1661/STD0051.

Frame Relay:

Security Support: PAP and CHAP

The system serves as end stations (DTEs) on a

public or private Frame Relay network.

Meet the requirements of RFC 2427/STD 0055.

Meet the current practice defined in RFC1334 for

PAP and RFC 1994 for CHAP.

Issue 1.0, April 2006 Section 364-180-N02

4. Applications

The router card can act as a frame relay router, frame relay bridge, firewall, VPN gateway, or IP sharing. The following figures are application examples.

Point-to-Point application

Figure 4-1 is for either router or bridge applications.

TDM V oi ce

PB X

10/ 100BaseT 10/ 100BaseT

LAN

ICB 360

Figure 4-1 Router card point to point application

Frame Relay application

10/ 100BaseT

I CB 360

LAN

Figure 4-2 Router card frame relay application

VPN application

T1/E1

Point-to-Point

Fr ame Rel ay

T1/E1

ICB 360

I CB 360

TDM Voi ce

PB X

LAN

10/ 100BaseT

LAN

Main Office

FTP

Ser v e r

Swi t c h / H u b

Web

Ser v e r

The availability of features and technical specifications herein subject to change without notice.

10/ 100BaseT

ICB 360

T1/E1

Internet

ICB 360

Di al- up

Connect i on

Remote Si te

Br oadband

Modem

Swi t c h/ H u b

Laptop

Mobi le User

Laptop

Office

Ser v e r

Issue 1.0, April 2006 Section 364-180-N02

Figure 4-3 Router card VPN application

Dual Gateway application

LAN

10/100B aseT

I CB 360

Fr ame R el ay

Seco nd ar y

T1/E1

Pr i m ar y

T1/E1

Fr ame Rel ay

T1/E1

Figure 4-4 Router card dual gateway application

I CB 360

10/100B aseT

LAN

The availability of features and technical specifications herein subject to change without notice.

Issue 1.0, April 2006 Section 364-180-N02

5. Installation

5.1. Preparing Before Installation

The major functions of the Router Card are performed by the Ethernet network interface. Your computer must have an Ethernet Network Interface Card (NIC) installed and set up with the TCP/IP protocol before beginning to use the router. The router also provides a serial console port for monitoring and configuring the router via the built-in command line interface.

You will need to know the Internet Protocol supported by your T1/E1 provider to successfully connect to the Internet. For future troubleshooting or reinstallation, it is important that you retain these details.

Before beginning the hardware installation, please gather the following materials for the setup.  At least one computer running a supported *operating system, with an Ethernet Network

Interface Card (NIC) installed (or more computers if you use an external hub).

 TCP/IP protocol installed for each NIC.  Ethernet straight connect cable (one for each computer you will be connecting)  RS-232 serial cable (Optional)

* The router Web Configuration tool supports browsers that operate under Windows 95, 98, 2000, XP and Unix system. Configuration can also be done via telnet, ftp or through an RS-232 RTR MGMT port.

5.2. Installation Procedures

To install the router card, follow the procedure in the router practice (LT364-180-202) or the router installation guide (LT364-180-802).

Issue 1.0, April 2006 Section 364-180-N02

6. Web Configuration Tool

6.1. About the Web Configuration

The Web Configuration tool provides a series of web pages that you can use to setup and configure your Router card. There are three main menus. You can select each of the following menus from the left frame of the main window:

 Status Menu: Information about the current setup and status of the system and system hardware and options..

 System Menu: Information about the error log, upgrading the firmware and restarting the system.

 Configuration Menu: Information about the current configuration of various system features with options to change the configuration.

NOTE: There are certain features that are only accessible through the Web Configuration Tool:

1. Digital signature certificates of IPSec

2. Remote upgrade firmware (by browser http-upload.tar file)

3. Errorlog

6.2. Factory Default Settings

If your required configuration exactly matches the settings below, the router will work for you as pre-configured. After completing the installation, assigning your static IP address to your computer’s TCP/IP settings, you should be able to make a connection to the Internet.

LAN Port: IP Address: 192.168.0.1 Subnet Mask: 255.255.255.0

DHCP Server: Disabled Loopback: IP Address: 127.0.0.1

Issue 1.0, April 2006 Section 364-180-N02

6.3. TCP/IP Configuration

In order to access the router’s Web GUI to begin your configuration, you must have the TCP/IP protocol installed and configured properly in your computer’s network interface card. Your computer’s TCP/IP settings must allow your computer to obtain an IP address automatically.

To connect to the Internet or configure the router via Ethernet, the TCP/IP protocol must be installed and configured correctly. Follow the steps below to determine if you have TCP/IP installed and configured correctly for Windows 95/98.

Step 1 - Check if TCP/IP is installed

1. From your computer’s desktop, double-click

on My Computer, then Control Panel, and then double-click the Network icon.

2. In the “Network” window, choose the

Configuration tab. Check that TCP/IP is installed and setup for the Ethernet NIC that is installed in your computer. If you see, for example, TCP/IP->Intel 21140 based 10/ 100mbps Ethernet Controller, that means that TCP/IP has been installed.

• If TCP/IP has not been installed for your NIC, proceed to Step 2 as below.

OR –

Issue 1.0, April 2006 Section 364-180-N02

• If TCP/IP has been installed for your NIC, continue with Step 3 - Setup TCP/IP section.

Issue 1.0, April 2006 Section 364-180-N02

Step 2 - Install TCP/IP, if necessary

Install TCP/IP now if it is not previously installed. You may need the Windows Installation CD-ROM.

1. Still in the “Network” window, click the Add

button. The “Select Network Component Type” window will appear. Select Protocol by clicking on it once. Then click Add.

3. Confirm that the TCP/IP protocol has

been correctly set up with your Ethernet. Click OK.

2. The “Select Network Protocol” window will

appear. Choose Microsoft in the “Manufacturers” panel and then TCP/IP in the “Network Protocols” panel. Click OK.

Issue 1.0, April 2006 Section 364-180-N02

Step 3 - Setup TCP/IP

1. In the “Network” window, choose the

Configuration tab. Then double-click the

TCP/IP component for your Ethernet NIC (for example, TCP/IP->Intel 21140 based 10/100mbps Ethernet Controller).

2. In the “TCP/IP Properties” window,

click the Gateway tab. Remove any installed Gateways by selecting them and clicking the Remove button.

Issue 1.0, April 2006 Section 364-180-N02

3. Click the DNS Configuration tab, and then click the Disable DNS button.

NOTE: If you disable the routers DHCP functions, you will be unable to access the router with the setting shown in step 4. You will need to choose the Specify an IP address option in step 4 and then manuall enter an IP address which is on the same subnet as the router and the Subnet Mask. For instance, assuming the router’s default IP address is

192.168.0.1, an IP address on the same subnet would be 192.168.0.2 o

4. Click the IP Address tab. Choose

Obtain an IP address automatically and click OK.

192.168.0.13 .

5. The “System Settings Change” window appears. Click Yes to reboot your system.

Issue 1.0, April 2006 Section 364-180-N02

6.4. Login to Web Configuration Tool

1. Be sure you have configured your computer’s TCP/IP settings as described in the section 6.3.

2. Launch a compatible Internet Browser. In your Browser window, type the default IP address of the router, 192.168.0.1 into the URL bar and click GO or hit the Enter key.

3. You will be prompted to enter a User Name and Password. The default User Name and

Password are:

User Name: admin Password: admin

Figure 6-1 Login Web Configuration Tool

1. After logging into your router, the “Welcome!” page will appear on the screen.

Issue 1.0, April 2006 Section 364-180-N02

Figure 6-2 Web Tool - Welcome page

Issue 1.0, April 2006 Section 364-180-N02

6.5. Status Menu

Login the Web Configuration GUI as described in the previous section. Click the Status link from the left frame, then a “Status” page will appear as below.

Issue 1.0, April 2006 Section 364-180-N02

Figure 6-3 Web Tool – Status page

Issue 1.0, April 2006 Section 364-180-N02

The Status Menu contains information about the current configuration of your router. It contains two sections: Status and Advanced Diagnostics.

The Status section displays:

• WAN IP Address: Current WAN IP address of your router card.

• Local IP Address: Current local IP address of your router card.

The Advanced Diagnostics section displays:

• Port Connection Status: This section displays the type and connection status of ports.

Refer to Table 7-1 for the names of the ports.

• WAN Status: This section displays information about your WAN configuration. It also

provides two hyperlinks: (1) IP Address Settings -- allows you to create, modify or delete your WAN Configuration, (2) DNS Client Settings -- allows you to create, modify or delete your DNS Client configuration.

• LAN Status: This section displays information about your Local Area Network settings. It

also provides a DHCP Server Settings hyperlink that allows you to configure your DHCP server status.

• Software Status: This section displays information about your software version. It provides

a Set Time hyperlink that allows you to set the system time.

• Defined Interfaces: This section lists frame relay (or ppp) and Ethernet interfaces that have

been defined. Each interface listed has a Show Statistics hyperlink that will display more detailed information about the IP interface, physical port, frame relay, or ppp connection.

• Routing Table: This section displays the current routing table.

Issue 1.0, April 2006 Section 364-180-N02

6.6. System Menu

The System menu contains options that describe the system and allow low-level changes to be made. Login the web configuration GUI (refer to the section 6.1). Click the System link from the left frame, and then the following sub-headings will be shown on the left frame.

• Error Log: This page display information about recent configuration errors.

• Upgrade: This page allows you to upgrade your firmware to your router.

WARNING: Do not upgrade firmware unless you have been specifically instructed to do so. It is unnecessary to upgrade the firm ware if y our device is working properly. To do so may cause malfunction to your device.

• Restart: This page allows you to restart your router. It has the same effect as resetting your

router by pressing the front panel RESET button.

Error Log

The Error Log displays any recent configuration errors.

To access the Error Log, simply login to your router. From the left frame, click System, and then from the submenu, click Error Log. Then the following page will appear.

Figure 6-4 Web Tool – Error Log page

Issue 1.0, April 2006 Section 364-180-N02

Upgrade

The remote upgrade firmware can only be accessible through the Web Configuration Tool.

The “Firmware Upgrade” page allows you to upgrade the firmware version of your router. You will need to download the new firmware file (the file name is http-upload.tar and you don’t have to uncompress the file) to your computer in order to upgrade successfully.

The router will preserve your installed configuration during a firmware upgrade and reinstall it once the firmware upgrade is complete. In other words, if you have saved a configuration in the router, you will not need to re-configure the router after upgrading the firmware.

1. Log in to your router. From the left frame, click System and then Upgrade. The “Firmware

Upgrade” page will appear. In the “Select Upgrade File” section, enter the path to your new firmware file, or click the Browse button and browse to it. When you have found the file, click the Upgrade button.

Figure 6-5 Web Tool – Firmware Upgrade page

2. The “Firmware Upgrade” page will refresh and begin installing the new firmware file. It will

show a progress bar, indicating how much data has been installed.

Issue 1.0, April 2006 Section 364-180-N02

3. Once the firmware upgrade is complete, the “Firmware Upgrade” page will refresh and

indicate a successful upgrade. You will need to restart in order for the upgrade to take effect. Click the Restart button.

Figure 6-6 Web Tool – Firmware Upgrade Complete page

4. After the router card is restarted, it will receive the clock speed change message “Change

wan port's clock speed require save and restart” from the primary T1/E1 card (but you won’t

see the message on the web browser). You have to re-login the web browser, save the configuration (refer to 0) and restart (refer to 0) the router card again.

Warning: Do not disturb or power off the router during the upgrade process. Doing so may corrupt the firmware. Users must be patient to wait the result screen appear when they are doing the firmware upgrade and save configuration. If users interrupt the process arbitrarily, system could not run normally, and users have to re-upgrade again.

Issue 1.0, April 2006 Section 364-180-N02

Restart

This page allows you to restart your router. Be sure that you have saved your configuration before restarting to preserve your modifications. Restarting the router will restore the last configuration ‘saved’.

1. Log in to your router. From the left frame, click System and then Restart. The “Restart

Router” page will appear. In the “Restart” section, click the Restart button.

Figure 6-7 Web Tool – Reset Router page

Warning: when you first time login to the W eb browser or first time re-login to the Web browser after the router card is rest arted, you have to wait for sev eral seconds. During the waiting time, don’t restart the router card or pull out the card from the slot. Otherwise, you’ll have to reload the firmware into the router card.

Issue 1.0, April 2006 Section 364-180-N02

6.7. Configuration Menu

The Configuration menu contains options for configuring features on the router including basic LAN and WAN connections, DHCP and DNS settings, and VPN settings. There are sixteen sub-headings on the left frame in the configuration menu.

• Save config: Allows you to save your current configuration to Flash memory.

• Authentication: Allows you to create, edit and delete user accounts for the web configuration

tool.

• LAN connections: Allows you to edit the LAN port IP address, create and edit a secondary

IP address, and modify the RIP options.

• WAN connections: Allows you to create, edit, and delete WAN services.

• IP routes: Allows you to create, edit, and delete IP routers.

• DHCP server:

Allows you to enable, disable and configure your DHCP server.

• DNS client: Allows you to enable, disable and configure your DNS client.

• DNS relay: Allows you to enable, disable and configure your DNS relay.

• Security: Allows you to configure Security, Firewall, NAT, and Intrusion Detection.

• IPSec: Allows you to configure gateway setting, endpoint, and certificate status.

• PPTP: Allows you to configure PPTP IP pool and set users.

• L2TP: Allows you to configure L2TP IP pool and set users.

• SNTP client: Allows you to set time zone, synchronization time from unicast server,

and set the system clock.

• Syslog: Allows you to configure minimum severity threshold.

• SNMP: Allows you to configure read and write community, IP address, and subnet mask.

• Ports: Allows you to configure the Ethernet port available on your router.

For more information, see the following detailed descriptions for each sub-heading.

Issue 1.0, April 2006 Section 364-180-N02

Save config

After configuring or modifying the configuration of your router, and before powering it off or rebooting it, you must save your configuration to the internal flash memory. Should you power off or reboot the router without saving, you will lose the settings previously configured. Be sure to save after making any change to your configuration.

1. Once you have completed configuring your router, click Configuration and then click Save config from the left frame. The “Save configuration” page will appear. You will be asked to

confirm that you are ready to save. Click the Save button. Do not disturb the router while it is writing to the Flash memory, as doing so may corrupt the firmware. Do not turn the power off or disturb the router until the confirmation message has been displayed.

Figure 6-8 Web Tool – Save configuration Confirm page

Issue 1.0, April 2006 Section 364-180-N02

2. The “Save configuration” page will reload stating that it has saved the configuration.

Figure 6-9 Web Tool – Save configuration completed page

Warning: Users must be patient to wait the result screen appear when they are doing the firmware upgrade and save configuration. If users interrupt the process arbitrarily, system will not run normally.

Issue 1.0, April 2006 Section 364-180-N02

Authentication

The User Management section allows you to control the access levels of your defined users. The default user name and password for the router is:

Table 6-1 Default user name and password

User name Password

admin admin

firewall firewall

user user

 To Edit a User, Change the Password , or Delete a User

1. Login to your router. From the left frame, click Configuration and then Authentication from the submenu. The “Authentication” page will appear and show the currently defined users. Click the Edit user link on the right side of the user which you would like to edit or delete.

Figure 6-10 Web Tool – Authentication page

Issue 1.0, April 2006 Section 364-180-N02

2. The “Authentication: Edit User ‘username’ ” page will appear. To delete this user, simply click the Delete this user button near the bottom of the screen. Or you may edit the settings of your choice for the user. You may enter a new password in the password field, which is recommended for the admin user. Then enter the description about the user, and select the access level using the “Access Level” menu.

Figure 6-11 Web Tool – Authentication: edit user details page

• Username: the user that you are editing (not editable)

• Password: This field contains the default password, which matches the username (see

Table 6-1). You may edit this field to be the password of your choice.

• GUI user?: Enable or disable GUI users access the router.

• Dial-in user?: Enable or disable ppp dial-in users access the router.

• pppLogin: Set the ppp authentication protocol. The options are none, chap, or pap.

• Comment: You may change the comment field to whatever you wish.

• Access Level: This will set the level of access that this user has.

The access level determines what a user can do within the configuration. Table 6-2 is a list of

Issue 1.0, April 2006 Section 364-180-N02

the functions users can edit based on their access levels:

Table 6-2 User access levels

Access Level Functions

superuser All configurations

engineer All configurations, except firmware upgrade, and user management

default View status, view error log, system restart

Finally, click the Apply button to apply your new settings.

3. You will be returned to the “Authentication” page. You may now edit another user, or

create a new one, if needed. See the next subsection for instructions on creating a new user.

 To Create a New User

1. Login to your router. From the left frame, click Configuration and then Authentication

from the submenu. The “Authentication” page will appear as shown in Figure 6-10. Click the Create a new user link to add a new user. The page will appear as follows.

Figure 6-12 Web Tool – Authentication: create user page

Issue 1.0, April 2006 Section 364-180-N02

2. In the “Authentication: create user” page, the details for a new user includes the following

items:

• Username: Enter the new username you want to create

• Password: Enter the password of the new user

• GUI user?: Enable or disable GUI users access the router.

• Dial-in user?: Enable or disable ppp dial-in users access the router.

• pppLogin: Set the ppp authentication protocol. The options are none, chap, or pap.

• Access Level: This will set the level of access that this user has. Refer to Table 6-2 for

the access level information.

• Comment: You may edit the comment field to whatever you wish.

After you have entered all the fields, click Create button to create a new user.

3. The “Authentication” page will appear again, showing your newly added user in the list of

currently defined users. You may edit or delete a user or create a new user at any time.

Figure 6-13 Web Tool – Authentication: Currently Defined Users page

Issue 1.0, April 2006 Section 364-180-N02

LAN Connections

The LAN Connections page allows you to change the default and secondary IP address for the LAN port and lets you modify the RIP options.

1. Login to your router. From the left frame, click Configuration and then click LAN

connection. The “LAN connection” page will appear.

Figure 6-14 Web Tool – LAN connection page

RIP Options:

• Accept V1: Set to true if you would like to receive version 1 routing information

packets.

• Accept V2: Set to true if you would like to receive version 2 routing information

packets.

• Send V1: Set to true if you would like to send version 1 routing information

Issue 1.0, April 2006 Section 364-180-N02

packets.

• Send V2: Set to true if you would like to send version 2 routing information

packets.

• Send Multicast: Set to true if you need to send multicast packets (often used when

you obtain your LAN port IP address dynamically). This item is useful only when Send V2 is set to true.

• Enable Password: You may set this to true to require incoming packets to have the

proper password to be recognized.

• Password: Enter your desired password for incoming RIP packets.

<Note: If the router is set in RIP v2 mode, and you still want it to be RIP v1 compatible, you must enable Accept V1, Accept V2, Send V1, Send V2, but disable Send Multicast>

LAN Configuration:

• Primary IP Address setting:

IP address and subnet mask details of your primary LAN connection. To edit these details, click in the appropriate text box and type new primary address details. If the IP address is set to the special value 0.0.0.0, the interface is marked as unconfigured. This value is used when the interface address is obtained automatically.

• Secondary IP Address setting:

A secondary address may be used to create an extra IP address on an interface for management purposes, or to allow the IP stack to route between two subnets on the same interface. The functionality of secondary IP addresses depends on several parameters including the type of IP interface and the subnet mask:

If a secondary address is on the same subnet as the primary interface address, you do not need to specify a subnet mask for that secondary address. This applies to all interface types.

If a secondary address is on a different subnet to the primary address, and the interface is Ethernet or a transport using a bridged encapsulation, you must specify the subnet mask. The IP stack will listen on the new address for connections to local services (e.g., for management purposes), and will also route packets to the new subnet.

If a secondary address is on a different subnet to the primary address, and the interface

Issue 1.0, April 2006 Section 364-180-N02

is a point-to-point interface, specifying a subnet mask is optional. For the same behavior as described for Ethernet interfaces above, the subnet mask should be specified. If the subnet mask is not specified, the IP address will not be associated with any subnet, but will still be recognized as one of the IP stack’s own addresses for local traffic.

• DHCP Client: Set to true if you would like to configure the router as a DHCP client.

After entering your RIP and LAN configuration settings, click Apply. The “LAN Connection” page will appear stating the changes you have just made.

Issue 1.0, April 2006 Section 364-180-N02

WAN Connections

The WAN Connections page allows you to create different kinds of WAN services.

Creating or Editing a WAN service:

1. From the left frame, click the Configuration link, then click WAN connections link.

The “WAN connections” page will appear as below. The page lists all the currently defined

connections (services). You can edit or delete the connections, or you can create a new service but only one WAN service can exist at a time).

Figure 6-15 Web Tool – WAN connections page

2. If there’s no currently defined service, you will see the following page after you click the Create a new service link in the “WAN connections” page:

Figure 6-16 Web Tool – WAN connection: create service page

Issue 1.0, April 2006 Section 364-180-N02

Select the type of service you want to create, and then click the Configure button.

Issue 1.0, April 2006 Section 364-180-N02

Frame Relay routed



1. If you select Frame Relay routed in the “WAN connection: create service” page, the

following page will appear. The option fields include:

Description: Enter a brief description for the service. DLCI: DLCI (data link connection identifier) sets the identifier for the Frame Relay

data link channel that you are using. The range of the DLCI is 16 to 1007.

Encapsulation method: sets the RFC1490 encapsulation method used by Frame Relay. Each

DLCI can be multiplexed further if you are using RFC1490 multi-protocol encapsulation. The choices are: Raw, Routed IP.

Use DHCP or WAN IP address: You must choose “Use DHCP” if you want to set the router

as a DHCP client.

After entering all the fields needed in this page, click Apply button.

Figure 6-17 Web Tool - WAN connection: Frame Relay routed page

Note: The maximum number of Frame Relay DLCI channels that can be created is

14.

Issue 1.0, April 2006 Section 364-180-N02

2. To edit a currently defined frame relay routed service, click “Edit” link for that connection as

in Figure 6-15, then the page will appear as follows.

Figure 6-18 Web Tool – WAN connection: frame relay routed: Edit Service page

To edit the service, click on the links at the top of the edit page. The links include:

Edit ‘Service’, Edit ‘Frame Relay’, Edit ‘Frame Relay Channel’, Edit ‘IP Interface’, Edit ‘Rip Versions’, and Edit ‘Tcp Mss Clamp’.

In “Edit Service” page, you can edit the creator name and the brief description of the service.

In “Edit Frame Relay Channel” page, the option fields include:

DLCI: sets the DLCI; the identifier for the Frame Relay data link channel that you are

using. The range of the DLCI is 16 to 1007.

Rx Max Pdu: sets the maximum Protocol Data Unit (PDU) size that can be received over

Frame Relay. The default value is 8192.

Tx Max Pdu: sets the maximum Protocol Data Unit (PDU) size that can be transmitted

over Frame Relay. The default value is 8192.

Chnl Segment Size: sets the size of the channel segment used by Frame Relay. The default

Issue 1.0, April 2006 Section 364-180-N02

value is 0. If you set this to any number other than 0, DLCI level FRF.12 segmentation is enabled. The range of the segment size recommended is 200 to

1500. For more information on FRF.12, see

http://www.frforum.com.

Port: sets the port that an existing Frame Relay transport uses to transport data. (The port is

always fr for frame relay routed.)

Figure 6-19 Web Tool – WAN connection: Edit Frame Relay channel page

In “Edit Ip Interface” page, the Ipaddr, Mask, and Dhcp are the same meaning as in Figure

. The MTU (maximum transmission unit) is the largest size frame that can be sent in

6-17

transmission. The default MTU is 1500 octets. The Enabled is set to true by default. If the Enabled is set to false, the specified IP interface does not work.

Issue 1.0, April 2006 Section 364-180-N02

Figure 6-20 Web Tool – WAN connection: Edit IP Interface page

In “Edit Rip Versions” page, you can refer to section 0 for the setting rule of RIP options.

Issue 1.0, April 2006 Section 364-180-N02

Figure 6-21 Web Tool – WAN connection: Edit Rip Versions page

In “Edit Tcp Mss Clamp” page, you can set the Tcp Mss Clamp to true or false. The TCP Maximum Segment Size (MSS) Clamp intercepts TCP synchronization (SYN) packets as the router forwards them. These packets advertise the MSS that the host is prepared to accept.

The clamp modifies the MSS of outgoing packets according to the MTU of the interface on which the packet is transmitted. The MSS is modified so that it is no bigger than the interface MTU minus the IP and TCP header. This ensures that once the connection is established, the data packets will not be large enough to require fragmentation when sent over the link with the smaller MTU.

Note – The TCP MSS clamp should be used with care. Allowing the router to change data in the TCP header is against the nature of the protocol stack - the lower IP protocol alters data in the higher level TCP protocol. A TCP stream with IPSec/VPN should never be modified by the MSS clamp.

REMEMBER! When you have completely configured your router, please be sure to save your new configuration by clicking the Save config link from the left frame and follow the steps there within. Please see 0 Save config section for more information regarding save procedures.

Issue 1.0, April 2006 Section 364-180-N02

Frame Relay bridged



1. If you select Frame Relay bridged in the “WAN connection: create service” page, the

following page will appear. The option fields include:

Description: Enter a brief description for the service.

DLCI: DLCI (data link connection identifier) sets the identifier for the Frame Relay data link

channel that you are using. The range of the DLCI is 16 to 1007.

Encapsulation method: sets encapsulation method used by Frame Relay bridged. The

choices are: Bridged Ethernet, Bridged Ethernet with CRC, and Raw.

After entering all the fields needed in this page, click Apply button.

Figure 6-22 Web Tool – WAN connection: Frame Relay bridged page

2. To edit a currently defined frame relay bridged service, click “Edit” link for that connection as

in the figure below. Then the edit page will appear.

Issue 1.0, April 2006 Section 364-180-N02

Figure 6-23 Web Tool – WAN connections page

To edit the service, click on the links at the top of the edit page. The links include:

Edit ‘Service’, Edit ‘Frame Relay’, Edit ‘Frame Relay Channel’, Edit ‘Bridge Interface’, and Edit ‘Spanning Bridge Interface’.

In “Edit Bridge Interface” page, the option fields include:

Ether Filter Type: The value can be All, Ip, or Pppoe. Enabled: true or false.

In “Edit Spanning Bridge Interface” page, the option fields include:

Enabled: specifies whether or not the bridge is to implement the spanning tree protocol

(STP).

Priority: sets the spanning tree protocol priority. Path Cost: sets the cost of the path from all bridges to the root bridge.

In “Edit Frame Relay” page, the option fields include:

DLCI: sets the DLCI; the identifier for the Frame Relay data link channel that you are

using. The range of the DLCI is 16 to 1007.

Rx Max Pdu: sets the maximum Protocol Data Unit (PDU) size that can be received over

Frame Relay. The default value is 8192.

Tx Max Pdu: sets the maximum Protocol Data Unit (PDU) size that can be transmitted

over Frame Relay. The default value is 8192.

Chnl Segment Size: sets the size of the channel segment used by Frame Relay. The default

value is 0. If you set this to any number other than 0, DLCI level FRF.12 segmentation is enabled. The range of the segment size recommended is 200 to

1500. For more information on FRF.12, see

http://www.frforum.com.

Port: sets the port that an existing Frame Relay transport uses to transport data. (The port is

always fb for frame relay bridged.)

For the other Edit items, please refer to the descriptions in the Frame Relay routed subsection.

Note: The maximum number of Frame Relay DLCI channels that can be created is 14.

Issue 1.0, April 2006 Section 364-180-N02

PPP routed



1. If you select PPP routed in the “WAN connection: create service” page, the following page

will appear. The option fields include:

Description: enter a brief description for the service.

WAN IP address: enter the WAN IP address of the router card. WAN IP netmask: enter the WAN IP netmask of the router card. Listening or not: determines whether the router can accept incoming connections from a

remote PPP server. Set to on to accept.

Authentication to log in a remote peer: The choices are None, PAP, and CHAP. User name: sets the dial-out user name. Password: sets the dial-out password.

After entering all the fields needed in this page, click Configure button.

Figure 6-24 Web Tool – WAN connection: PPP routed p age

Issue 1.0, April 2006 Section 364-180-N02

2. To edit the currently defined PPP routed service, click “Edit” link for the connection as in the

figure below. Then the edit page will appear.

Figure 6-25 Web Tool – WAN connections page

To edit the service, click on the links at the top of the edit page. The links include:

Edit ‘Service’, Edit ‘PPP’, Edit ‘Hdlc Channel’, Edit ‘Ip Interface’, Edit ‘Rip Versions’, and Edit ‘Tcp Mss Clamp’.

In “Edit PPP” page, the option fields include:

Server: PPP server true or false. If this is set to true, the router card is configured to be a

PPP server; if false, the router card is configured to be a PPP client.

Note: The two ends of a PPP link must not be PPP servers at the same time.

Create Route: set to true, a route will be created which directs packets to the remote end of

the PPP link.

Specific Route: set to false. Subnet Mask: sets the subnet mask used for the local IP interface connected to the PPP

transport.

Route Mask: sets the subnet mask used by the route that is created when a PPP link comes

up. If it is set to 0.0.0.0, the subnet mask is determined by the IP address of the remote end of the link.

Lcp Max Configure: sets the Link Control Protocol (LCP) maximum parameter for an

existing PPPoH transport.

Lcp Max Failure: sets the Link Control Protocol (LCP) maximum fail parameter for an

existing PPPoH transport.

Issue 1.0, April 2006 Section 364-180-N02

Lcp Max Terminate: sets the Link Control Protocol (LCP) maximum terminate parameter

for an existing PPPoH transport.

Dialin Auth: sets the authentication method that remote PPP clients mu st use to dialin to

the server. The choices are: none, chap, and pap.

Dialout Username: sets the dial-out user name. Dialout Password: sets the dial-out password. Confirmation Password: sets the confirmation password. Dialout Auth: sets the authentication protocol used to connect to external PPP servers

(dial-out). The choices are: none, chap, and pap.

Interface ID: sets the PPP interface ID for an existing PPPoH transport. Remote Ip: sets the IP address supplied to the remote end of the PPP connection during

negotiation. If the remote peer doesn’t set its IP address for PPP connection, it will use the IP set in this field. But if the remote peer already set its IP address for PPP connection, you must not set the Remote IP or the connection can’t be established.

Local Ip: tells the PPP process the local IP address to be associated with the local end of

the WAN interface after a successful connection.

Magic Number: sets the magic number. This option provides a method to detect

looped-back links and other Data Link Layer anomalies. For more information, please refer to RFC 1661 section 6.4 Magic-Number.

MRU: sets the Maximum Receive Unit. Ip Addr From IPCP: sets to true if you want to get your local IP address from the PPP

negotiation or false if you do not want to receive the local IP.

Discovery Primary DNS: enables/disables whether the primary DNS server address is

requested from a remote PPP peer using IPCP.

Discovery Secondary DNS: enables/disables whether the secondary DNS server address is

requested from a remote PPP peer using IPCP.

Give DNS to Relay: controls whether the PPP Internet Protocol Control Protocol (IPCP)

can request the DNS server IP address for a remote PPP Peer.

Give DNS to Client: controls whether the PPP Internet Protocol Control Protocol (IPCP)

can request a DNS server IP address for a remote PPP peer.

Remote DNS: sets the primary local DNS server addresses that will be given to a remote

PPP peer when the peer requests a primary DNS server IP address using IPCP.

Remote Secondary DNS: sets the secondary local DNS server addresses that will be given

Issue 1.0, April 2006 Section 364-180-N02

to a remote PPP peer when the peer requests a secondary DNS server IP address using IPCP.

Lcp Echo Every: tells a specified PPP transport to send an LCP echo request frame at

specified intervals (in seconds). If no reply to the request is received, the PPP connection is torn down.

Auto Connect: sets to true or false. Idle Timeout: sets the idle time out (in minutes). Enabled: enables/disables a PPPoH transport.

In “Edit Hdlc Channel” page, the option fields include:

Port: sets the port that an existing transport uses to transport PPP data. (Currently this can’t

be edited. The value is always hdlc)

For the other Edit items, please refer to the descriptions in the Frame Relay routed subsection.

Issue 1.0, April 2006 Section 364-180-N02

PPP bridged



1. If you select PPP bridged in the “WAN connection: create service” page, the following page

will appear. The option fields include:

Description: Enter a brief description for the service.

WAN IP address: enter the WAN IP address of the router card.

Listening or not: determines whether the router can accept incoming connections from a

remote PPP server. Set to on to accept.

Authentication to log in a remote peer: The choices are None, PAP, and CHAP. User name: sets the dial-out user name. Password: sets the dial-out password.

After entering all the fields needed in this page, click Configure button.

Figure 6-26 Web Tool – WAN connection: PPP bridged pag e

Issue 1.0, April 2006 Section 364-180-N02

2. To edit the currently defined PPP bridged service, click “Edit” link for the connection as in the

figure below. Then the edit page will appear.

Figure 6-27 Web Tool – WAN connections page

To edit the service, click on the links at the top of the edit page. The links include:

Edit ‘Service’, Edit ‘PPP’, Edit ‘Hdlc Channel’, Edit ‘Bridge Interface’, and Edit ‘Spanning Bridge Interface’.

For the Edit ‘PPP’ and Edit ‘Hdlc Channel’ items, please refer to the descriptions in the PPP routed subsection. For the other Edit items, please refer to the descriptions in the Frame Relay bridged subsection.

Issue 1.0, April 2006 Section 364-180-N02

Deleting a WAN service:

If you want to delete a currently defined service, click “Delete” link for that service in “WAN connections” page. The following example is to delete a frame relay routed connection ‘frme-0’. After clicking the “Delete” link, a confirm page will appear as follows. Click the Delete this connection button to delete the connection.

Figure 6-28 Web Tool – WAN connection: delete ‘Frame Relay routed’ page

IP routes

The IP Route Configuration allows you to create static IP routes to destination addresses via an IP interface name or a Gateway address. IP Routes do not need to be configured for dynamic connections.

1. Log-in to your router. From the left frame, click Configuration and then IP Routes. The

“Edit Routes” page will appear, showing all configured routes, if any. Click Create New Ip V4Route, then the page will appear as follows.

Issue 1.0, April 2006 Section 364-180-N02

Figure 6-29 Web Tool – IP routes: Create Ip V4Route page

2. Enter the destination, gateway and netmask for your route. You can also specify the cost and the interface to apply it to. Use the name of your WAN or LAN interface. Click OK, then the “Edit Routes” page will appear and show the configured route. There is a Valid indicator showing the status of each route. If the LED color is red, the route is invalid because of the wrong interface name or the same Destination/Netmask as some already existing route. If the LED color is green, the route is a valid route.

Figure 6-30 Web Tool – IP routes: Edit Routes page

NOTE: To set rip host route or rip poison, you can only do the setting by CLI commands. You cannot access these two IP routes features through Web configuration.

Issue 1.0, April 2006 Section 364-180-N02

DHCP Server

DHCP is a client-server protocol that replies to requests from a DHCP server and provides configuration information to devices on an IP network (the DHCP clients). The DHCP server provides network addresses from a central pool on an as-needed basis. DHCP is very useful for providing IP addresses to devices connected to the network temporarily or for sharing a limited pool of IP addresses among a group of hosts that do not need permanent IP addresses.

1. Log-in to your router. From the left frame, click Configuration and then click DHCP Server from the submenu. The “DHCP Server” page will appear, showing the current Server

status and DHCP Settings. In the DHCP Server Mode section, choose Disabled (disable the DHCP function) or DHCP server or DHCP relay agent, then click the Configure button to edit the settings. The DHCP server is disabled by default.

Figure 6-31 Web Tool – DHCP server page

Issue 1.0, April 2006 Section 364-180-N02

DHCP Server mode



1. If you choose DHCP server in the DHCP Server Mode section, this will provide IP

addresses to computers connected to the router from within the default IP address pool. You can edit your DHCP settings for a custom configuration by clicking the Configure button. The “DHCP: enable server” page will appear then. Make any changes to the configuration that are needed and then click the Apply button. The fields are defined below.

Address Range:

‧Use Default Range: This will enable the use of the router’s default address pool

Figure 6-32 Web Tool – DHCP: enable server page

(as shown). Checking this box will override any settings in the following two fields.

‧Starting IP Address: This field allows you to define the first address of the range

of numbers in your custom address pool. The range will span between this number

Issue 1.0, April 2006 Section 364-180-N02

and the Ending IP Address, defined in the next field.

‧Ending IP Address: This field allows you to define the last address in the range

of numbers in your custom address pool.

Note: The maximum number of DHCP IP addresses supported by the sy stem is 128.

Lease Times:

‧Default Lease Time: You may specify the default time, in seconds, of a typical

DHCP-assigned address.

‧Maximum Lease Time: You may specify the maximum time, in seconds, that a

device can use a DHCP-assigned address.

Domain Name Servers:

‧Use Router as DNS Server: Checking here will enable the router to act as a DNS

server. If this option is checked, you will need to have DNS Relay enabled.

‧Primary DNS Server Address: This is where the router will go looking for DNS

information. Enter your ISP-provided Primary DNS Server Address here.

‧Secondary DNS Server Address: This is where the router will go looking for

DNS information if the primary address is busy or not responding. Enter your ISP-provided Secondary DNS Server Address here.

Default Gateway:

‧Use Router as Default Gateway: It is recommended that you check this field.

2. The “DHCP Server” page will appear again, showing your new changes. Review your new settings. If you should need to modify the settings further, you may click the Configure the DHCP Server button at the bottom of the page.

Issue 1.0, April 2006 Section 364-180-N02

Note: WINS server configuration cannot be made by web browser. Users can only configure the WINS server by using CLI commands. See the following example:

-->dhcpserver subnet 1 add option netbios-node-type 8

-->dhcpserver subnet 1 add option netbios-name-servers 10.10.10.10

-->dhcpserver update

-->dhcpserver subnet 1 list option options for subnet: LAN ID | Identifier | Value

-----|-----------------------|----------------------- 1 | netbios-name-servers | 10.10.10.10 2 | netbios-node-type | 8 1 | domain-name-servers | 55.55.55.55

------------------------------------------------------

For details of the above CLI commands, please refer to the Section 364-180-C01 manual.

Ethernet Router CLI Manual

Issue 1.0, April 2006 Section 364-180-N02

DHCP Relay Agent Mode



If your ISP, or a different server, performs the DCHP server function for your network, then you should configure the router as a DHCP relay agent. When the router receives a request from a computer on your network, it contacts your ISP or the assigned server for the necessary IP information, and then relays the assigned information back to the computer.

1. On the “DHCP Server” page, scroll down to the “DHCP Server Mode” section and select DHCP Relay Agent. Then click the Configure button. The “DHCP: Enable Relay Agent”

page will appear. Enter the IP Address of the DHCP Server you wish to relay to and click the Apply button.

Figure 6-33 Web Tool – DHCP: enable relay agent page

Issue 1.0, April 2006 Section 364-180-N02

2. The “DHCP Server” page will appear showing the IP Address that DHCP will be relayed to. If you should need to RE-CONFIGURE the DHCP server, you may click the Configure the DHCP Server button below the message.

Figure 6-34 Web Tool – DHCP server: DHCP relay enabled page

Issue 1.0, April 2006 Section 364-180-N02

DNS Client

The DNS Client configuration allows you to specify the Domain Name Server that the router will use for Domain Name resolution.

1. Log-in to your router. From the left frame, click Configuration and then DNS Client. The

“DNS Client” page will appear. Enter your DNS server address into the box in the DNS Servers section and click the Add button.

Figure 6-35 Web Tool – DNS Client page

2. The “DNS Client” page will refresh and show your newly assigned DNS address. You may

add another using the procedure from step 1. You may also delete the assigned DNS address at any time by clicking the Delete button to the right of the assigned address.

Issue 1.0, April 2006 Section 364-180-N02

Figure 6-36 Web Tool – DNS Client page

3. Domain search order:

Enter your search order into the box in the Domain search

order section and click the Add button. The ‘DSN Client’ page will refresh and show the newly assigned Domain search order. You may make multiple entries in the list by repeating this procedure. You may delete the assigned search order by clicking the Delete button to the right of the assigned name. Entering a domain search order will create a list that the DNS client will use to attempt to complete an incomplete domain name. It will append each entry in the search order to the incomplete domain name in an attempt to find a valid domain name.

Issue 1.0, April 2006 Section 364-180-N02

DNS Relay

DNS Relay forwards packets to request the DNS information from a specified DNS server. It is possible to enter both a primary and secondary DNS server to contact, which is commonly configured. Replies from the DNS are then forwarded back to the originator of the packets that were made for the original request. UDP and TCP traffic are both supported.

NOTE: When using Routed PPP mode, you do not need to configure DNS Relay. It will be automatically configured upon connection to the PPP server.

1. Log-in to your router. From the left frame, click Configuration and then DNS Relay. The “DNS Relay” page will appear, indicating that the DNS Relay is disabled. In the DNS Relay Mode section, choose the Enabled button and click the Configure button.

Figure 6-37 Web Tool – DNS relay page

2. The “DNS: Enable Relay” page will appear. In the DNS Relay Settings section, enter the address of your DNS server and click the Apply button.

Issue 1.0, April 2006 Section 364-180-N02

Figure 6-38 Web Tool – DNS: enable relay page

Issue 1.0, April 2006 Section 364-180-N02

3. The “DNS Relay” page will appear again stating that the relay has been enabled and will show the address the relay is pointing to. If you should need to RE-CONFIGURE the DNS relay, you may click the Configure the DNS relay button below the message.

Figure 6-39 Web Tool – DNS relay enabled page

Issue 1.0, April 2006 Section 364-180-N02

Security

The “Security Interface Configuration” page allows you to set the Firewall Security Level, the NAT configuration, Policies, Triggers and Intrusion Detection. Click Configuration from the left frame and then click Security link. The following page will be displayed:

Figure 6-40 Web Tool – Security page

Enabling Security



You must enable Security before you can enable Firewall and/or Intrusion Detection. In the “Security State” section, click on the Security Enabled radio button and then click on Change State to update.

Issue 1.0, April 2006 Section 364-180-N02

 Enabling Firewall and/or Intrusion Detection

* Intrusion Detection is for future feature. You must create a security interface before you can enable Firewall and/or Intrusion Detection. Security interfaces are based on existing LAN services. You must create a LAN service for every security interface that you want to configure (From the “Security Interfaces” section, click on “Add Interface”). If you see any error in the content of the security interfaces table, you must delete the interface first and re-add the interface again. When you add the security interface, the Type setting (internal/external) must follow the default rule (if it is a LAN side interface, the Interface Type should be internal; if it is a WAN side interface, the Interface Type should be external).

After the Firewall is enabled, you can set the Security Level. In the Security Level section, click the “Security Level” drop-down list. Then click on the level that you want to set. Finally, click on the Change Level button.

 NAT Configuration

NAT stands for Network Address Translation, which is an Internet standard that enables a local-area network to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. NAT, located where the LAN meets the Internet, makes all necessary IP address translations.

1. In the “Security Interfaces” section of the page, you can see the newly created interfaces (see Figure 6-40). To enable NAT, click the Enable NAT to internal interfaces button. Then the page will refresh and the button will now read Disable NAT to internal interfaces.

Figure 6-41 Web Tool – Security: Security Interfaces page

Issue 1.0, April 2006 Section 364-180-N02

Global Address Pools



A Global Address Pool is a pool of addresses seen from the outside network. By default, each outside interface creates a Global Address Pool with a single address – the address assigned to that interface. For outbound sessions, an address is picked from a pool by hashing the source IP address for a pool index and then hashing again for an address index. For inbound sessions, it is necessary to create a reserved mapping. See the following subsection “Nat Reserved Mapping”.

NOTE: NAT must be enabled before you can configure global address pools. It is assumed here that you have previously configured NAT.

1. Login to your router. Click Configuration and then click Security from the left frame. The

“Security Configuration” page will appear. In the “Security Interfaces” section, click the Advanced NAT Configuration link.

Figure 6-42 Web Tool – Security: Security Interfaces page

Issue 1.0, April 2006 Section 364-180-N02

2. The “Advanced NAT Configuration” page will appear. In the “Global Address Pools” section,

click the Add Global Address Pool link.

Figure 6-43 Web Tool – Security: Advanced NAT Configuration page

3. The “Firewall Add Global Address Pool” page will appear. This page allows you to create a pool of network IP addresses that are visible outside your network. Add values for each of the fields. See the table below for a summary of each field. Click the Add Global Address Pool button.

Figure 6-44 Web Tool – Security: Firewall Add Global Address Pool page

Issue 1.0, April 2006 Section 364-180-N02

GLOBAL ADDRESS POOL FIELDS DEFINED: Interface type: The internal address type that you want to map your external global IP

addresses to. Click on the drop-down list and select an interface type. Use Subnet Configuration: There are two ways to specify a range of IP addresses. You can either Use Subnet Mask (specify the subnet mask address of the IP address) or Use IP Address Range (specify the first and last IP address in the range). Click on the drop-down list and select a method.

IP Address: Enter the IP Address that is visible outside the network Subnet Mask/IP Address 2: The value you specify here depends on the Subnet Configuration

that you are using. If you chose Use Subnet Mask, type in the subnet mask of the IP address. If you chose Use IP Address Range, type in the last IP address in the range of addresses that make up the global address pool.

4. The “Advanced NAT Configuration” page will appear again, showing your newly created

Global Address Pool.

Figure 6-45 Web Tool – Security: Advanced NAT Configuration page

5. To delete a Global Address Pool, click on the Delete link on the right side of the Global

Address Pool you wish to delete (see Figure 6-45).

Issue 1.0, April 2006 Section 364-180-N02

6. The “Firewall Delete Global Address Pool” page will appear confirming your deletion. Click

the Delete Global Address Pool button.

Figure 6-46 Web Tool – Security: Firewall Delete Global Address Pool page

 NAT Reserved Mapping

Reserved mapping is used so that NAT knows where to route packets on inbound sessions. The reserved mapping will map a specific global address and port to an inside address and port. Reserved mappings can also be used so that different inside hosts can share a global address by mapping different ports to different hosts. For example, Host A is an FTP server and Host B is a web server. By mapping the FTP port to Host A and the HTTP port to Host B, both inside hosts can share the same global address. Setting the port number to 65535 for TCP or UDP protocols means that the mapping will apply to all port numbers for that protocol. Reserved mapping allows you to map an outside security interface or an IP address from a global pool to an individual IP address inside the network. Mapping is based on transport type and port number.

NOTE: NAT must be enabled before you can configure reserved mapping. It is assumed that you have previously configured NAT.

Issue 1.0, April 2006 Section 364-180-N02

1. Login to your router. Click Configuration and then click Security from the left frame. The

“Security Configuration” page will appear. In the “Security Interfaces” section, click the Advanced NAT Configuration link.

Figure 6-47 Web Tool – Security: Security Interfaces page

2. The “Advanced NAT Configuration” page will appear. Click the Add Reserved Mapping

link.

Figure 6-48 Web Tool – Security: Add Reserved Mappings page

3. The “Firewall Add Reserved Mapping” page will appear. You can configure the details of your reserved mapping here. Add specific values in the table and then click the Add Reserved Mapping button. The table will refresh and the reserved mapping is added to your NAT

Issue 1.0, April 2006 Section 364-180-N02

configuration.

Figure 6-49 Web Tool – Security: Firewall Add Reserved Mapping page

NOTE: Setting the port number to 65535 for TCP or UDP protocols means that the mapping will apply to all port numbers for that protocol.

RESERVED MAPPING FIELDS DEFINED: Global IP Address: If you are mapping from a global IP address, type the address here. If you

are mapping from a security interface, type 0.0.0.0.

Internal IP Address: The IP address of an individual host inside your network.

Transport Type: Specify the transport type that you want to map from the outside interface to

the inside.

Port Number: The port number that your transport uses.

Issue 1.0, April 2006 Section 364-180-N02

4. The “Advanced NAT Configuration” page will appear showing your newly added reserved mapping. You may click the Add Reserved Mapping link to add another mapping if needed.

Figure 6-50 Web Tool - Security: Reserved Mappings page

5. To delete a Reserved Mappings, click on the Delete link on the right side of the Reserved

Mappings you want to delete (see Figure 6-50).

6. The “Firewall Delete Reserved Mapping” page will appear confirming your deletion. Click

the Delete Reserved Mapping button.

Figure 6-51 Web Tool – Security: Firewall Delete Reserved Mappings page

Issue 1.0, April 2006 Section 364-180-N02

Configuring Firewall Policy



A policy is the collective term for the rules that apply to incoming and outgoing traffic between two interface types. Before you can create a Firewall policy, you need to enable Firewall.

1. Go to the Polices, Triggers and Intrusion Detection section of the “Security Interface

Configuration” page. Click on the “Firewall Policy Configuration” link, The Firewall Policy Configuration page is displayed.

Figure 6-52 Web Tool – Security: Firewall Policy Configuration page

2. In the page, you will see the “Current Firewall Policies” table. The table contains details of

each Firewall policy. You can now configure the Port Filters.

 Configuring Port Filters

A port filter is an individual rule that determines what kind of traffic can pass between two interfaces specified in an existing policy.

1. From the Current Firewall Policies table, click on the Port Filters link for the policy that you want to configure. The page displayed contains three Add Filter hyperlinks that allow you to create three different kinds of port filter. For a TCP port filter click on Add TCP Filter. The following page is displayed:

Issue 1.0, April 2006 Section 364-180-N02

Figure 6-53 Web Tool – Security: Firewall Add TCP Port Filter page

Specify the start and end of the port range for the TCP protocol that you want to filter. Then use the Direction drop-down lists to specify whether you want to allow/block inbound traffic, and allow/block outbound traffic. Click on Apply. The Firewall Port Filters page is displayed, containing details of the TCP portfilter that you have just added.

For a UDP portfilter, click on Add UDP Filter. The Firewall Add UDP Port Filter page is

displayed. For details on how to complete the table, follow the above instructions for adding a TCP portfilter.

For a non-TCP/UDP portfilter, click on Add Raw IP Filter. The following page is displayed:

Issue 1.0, April 2006 Section 364-180-N02

Figure 6-54 Web Tool – Security: Firewall Add Raw IP Filter page

Specify the protocol number in the Transport Type text box, for example, for IGMP, enter protocol number 2. For more information on protocol numbers, see http://www.ietf.org/rfc/rfc1700.txt. Then use the Direction drop-down lists to specify whether you want to allow/block inbound traffic, and allow/block outbound traffic. Click on Apply. The Firewall Port Filters page is displayed, containing details of the IP portfilter that you have just added.

2. Each portfilter displayed in the Firewall Port Filters page has a Delete hyperlink assigned to it. To delete a portfilter, click on this link, then at the confirmation page, click on the Delete button. The portfilter is removed from the Firewall configuration. These actions have the same effect as typing the following CLI commands:

firewall add portfilter firewall list portfilters firewall delete portfilter

NOTE: If the firewall is enabled, RIP is by default disabled for the route card. If you want RIP to work when the firewall is enabled, you must add a UDP port filter – Port Range: 520 ~ 520, Inbound/Outbound Allow.

3. Portfilter’s default items are different that will be according to the security level.

 Security Level = low

--> firewall list portfilters pex_in

Firewall Port Filters:

ID | Name | Type | Por t Range | In | Out | Raw | TCP | UDP

Issue 1.0, April 2006 Section 364-180-N02

----------------------------------------------------------------------------

 Security Level = medium

--> firewall list portfilters pex_in

Firewall Port Filters:

ID | Name | Type | Port Range | In | Out | Raw | TCP | UDP

Issue 1.0, April 2006 Section 364-180-N02

----------------------------------------------------------------------------

 Security Level = high

--> firewall list portfilters pex_in

Firewall Port Filters:

ID | Name | Type | Port Range | In | Out | Raw | TCP | UDP

Issue 1.0, April 2006 Section 364-180-N02

----------------------------------------------------------------------------

Issue 1.0, April 2006 Section 364-180-N02

Configuring triggers



A trigger allows an application to open a secondary port in order to transport packets. The most common applications that require secondary ports are FTP and NetMeeting. This section assumes that you have followed the instructions in Enabling Security. To configure a trigger:

1. Go to the Policies, Triggers and Intrusion Detection section of the Security Interface Configuration. Click on Firewall Trigger Configuration. The “Firewall Trigger Configuration”

page is displayed. There are no triggers defined at this time. Click on the New Trigger link. The following page is displayed:

Figure 6-55 Web Tool – Security: Firewall Add Trigger page

2. Configure the trigger as follows:

Transport Type; select a transport type from the drop-down list, depending on whether you are adding a trigger for a TCP or a UDP application.

Port Number Start; type the start of the trigger port range that the primary session uses. Port Number End; type the end of the trigger port range that the primary session uses. Allow Multiple Hosts; select allow if you want a secondary session to be initiated to/from

different remote hosts. Select block if you want a secondary session to be initiated only to/from the same remote host. Max Activity Interval; type the maximum interval time (in milliseconds) between the uses of secondary port sessions. Enable Session Chaining; select Allow or Block depending on whether you want to allow multi-level TCP session chaining. Enable UDP Session Chaining; select Allow or Block depending on whether you want to allow

Issue 1.0, April 2006 Section 364-180-N02

multi-level UDP and TCP session chaining. You must set Enable Session Chaining to Allow if you want this to work. Binary Address Replacement; select Allow or Block depending on whether you want to use binary address replacement on an existing trigger. Address Translation Type; specify what type of address replacement is set on a trigger. You must set Binary Address Replacement to Allow if you want this to work.

3. Once you have configured the trigger, click on Apply. The Firewall Trigger Configuration page is displayed, containing details of the trigger that you have just configured.

4. Each trigger displayed in the Firewall Trigger Configuration page has a Delete hyperlink assigned to it. To delete a trigger, click on this link, then at the confirmation page, click on the Delete button. The Firewall Trigger Configuration page is displayed and details of the deleted trigger have been removed. There are two hyperlinks on the page:

a To add a new trigger, click on New Trigger. b To display the Security Interface Configuration page, click on Return to Interface List.

These actions have the same effect as typing the following CLI commands:

security add trigger security list triggers security set trigger endport security set trigger startport security set trigger multihost security set trigger maxactinterval security set trigger sessionchaining security set trigger security set trigger UDPsessionchaining security set trigger binaryaddressreplacement security set trigger addressreplacement

Issue 1.0, April 2006 Section 364-180-N02

5. Default firewall triggers

Issue 1.0, April 2006 Section 364-180-N02

Configuring Intrusion Detection Settings



Intrusion Detection settings allow you to protect your network from intrusions such as denial of service (DOS) attacks, port scanning and web spoofing. This section assumes that you have followed the instructions in Enabling Security and Enabling Firewall and/or Intrusion Detection. To configure Intrusion Detection settings:

1. Go to the Policies, Triggers and Intrusion Detection section of the Security Interface Configuration page. Click on Configure Intrusion Detection. The “Firewall Configure Intrusion Detection” page is displayed:

Figure 6-56 Web Tool – Security: Firewall Configuration Intrusion Detection page

2. Configure Intrusion Detection as follows:

Use Blacklist; select true or false depending on whether you want external hosts to be blacklisted if the Firewall detects an intrusion from that host. Click on the Clear Blacklist button at the bottom of the page to clear blacklisting of an external host. The Security Interface Configuration page is displayed. Use Victim Protection; select true or false depending on whether you want to protect a victim from an attempted web spoofing attack. DOS Attack Block Duration; type the length of time (in seconds) that the Firewall blocks suspicious hosts for once a DOS attack attempt has been detected. Scan Attack Block Duration; type the length of time (in seconds) that the Firewall blocks suspicious hosts for after it has detected scan activity.

Issue 1.0, April 2006 Section 364-180-N02

Victim Protection Block Duration; type the length of time (in seconds) that the Firewall blocks packets destined for the victim of a spoofing style attack. Maximum TCP Open Handshaking Count; type in the maximum number of unfinished TCP handshaking sessions (per second) that are allowed by Firewall before a SYN Flood is detected. Maximum Ping Count; type in the maximum number of pings (per second) that are allowed before the Firewall detects an Echo Storm DOS attack. Maximum ICMP Count; type in the maximum number of ICMP packets (per second) that are allowed by the Firewall before an ICMP Flood DOS is detected.

3. Once you have configured Intrusion Detection, click on Apply. The Intrusion Detection settings are applied to the Firewall, and the Security Interface Configuration page is displayed.

These actions have the same effect as typing the following CLI commands:

security enable firewall enable IDS firewall set IDS blacklist firewall set IDS victimprotection firewall set IDS DOSattackblock firewall set IDS SCANattackblock firewall set IDS MaxTCPopenhandshake firewall set IDS MaxPING firewall set IDS MaxICMP firewall set IDS blacklist clear

Issue 1.0, April 2006 Section 364-180-N02

Configuring Alerting



Alerting configuration for Intrusion allows you to send email or paging when there’s intrusion upon your network. The alerting settings will take effect only when intrusion detection is enabled.

1. Go to the Policies, Triggers and Intrusion Detection section of the Security Interface Configuration page. Click on Configure Alerting. The “Alerting Configuration” page is

displayed:

Figure 6-57 Web Tool – Security: Alerting Configuration for Intrusion page

Set Enabled to true if you want to send out email or paging. You have to open the outbound smtp port in the firewall policy if you set Email Enabled to true. You have to open the outbound snpp port in the firewall policy if you set Paging Enabled to true. You can send email to two email

Issue 1.0, April 2006 Section 364-180-N02

addresses or send paging to two recipients at the same time.

Issue 1.0, April 2006 Section 364-180-N02

VPN Configuration

Pre-Shared Key

IPSec is defined by the IETF as a standard approach for establishing a secure connection across an IP network.

IPSec Settings Overview (Example):

LAN/WAN Settings for Branch

Negotiation ID: remote@ABCD.com Intranet address: 192.168.1.0 Intranet subnet mask: 255.255.255.0 Endpoint ID: main@ABCD.com Termination address: 66.122.47.30 Authentication Method: Pre-shared Key Tunnel shared key: test Tunnel type: Public IKE life duration: 3600 IKE hash: SHA IKE encryption: DES IPSec operation: ESP ESP transform: DES ESP AUTH: Null or HMAC_MD5

Office LAN/WAN Settings for Main Office

Negotiation ID: main@ABCD.com Intranet address: 192.168.2.0 Intranet subnet mask: 255.255.255.0 Endpoint ID: remote@ABCD.com Termination address: 66.122.62.184 Authentication Method: Pre-shared Key Tunnel shared key: test Tunnel type: Public IKE life duration: 3600 IKE hash: SHA IKE encryption: DES IPSec operation: ESP ESP transform: DES ESP AUTH: Null or HMAC_MD5

Issue 1.0, April 2006 Section 364-180-N02



Site to Site VPNs

Traditionally, connecting two branch offices of the same company required leasing a dedicated private circuit or a frame relay permanent virtual circuit (PVC) between two locations. By using virtual private networking (VPN) to link two offices together, as show above, can offer considerable savings, while offering a competitive alternative to leased lines or PVCs.

 Basic Ter ms and concepts

• VPN Tunnel: VPN tunnels are created from site to site pair and secure encrypted connection between two points thru a public or third party network.

• Encryption: Is a mathematical operation that transforms data from “clear text” (something that a human or a program can interpret) to “cipher test” (something that cannot be interpreted). Usually the mathematical operation requires that an alphanumeric “key” be supplied along with the clear text. The key and clear text are processed by the encryption operation which leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption: it is the mathematical operation that transforms cipher text to clear text. Decryption also requires a key.

• Authentication: Before any communication can be called private, each party must know the identity of the other. The same holds true for secure network communication: One network system must make sure that the other network system is the intended correspondent. The process of such identity verification is called authentication.

Issue 1.0, April 2006 Section 364-180-N02

• Time to live: The time to live (TTL) indicates the maximum amount of time this IP packet is allowed to remain in the network. Each router is required to decrement this value as it routes the packet. The packet is dropped if this value reaches 0.

• Digital Signatures: Is the electronic analogy to a handwritten signature, and in many ways it is an even stronger device. The key is shared by at least one other party.

• IKE: IKE (Internet Key Exchange) is a protocol negotiation and key exchange protocol that is part of the IPSec protocol suite specified by the Internet Engineering Task Force (IETF). IKE allows communicating parties implementing VPNS to automatically negotiate IPSec SAs to facilitate the implementation of VPNs. With IKE, a separate IKE SA is initially created to provide a secure channel for negotiating an IPSec SAs to facilitate the implementation of VPNs.

• Point-to-Point Protocol (PPP): Point-to-Point Protocol

is the Internet standard for

transmission of IP packets over serial lines. It uses a variation of High Level Data Link

Control (HDLC) for packet encapsulation.

• Point-to-Point Tunneling Protocol (PPTP): A Microsoft-sponsored IETF draft standard for implementing VPNs form the Windows 95/98 operating system to a VPN gateway.

• Layer 2 Tunneling Protocol (L2TP): L2TP is refinement of PPTP and Cisco’s L2F protocol. L2Tp was designed to combine the best features of both PPTP and L2F. L2TP operates, as its name suggests, at Layer 2 in the International Organization for Standardization (ISO) model, and it is a network protocol that creates a tunnel between an L2TP client and an L2TP server, and then encapsulates PPP frames to be sent over tunnel. When using IP as the transport protocol, L2TP can be used as a VPN protocol over the Internet. L2TP has been designed so that it can be used directly over various wide area network (WAN) media (such as Frame Relay) without an IP transport layer, which can extend its usefulness in setting up corporate networks.

• Private Key: A digital key code used to decrypt data and verify digital signatures. This key is kept secret, and is known only to its owner.

• Public key: A trusted and efficient key and certificate management system.

• Public key infrastructure: A trusted and efficient key and certificate management system.

• Hash algorithm

: When a provider issues a certificate, it is not generally the overall certificate but a cryptographic check sum from the certificate that is signed. The procedure used for calculating the check sum is referred to as a hash algorithm, and the check sum is called the hash value.

• Security Associations (SA): An SA defines the kinds of security measures that should be applied to packets based on who is sending the packets, where they are going, and what type of

Issue 1.0, April 2006 Section 364-180-N02

payload they are carrying.

• IPSec: IPSec is a protocol suite defined by the IETF to secure communication at layer 3-the network layer between communicating peers.

• ESP: ESP (Encapsulating Security Payload) protocol [RFC2406] can provide confidentiality with authenticity and integrity, or confidentiality only services.

• Data Encryption Standard (DES): DES function can be used for both encryption and decryption. DES is the most widely used shared key cryptographic algorithm and is both a U.S. and an international standard.

• 3DES: An algorithm that uses DES and one, two, or three keys to encrypt/decrypt/encrypt packets of information.

• Authentication Header (AH): The Authentication Header is a mechanism for providing strong integrity and authentication for IP packets. Confidentiality and protection from traffic analysis is not provided by the Authentication Header.

• IP Payload Compression Protocol (IPCOMP): IP payload compression is a protocol to reduce the size of IP datagrams. IP payload compression is especially useful when encryption is applied to IP datagrams.

• Phase 1 negotiation: IKE defines two modes when negotiating a phase 1 SA: main mode and aggressive mode. There are three negotiating rounds in the IKE phase 1 main mode exchange. In the first round, one ISAKMP entity (the initiator) sends multiple SA proposals to another entity (the responder). The responder chooses one proposal and sends it back to the initiator. In the second round, two peers exchange their key exchange parameters and random use once values called nonces. In the third round, all the exchanged information is authenticated through one of the three authentication mechanisms: shared secret, digital signature, or public key encryption. When shared secret mechanism is employed, the two peers use a secret key derived from a shared secret to create the keyed hash. The keyed hash is then exchanged between two peers and serves as the authenticator. With the second alternative digital signature the authentication between the initiator and the responder is carried out using the digital signature of the negotiation entities. Two peers exchange digitally signed hashes of their identities, public key values, and SA proposals. The third alternative is public key encryption. Here, the two peers exchange the public key encrypted value of their IDs and nonce’s, as well as a keyed hash value.

• Phase 2 Negotiation: During phase 2, security associations are negotiated on behalf of services such as IPSec or any other service that needs keying material or parameter negotiation. Because a secure channel has already been established in phase 1, the negotiation can be performed more

Issue 1.0, April 2006 Section 364-180-N02

quickly: thus, it is referred to as quick mode. The identity of the IKE peers has already been verified in phase 1, and the ISAKMP SA already protects exchanges between the IKE peers. Therefore, the identities passed in quick mode are not the identities of the IKE peers but rather the identities of the selectors to be used in the IPSec security policy database. A phase 1 ISAKMP SA is required when negotiating a phase 2 SA. Once established, a phase 2 SA can exist independently of the phase 1 SA that is later destroyed.

• PKCS #10: Certificate Request Syntax Standard

• PKCS #7: Cryptographic Message Syntax Standard

• PKCS #11: Cryptographic Token Interface Standard

 IPSec Configuration

1. Log in to your router. From the left frame, click Configuration and then click the

IPSec link. Set your Negotiation ID.

IKE defines two modes when negotiating a phase 1 SA: main mode and aggressive mode.

• For Aggressive Mode use a string like remote@ABCD.com or

• For Main Mode use the WAN IP address of your Branch Office (remote) VPN router

(our example shows a setup in Aggressive Mode)

arles Industries, Ltd.

s reserved. Printed in United States of America.

f features and technical specifications herein subject to change without notice.

Charles 3641-80, 3648-80 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual