IP Addr. Enter the IP address of the remote VPN device.
This can be static or dynamic, depending on the settings
of the remote VPN device. The IP address you enter is NOT
the IP address of the local Gateway.
• IP Address Enter the IP address of the VPN device at
the other end of the tunnel.
FQDN Enter the Fully Qualified Domain Name (FQDN) of
the remote VPN device.
• Domain Name Enter the domain name of the VPN
device at the other end of the tunnel.
Any Select this option to have the Router accept requests
from any IP address.
Encryption Using encryption helps make your connection
more secure. Select DES or 3DES (3DES is recommended
because it is more secure). You may choose either of these,
but it must be the same type of encryption that is being
used by the VPN device at the other end of the tunnel. If
you do not choose to encrypt your data, select Disabled.
Authentication Authentication acts as another level
of security. Select MD5 or SHA (SHA is recommended
because it is more secure). As with encryption, either of
these may be selected, if the VPN device at the other end
of the tunnel is using the same type of authentication.
Key Management
A key is a string of letters and/or numbers used for
authentication or encryption. Select Auto (IKE) for
automatic key management by the Internet Key
Exchange (IKE) protocol, or select Manual for manual key
management. The two methods are described below.
Auto (IKE)
Manual
VPN > Manual Key Management
Encryption Key If you chose DES for your Encryption
setting, enter 16 hexadecimal characters, or if you chose
3DES, enter 48 hexadecimal characters.
Authentication Key If you chose MD5 for your
Authentication setting, enter 32 hexadecimal characters,
or if you chose SHA, enter 40 hexadecimal characters.
Inbound SPI Enter the Inbound Security Parameter Index
(SPI). This is the Outbound SPI for the remote VPN device.
Outbound SPI Enter the Outbound Security Parameter
Index (SPI). This is the Inbound SPI for the remote VPN
device.
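The key lengths and the SPI pairing described above can be checked before the values are entered on both devices. The following Python check is an added example, not part of the manual or the Router's firmware; the field names, sample keys and SPI values are constructed for illustration, and only the DES/3DES and MD5/SHA choices are covered.

```python
import string

# Key lengths in hexadecimal characters, as given in the manual text above.
ENC_HEX_LEN = {"DES": 16, "3DES": 48}   # 64-bit and 192-bit keys
AUTH_HEX_LEN = {"MD5": 32, "SHA": 40}   # 128-bit and 160-bit keys


def check_endpoint(cfg):
    """Return a list of problems with one endpoint's manual-key settings."""
    problems = []
    checks = (("encryption", "enc_key", ENC_HEX_LEN),
              ("authentication", "auth_key", AUTH_HEX_LEN))
    for algo_field, key_field, lengths in checks:
        algo, key = cfg[algo_field], cfg[key_field]
        if algo not in lengths:
            problems.append(f"{algo_field}: no key length listed for {algo!r}")
            continue
        if len(key) != lengths[algo]:
            problems.append(f"{key_field}: {algo} needs {lengths[algo]} "
                            f"hex characters, got {len(key)}")
        if not all(c in string.hexdigits for c in key):
            problems.append(f"{key_field}: not hexadecimal")
    return problems


def check_pair(local, remote):
    """Check both ends of a manually keyed tunnel against each other."""
    problems = [f"local {p}" for p in check_endpoint(local)]
    problems += [f"remote {p}" for p in check_endpoint(remote)]
    for field in ("encryption", "authentication"):
        if local[field] != remote[field]:
            problems.append(f"{field} differs between the two ends")
    for field in ("enc_key", "auth_key"):
        if local[field].lower() != remote[field].lower():
            problems.append(f"{field} differs between the two ends")
    # Each side's Inbound SPI must be the other side's Outbound SPI.
    if local["inbound_spi"] != remote["outbound_spi"]:
        problems.append("local Inbound SPI != remote Outbound SPI")
    if local["outbound_spi"] != remote["inbound_spi"]:
        problems.append("local Outbound SPI != remote Inbound SPI")
    return problems


# Constructed sample settings (not real keys).
LOCAL = {"encryption": "3DES", "authentication": "SHA",
         "enc_key": "0123456789abcdef" * 3, "auth_key": "a1b2c3d4e5" * 4,
         "inbound_spi": "1001", "outbound_spi": "2002"}
REMOTE_OK = dict(LOCAL, inbound_spi="2002", outbound_spi="1001")
# Typical mistake: SPIs copied unchanged and a DES-length key used with 3DES.
REMOTE_BAD = dict(LOCAL, enc_key="0123456789abcdef")

if __name__ == "__main__":
    print(check_pair(LOCAL, REMOTE_OK))
    for problem in check_pair(LOCAL, REMOTE_BAD):
        print(problem)
```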
Status
The status of the connection is shown.
The following settings are available if Auto (IKE) is
selected.
Connect Click this button to connect your VPN tunnel.
View Logs To view the logs, click View Logs.
Incoming Log Table
The table shows the Source IP and Destination Port
Number of incoming traffic.
re-keying to enhance security. Select Enabled to ensure
that the initial key exchange and IKE proposals are secure.
Otherwise, select Disabled.
Pre-shared Key Enter a series of numbers or letters.
Based on this word, which MUST be entered at both ends
of the tunnel if this method is used, a key is generated to
scramble (encrypt) the data being transmitted over the
tunnel, where it is unscrambled (decrypted). You may use
any combination of up to 24 numbers or letters in this
field. No special characters or spaces are allowed.
Key Lifetime You may have the key expire at the end
of a time period. Enter the number of seconds you’d like
the key to be useful, or leave it blank for the key to last
indefinitely. The default is 3600 seconds.
Wireless-G Router for Mobile Broadband
VPN > Incoming Log Table
Click Refresh to update the log. Click Close to return to
the VPN screen.
Advanced Settings Before configuring these settings, click
Save Settings on the VPN screen to apply your changes,
or click Cancel Changes to cancel your changes. Then
click Advanced Settings to configure additional
settings.
Advanced IPSec VPN Tunnel Setup
Phase 1 is when the two endpoints negotiate parameters
for key exchange. Phase 2 is when they negotiate
parameters for data exchange.
Chapter 3
Advanced Configuration
Key Lifetime You may optionally select to have the key
expire at the end of a time period of your choosing. Enter
the number of seconds you’d like the key to be used until a
re-key negotiation between each endpoint is completed.
The default is 3600 seconds.
Phase 2
Proposal
Encryption The encryption method selected in Phase 1
is displayed.
Authentication The authentication method selected in
Phase 1 is displayed.
PFS The status of PFS is displayed.
Group Select a Diffie-Hellman group, 768-bit or 1024-
bit. Diffie-Hellman refers to a cryptographic technique
that uses public and private keys for encryption and
decryption.
Key Lifetime The key lifetime selected in Phase 1 is
displayed.
VPN > Advanced IPSec VPN Tunnel Setup
Phase 1
Phase 1 is used to create a Security Association (SA), often
called the IKE SA. After Phase 1 is completed, Phase 2 is
used to create one or more IPSec SAs, which are then used
to key IPSec sessions.
Operation Mode There are two modes: Main and
Aggressive, and they exchange the same IKE payloads
in different sequences. Main mode is more common;
however, some people prefer Aggressive mode because
it is faster. Main mode is for normal usage and includes
more authentication requirements than Aggressive mode.
Main mode is recommended because it is more secure.
No matter which mode is selected, the Router will accept
both Main and Aggressive requests from the remote VPN
device.
Proposal 1
A proposal is a set of parameters that the initiator sends
and the responder examines for acceptability.
Encryption Select the length of the key used to encrypt
and decrypt ESP packets. Select DES or 3DES. 3DES is
recommended because it is more secure.
Authentication Select the method used to authenticate
ESP packets. Select MD5 or SHA. SHA is recommended
because it is more secure.
Group Select a Diffie-Hellman group, 768-bit or 1024-
bit. Diffie-Hellman refers to a cryptographic technique
that uses public and private keys for encryption and
decryption.
Other Setting
NAT Traversal Select this option if the remote device is
behind a Network Address Translation (NAT) device.
NetBIOS broadcast Select this option to enable NetBIOS
traffic to pass through the VPN tunnel. This should be used
if the local network does not include a WINS server and
the remote device(s) need to find local devices by their
NetBIOS names.
Anti-replay Packets sent through an IPSec tunnel
contain sequencing numbers to let the receiver detect if
a substitution has occurred. Select this option to enable
the Anti-replay protection, which keeps track of sequence
numbers as packets arrive, ensuring security at the IP
packet level.
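How a receiver can keep track of sequence numbers is shown below with a sliding window, the usual technique for IPSec anti-replay. This Python code is an added example, not the Router's own implementation; the window size of 64 and the arrival order are assumptions constructed for illustration.

```python
class AntiReplayWindow:
    """Sliding-window replay check over per-tunnel sequence numbers."""

    def __init__(self, size=64):
        self.size = size     # window width in packets (assumed value)
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set means (highest - i) was already seen

    def accept(self, seq):
        """Record seq and return True if it is new; False if it must be dropped.

        A real receiver calls this only after the packet's authentication
        check has passed, so forged packets cannot move the window.
        """
        if seq < 1:
            return False                       # counters start at 1
        if seq > self.highest:                 # newer than anything seen
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset             # late but new: accept once
        return True


def verdicts(sequence_numbers, size=64):
    """Run a list of arriving sequence numbers through a fresh window."""
    window = AntiReplayWindow(size)
    return [window.accept(seq) for seq in sequence_numbers]


# Constructed arrival order: reordering (3 before 2), a replayed 3,
# a jump to 100, then one packet just inside and one just outside the window.
ARRIVALS = [1, 3, 2, 3, 100, 37, 36, 100]

if __name__ == "__main__":
    for seq, ok in zip(ARRIVALS, verdicts(ARRIVALS)):
        print(seq, "accept" if ok else "drop")
```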
Keep-Alive Select this option to have the Router
periodically check your Internet connection. If the tunnel
is disconnected, then the Router will automatically reestablish your connection.
If IKE failed more than _ times, block this unauthorized
IP for __ seconds IKE failure may indicate an intrusion
attempt. You can set a limit on the number of consecutive
failed requests allowed from the same IP address. You can
also specify the amount of time that the Router ignores
further requests from that IP address.
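The blocking behaviour described above can be modelled to see how a chosen limit and block time play out against a sequence of requests. This Python code is an added example, not the Router's firmware; the class name, the limit of 3, the 60-second block and the event list are constructed for illustration.

```python
class IkeFailureBlocker:
    """Model of 'If IKE failed more than N times, block this IP for S seconds'."""

    def __init__(self, max_failures, block_seconds):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.failures = {}         # ip -> consecutive failed requests
        self.blocked_until = {}    # ip -> time at which the block expires

    def handle(self, now, ip, negotiation_ok):
        """Classify one IKE request as 'ignored', 'ok', 'failed' or 'blocked'."""
        if now < self.blocked_until.get(ip, 0):
            # Every request is dropped during the block, valid or not, so a
            # legitimate peer sharing the address is locked out as well.
            return "ignored"
        if negotiation_ok:
            self.failures.pop(ip, None)    # only consecutive failures count
            return "ok"
        count = self.failures.get(ip, 0) + 1
        if count > self.max_failures:      # "more than N times"
            self.failures.pop(ip, None)
            self.blocked_until[ip] = now + self.block_seconds
            return "blocked"
        self.failures[ip] = count
        return "failed"


def replay_events(events, max_failures, block_seconds):
    """Feed (time, ip, ok) events to a fresh blocker and return its verdicts."""
    blocker = IkeFailureBlocker(max_failures, block_seconds)
    return [blocker.handle(t, ip, ok) for t, ip, ok in events]


# Constructed events: (time in seconds, source IP, negotiation succeeded?).
# Addresses come from the documentation ranges.
A, B = "192.0.2.10", "198.51.100.7"
EVENTS = [(0, A, False), (1, A, False), (2, B, False), (3, A, False),
          (4, A, False), (5, A, True), (6, B, True), (30, A, False),
          (64, A, True), (65, B, False)]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay_events(EVENTS, 3, 60)):
        print(event, verdict)
```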
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes. Then close this screen to
return to the VPN screen.
On the VPN screen, click Save Settings to apply your
changes, or click Cancel Changes to cancel your
changes.
Access Restrictions > Internet Access
The Internet Access screen allows you to block or allow
specific kinds of Internet usage and traffic, such as Internet
access, designated services, and websites during specific
days and times.
Access Restrictions > Internet Access
Summary
Status Policies are disabled by default. To enable a policy,
select the policy number from the drop-down menu, and
select Enabled.
To create a policy, follow steps 1-11. Repeat these steps to
create additional policies, one at a time.
1. Select a number from the Access Policy drop-down
   menu.
2. Enter a Policy Name in the field provided.
3. To enable this policy, select Enabled.
4. Click Edit List to select which PCs will be affected by
   the policy. The List of PCs screen appears. You can
   select a PC by MAC address or IP address. You can also
   enter a range of IP addresses if you want this policy to
   affect a group of PCs. After making your changes, click
   Save Settings to apply your changes, or click Cancel
   Changes to cancel your changes. Then click Close.
Internet Access Policy
Access Policy Access can be managed by a policy. Use the
settings on this screen to establish an access policy (after
Save Settings is clicked). Selecting a policy from the drop-down menu will display that policy’s settings. To delete a
policy, select that policy’s number and click Delete This Policy. To view all the policies, click Summary.
Summary
The policies are listed with the following information: No.,
Policy Name, Access, Days, Time, and status (Enabled). To
enable a policy, select Enabled. To delete a policy, click
Delete. Click Save Settings to save your changes, or click
Cancel Changes to cancel your changes. To return to the
Internet Access Policy screen, click Close.
List of PCs
5. Select the appropriate option, Deny or Allow,
   depending on whether you want to block or allow
   Internet access for the PCs you listed on the List of PCs
   screen.
6. Decide which days and what times you want this policy
   to be enforced. Select the individual days during which
   the policy will be in effect, or select Everyday. Then
   enter a range of hours and minutes during which the
   policy will be in effect, or select 24 Hours.
7. You can block websites with specific URL addresses.
   Enter each URL in a separate Website Blocking by URL Address field.
8. You can also block websites using specific keywords.
   Enter each keyword in a separate Website Blocking by Keyword field.
9. You can filter access to various services accessed
   over the Internet, such as FTP or telnet. (You
   can block up to three applications per policy.)
   From the Applications list, select the application you
   want to block. Then click the >> button to move it to
   the Blocked List. To remove an application from the
   Blocked List, select it and click the << button.
10. If the application you want to block is not listed
    or you want to edit a service’s settings, enter the
    application’s name in the Application Name field. Enter
    its range in the Port Range fields. Select its protocol
    from the Protocol drop-down menu. Then click Add.
    To modify a service, select it from the
    Application list. Change its name, port range,
    and/or protocol setting. Then click Modify.
    To delete a service, select it from the Application list.
    Then click Delete.
11. Click Save Settings to save the policy’s settings. To
    cancel the policy’s settings, click Cancel Changes.
Applications and Gaming > Single Port
Forwarding
The Single Port Forwarding screen allows you to customize
port services for common applications on this screen.
When users send these types of requests to your network via
the Internet, the Router will forward those requests to the
appropriate servers (computers). Before using forwarding,
you should assign static IP addresses to the designated
servers (use the DHCP Reservation feature on the Basic Setup
screen).
Applications and Gaming > Single Port Forwarding
Single Port Forwarding
Common applications are available for the first five
entries. Select the appropriate application. Then enter the
IP address of the server that should receive these requests.
Select Enabled to activate this entry.
For additional applications, complete the following fields:
Application Name Enter the name you wish to give the
application. Each name can be up to 12 characters.
External Port Enter the external port number used by
the server or Internet application. Check with the Internet
application documentation for more information.
Internal Port Enter the internal port number used by
the server or Internet application. Check with the Internet
application documentation for more information.
Protocol Select the protocol used for this application,
either TCP or UDP, or Both.
To IP Address For each application, enter the IP address
of the PC that should receive the requests. If you assigned
a static IP address to the PC, then you can click DHCP Reservation on the Basic Setup screen to look up its static
IP address.
Enabled For each application, select Enabled to enable
port forwarding.
Click Save Settings to apply your changes, or click Cancel
Changes to cancel your changes.
Applications and Gaming > Port Range
Forwarding
The Port Range Forwarding screen allows you to set up
public services on your network, such as web servers,
ftp servers, e-mail servers, or other specialized Internet
applications. (Specialized Internet applications are any
applications that use Internet access to perform functions
such as videoconferencing or online gaming. Some Internet
applications may not require any forwarding.)
When users send these types of requests to your network via
the Internet, the Router will forward those requests to the
appropriate servers (computers). Before using forwarding,
you should assign static IP addresses to the designated
servers (use the DHCP Reservation feature on the Basic Setup
screen).
If you need to forward all ports to one computer, click the
DMZ tab.
Applications & Gaming > Port Range
Triggering
The Port Range Triggering screen allows the Router to
watch outgoing data for specific port numbers. The IP
address of the computer that sends the matching data is
remembered by the Router, so that when the requested
data returns through the Router, the data is pulled back
to the proper computer by way of IP address and port
mapping rules.
Applications and Gaming > Port Range Forwarding
Port Range Forwarding
To forward a port, enter the information on each line for
the criteria required.
Application Name In this field, enter the name you
wish to give the application. Each name can be up to 12
characters.
Start~End Port Enter the number or range of port(s)
used by the server or Internet applications. Check
with the Internet application documentation for more
information.
Protocol Select the protocol used for this application,
either TCP or UDP, or Both.
To IP Address For each application, enter the IP address
of the PC running the specific application. If you assigned
a static IP address to the PC, then you can click DHCP Reservation on the Basic Setup screen to look up its static
IP address.
Enabled Select Enabled to enable port forwarding for
the applications you have defined.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
Applications and Gaming > Port Range Triggering
Port Range Triggering
Application Name Enter the application name of the
trigger.
Triggered Range For each application, enter the starting
and ending port numbers of the triggered port number
range. Check with the Internet application documentation
for the port number(s) needed.
Forwarded Range For each application, enter the starting
and ending port numbers of the forwarded port number
range. Check with the Internet application documentation
for the port number(s) needed.
Enabled Select Enabled to enable port triggering for the
applications you have defined.
Click Save Settings to apply your changes, or click Cancel Changes to cancel your changes.
Applications and Gaming > DMZ
The DMZ feature allows one network computer to be
exposed to the Internet for use of a special-purpose
service such as Internet gaming or videoconferencing.
DMZ hosting forwards all the ports at the same time to
one PC. The Port Range Forwarding feature is more secure
because it only opens the ports you want to have opened,
while DMZ hosting opens all the ports of one computer,
exposing the computer to the Internet.
Applications and Gaming > DMZ
DMZ
Any PC whose port is being forwarded must have its DHCP
client function disabled and should have a new static IP
address assigned to it because its IP address may change
when using the DHCP function.
Enabled/Disabled To disable DMZ hosting, select
Disabled. To expose one PC, select Enabled. Then
configure the following settings:
Source IP Address If you want any IP address to be the
source, select Any IP Address. If you want to specify an IP
address or range of IP addresses as the designated source,
select and complete the IP address range fields.
Destination If you want to specify the DMZ host by IP
address, select IP Address and enter the IP address in
the field provided. If you want to specify the DMZ host
by MAC address, select MAC Address and enter the MAC
address in the field provided. To retrieve this information,
click DHCP Client Table.
Click Save Settings to apply your changes, or click Cancel
Changes to cancel your changes.
Applications and Gaming > QoS
Quality of Service (QoS) ensures better service to
high-priority types of network traffic, which may
involve demanding, real-time applications, such as
videoconferencing.
Applications and Gaming > QoS
QoS (Quality of Service)
Wireless
Wireless QoS If you have other devices on your network
that support Wireless QoS, select Enabled. Otherwise,
keep the default, Disabled.
No Acknowledgement If you want to disable the Router’s
Acknowledgement feature, so the Router will not re-send
data if an error occurs, then select Enabled. Otherwise,
keep the default, Disabled.
DMZ > DHCP Client Table
DHCP Client Table
The DHCP Client Table lists computers and other devices
that have been assigned IP addresses by the Router.
The list can be sorted by Client Name, Interface, IP
Address, or MAC Address. To select a DHCP client, click
Select. To retrieve the most up-to-date information,
click Refresh. To exit this screen and return to the DMZ
screen, click Close.
Internet Access Priority
In this section, you can set the bandwidth priority for a
variety of applications and devices. There are four levels
of priority: High, Medium, Normal, or Low. When you set
priority, do not set all applications to High, because this will
defeat the purpose of allocating the available bandwidth.
If you want to select below normal bandwidth, select Low.
Depending on the application, a few attempts may be
needed to set the appropriate bandwidth priority.
Enabled/Disabled To use the QoS policies you have set,
keep the default, Enabled. Otherwise, select Disabled.
Category
There are four categories available. Select one of the
following: Applications, Online Games, MAC Address, Ethernet Port, or Voice Device. Proceed to the instructions
for your selection.
Applications
Applications Select the appropriate application. If you
select Add a New Application, follow the Add a New
Application instructions.
Priority Select the appropriate priority: High, Medium,
Normal, or Low.
Click Add to save your changes. Your new entry will appear
in the Summary list.
Add a New Application
QoS > Add a New Application
Enter a Name Enter any name to indicate the name of
the entry.
Port Range Enter the port range that the application will
be using. For example, if you want to allocate bandwidth
for FTP, you can enter 21-21. If you need services for an
application that uses from 1000 to 1250, you enter 1000-1250 as your settings. You can have up to three ranges
to define for this bandwidth allocation. Port numbers
can range from 1 to 65535. Check your application’s
documentation for details on the service ports used.
Select the protocol TCP or UDP, or select Both.
MAC Address
QoS > MAC Address
Enter a Name Enter a name for your device.
MAC Address Enter the MAC address of your device.
Priority Select the appropriate priority: High, Medium
(Recommend), Normal, or Low.
Click Add to save your changes. Your new entry will appear
in the Summary list.
Ethernet Port
QoS > Ethernet Port
Ethernet Select the appropriate Ethernet port.
Priority Select the appropriate priority: High, Medium
(Recommend), Normal, or Low.
Click Add to save your changes. Your new entry will appear
in the Summary list.
Voice Device
Priority Select the appropriate priority: High, Medium
(Recommend), Normal, or Low.
Click Add to save your changes. Your new entry will appear
in the Summary list.
Online Games
QoS > Online Games
Games Select the appropriate game.
Priority Select the appropriate priority: High, Medium
(Recommend), Normal, or Low.
Click Add to save your changes. Your new entry will appear
in the Summary list.
QoS > Voice Device
Enter a Name Enter a name for your voice device.
MAC Address Enter the MAC address of your voice
device.
Priority Select the appropriate priority: High
(Recommend), Medium, Normal, or Low.
Click Add to save your changes. Your new entry will appear
in the Summary list.
Summary
This lists the QoS entries you have created for your
applications and devices.
Priority This column displays the bandwidth priority of
High, Medium, Normal, or Low.