Manuals / Billion Electric Company / Computer Equipment / Network Card

Billion Electric Company 30 user manual E.2.1.2 Encapsulating Security Payload ESP

Models: 30

1 209

Download 209 pages 59.73 Kb

Page 161

ESP divides its fields into three components…

Next

Header

Payload

Length

Reserved

SPI

Sequence Number

Authentication Data

E.2.1.2 Encapsulating Security Payload (ESP)

Encapsulating Security Payload (ESP) provides privacy for data through encryption. An encryption algorithm combines the data with a key to encrypt it. It then repackages the data using a special format, and transmits it to the destination. The receiver then decrypts the data using the same algorithm. ESP is usually used with AH to provide added data security.

ESP divides its fields into three components…

ESP Header: Placed before encrypted data, the ESP Header contains the SPI and Sequence Number. Its placement depends on whether ESP is used in transport mode or tunnel mode.

ESP Trailer: Placed after the encrypted data, the ESP Trailewwr contains padding that is used to align the encrypted data.

ESP Authentication Data: This contains an Integrity Check Value (ICV) for when ESP's optional authentication feature is used.

ESP provides authentication, integrity, and confidentiality, which provides data content protection, and protects against data tampering. A typical ESP packet looks like this:

161

Image 161

Billion Electric Company 30 E.2.1.2 Encapsulating Security Payload ESP, ESP divides its fields into three components…

Contents

iBusiness Security Gateway SMB User’s Manual Version Release 7.01 FW1.06pBiGuard BiGuard 30 User’s Manual Updated March 28 Copyright InformationDisclaimer TrademarksSafety Warnings 1.3 Package Contents Table of Contents Chapter 1 IntroductionChapter 2 Router Applications 1.1 Overview 1.2 Product Highlights3.1 Overview 3.2 Before You Begin 3.3 Connecting Your Router Chapter 4 Router Configuration3.4 Configuring PCs for TCP/IP Networking 3.5 Factory Default Settings4.3 Quick Start 4.4 Configuration4.4.2.1 ISP Settings 4.4.2.2 Bandwidth Settings 4.4.2.3 WAN IP Alias4.5 Save Configuration To Flash 4.6 Logout Chapter 5 Troubleshooting5.1 Basic Functionality 5.2 LAN Interface5.4 ISP Connection 5.5 Problems with Date and Time Appendix A Product Specifications Appendix B Customer Support5.6 Restoring Factory Defaults E.1 What is a VPN?E.2.1.1 Authentication Header AH E.2 What is IPSec?E.2.1 IPSec Security Components E.2.2 IPSec ModesWhat is Quality of Service? Appendix H Router Setup ExamplesH.7 VPN Configuration H.12 PPTP Remote Access by Windows XP1.2 Product Highlights Chapter 1 Introduction1.1 Overview BiGuard 30 iBusiness Security Gateway SMB 1.3 Package Contents1.3.2 Rear Panel Power StatusWAN1 WAN2 RESET WAN2 WAN1 LAN 1.3.4 Cabling 2.2 Bandwidth Management with QoS 2.1 OverviewChapter 2 Router Applications 2.2.1 QoS TechnologyVoIP Normal PCs Restricted PC 2.2.2 QoS Policies for Different Applicationslow network latencies to function properly. If bandwidth is being used by other applications such as an FTP server, users using VoIP will experience network lag and/or service interruptions during use. To avoid this scenario, this network has assigned VoIP with a guaranteed bandwidth and higher priority to ensure smooth communications. The FTP server, on the other hand, has been given a maximum bandwidth cap to make sure that regular service to both VoIP and normal Internet applications is uninterrupted policies for different PCs on the network. Policy based traffic shaping lets you better manage your bandwidth, providing reliable Internet and network service to your organization 2.2.7 DiffServ DSCP Marking 2.2.6 Management by IP or MAC address2.3.1 Outbound Fail Over 2.2.8 DSCP Matching2.3 Outbound Traffic ISP 2nd connection 1st Connection192.168.2.2 192.168.2.32.4.1 Inbound Fail Over 2.4 Inbound Traffic2.4.2 Inbound Load Balancing Before Fail OverAfter Fail Over HTTP Remote Access from Internet2.5 DNS Inbound 2.5.1 DNS Inbound Fail Over ISP ISPBefore Fail Over After Fail OverHeavy load on WAN Heavy load on WANDNS Request DNS ReplyIn the example above, the client is making a DNS request. The request is sent to the DNS server of BiGuard 30 through WAN2 1. WAN2 will route this request to the embedded DNS server of BiGuard 30 2. BiGuard 30 will analyze the bandwidth of both WAN1 and WAN2 and decide which WAN IP to reply to the request 3. After the decision is made, BiGuard 30 will route the DNS reply to the user through WAN2 4. The user will receive the DNS reply with the IP address of WAN1 5. The browser will initiate an HTTP request to the WAN1 IP address 6. The HTTP request will be send to BiGuard 30’s URL Host Map 7. The Host Map will then redirect the HTTP request to the HTTP server 8. The HTTP server will reply 9. The URL Host Map will route the packet through WAN1 to the user 10. Finally, the client will receive an HTTP reply packet 2.6 Virtual Private NetworkingBiGuard Client 2.6.1 General VPN Setup2.6.2 VPN Planning - Fail Over Before Fail OverAfter Fail Over BiGuard Before Fail OverChapter 3 Getting Started 3.1 Overview3.2 Before You Begin 3.3 Connecting Your Router 3.4.1 Overview 3.4 Configuring PCs for TCP/IP Networking3.4.2 Windows XP 3.4.2.1 Configuring 1. Select Start Settings Network Connections3. Select Internet Protocol TCP/IP and click Properties 5. Click OK to finish the configuration To verify your settings using a command prompt 3.4.2.2 Verifying Settings1. Click Start Programs Accessories Command Prompt 2. In the Command Prompt window, type ipconfig and then press ENTERAn IP address between 192.168.1.1 and A subnet mask of To verify your settings using the Windows XP GUI1. Click Start Settings Network Connections 3. Click the Support tab Have an IP address between 192.168.1.1 and Have a subnet mask of If you are using BiGuard 30’s default settings, your PC should3.4.3.1 Configuring 1. Select Start Settings Control Panel Page 5. Select Internet Protocol TCP/IP and click Properties 4. In the Local Area Connection window, click PropertiesPage 1. Click Start Programs Accessories Command Prompt 7. Click OK to finish the configuration3.4.3.2 Verifying Settings An IP address between 192.168.1.1 and A subnet mask of 2. In the Command Prompt window, type ipconfig and then press ENTERIf you are using BiGuard 30’s default settings, your PC should have 3.4.4 Windows 98 / Me 3.4.4.1 Installing ComponentsYou must have the following installed a. Click Add b. Select Adapter, then Add If you need to install a new Ethernet adapter, follow these stepsAn Ethernet adapter TCP/IP protocol Client for Microsoft Networks If you need TCP/IP a. Click Add b. Select Protocol, then click Add If you need Client for Microsoft Networks a. Click Add c. Select Microsoft. Æ TCP/IP, then OK3. Restart your PC to apply your changes 3.4.4.2 Configuring 1. Select Start Settings Control Panelb. Select Client, then click Add Page Page 6. Click OK to apply the configuration To check the TCP/IP configuration, use the winipcfg.exe utility 3.4.4.3 Verifying Settings1. Select Start Run 2. Type winipcfg, and then click OK 3. From the drop-down box, select your Ethernet adapterA default gateway of 3.5 Factory Default SettingsWeb Interface Username admin Password admin LAN Device IP Settings An IP address between 192.168.1.1 and A subnet mask of3.6 Information From Your ISP IP address Subnet MaskLAN Port WAN PortDHCP Static IP PPPoE PPTP Big Pond 2. Double-click the Network icon 1. Select Start Settings Control Panel3.6.2.1 Windows 4. Select Internet Protocol TCP/IP and click Properties Page 7. Click OK to save your changes server address automatically radio buttonBiGuard 30 includes a Web Configuration Interface for easy administration via virtually any browser on your network. To access this interface, open your web browser, enter the IP address of your router, which by default is 192.168.1.254, and click Go. A user name and password window prompt will appear. Enter your user name and password the default user name and password are admin and admin to access the Web Configuration Interface 3.7 Web Configuration InterfaceChapter 4 Router Configuration 4.1 Overview4.2.1 ARP Table 4.2 Status4.2.2 Routing Table Sessions 4.2.5 IPSec Status 4.2.7 Traffic Statistics 4.2.6 PPTP Status4.2.9 IPSec Log 4.2.8 System Log4.3.1 DHCP 4.3 Quick Start4.3.3 PPPoE 4.3.2 Static IP4.3.5 Big Pond 4.3.4 PPTP4.4 Configuration Address Mapping 4.4.1.1 Ethernet Subnet Mask Enter the subnet mask 255.255.255.0 by defaultRIP RIP v2 Broadcast and RIP v2 Multicast. Check to enable RIP 4.4.1.2 DHCP Server WAN IP Alias 4.4.1.3 LAN Address MappingPlease click Create to create a LAN Address Mapping rule IP Alias 4.4.2.1 ISP Settings 4.4.2.1.1 DHCP 4.4.2.1.2 Static IP 4.4.2.1.3 PPPoE 4.4.2.1.4 PPTP Settings 4.4.2.1.5 Big Pond Settings 4.4.2.2 Bandwidth Settings 4.4.2.3 WAN IP Alias 4.4.3 Dual WAN 4.4.3.1 General Settings4.4.3.2 Outbound Load Balance Choose one by clicking the corresponding radio button 1. By session mechanism 2. By IP address hash mechanism4.4.3.3 Inbound Load Balance Serial Number It is the version number that keeps in the SOA record Admin. Mail Box The administrator’s email account.e.gadmin@abc.comRefresh Interval The interval refreshes are done. Denoted in seconds Retry Interval The interval retries are done. Denoted in secondsDomain Name The domain name of the local host To add a host mapping URL to the list, click CreateHost URL The URL to be mapped Private IP Address The IP address of the local host4.4.3.4 Protocol Binding Source IP Range All Source IP Click it to specify all source IPs Interface Choose which WAN port to use WAN1, WAN2Destination IP Range All Destination IP Click it to specify all source IPs4.4.4.1 Time Zone 4.4.4.2 Remote Access 4.4.4.3 Firmware Upgrade Allow Remote Access ByOnly the PC Please specify the IP Address that is allowed to access 4.4.4.4 Backup / Restore 4.4.4.5 Restart 4.4.4.6 Password4.4.4.7 System Log Server Click Reset to reset to the default administration password admin4.4.4.8 E-mail Alert 4.4.5.1 Packet Filter When the entry is upper, the priority is higher 4.4.5.2 URL Filter Source IP Select Any, Subnet, IP Range or Single AddressDestination IP Select Any, Subnet, IP Range or Single Address URL Filtering You can choose to Enable or Disable this feature Domains Filtering Click the top checkbox to enable this feature. You can also choose to disable all web traffic except for trusted sites by clicking the bottom checkbox. To edit the list of filtered domains, click Details 4.4.5.3 LAN MAC Filter 4.4.5.4 Block WAN Request 4.4.5.5 Intrusion Detection 4.4.6.1.1 IPSec Wizard You can find two items under the VPN section IPSec and PPTP4.4.6.1 IPSec Connection Name A user-defined name for the connection Back Back to the Previous page Next Go to the next page Back Back to the Previous page Next Go to the next page Next Go to the next page Done Click Done to apply the rule Back Back to the Previous page Next Go to the next page4.4.6.1.2 IPSec Policy Configuring a New VPN ConnectionConnection Name A user-defined name for the connection interface if Auto is selected Any Local Address Will enable any local address on the network DPD Setting DPD, Dead Peer Detection 4.4.6.2 PPTP Peer Encryption Mode Only Stateless or Allow Stateless and StatefulClick Create to create a new PPTP VPN connection account 4.4.7 QoS WAN1 Outbound Creating a New QoS Rule For IP Address Bandwidth TypeFor MAC Address 4.4.8 Virtual Server4.4.8.1 DMZ 4.4.8.2 Port Forwarding Table 4.4.9 Advanced 4.4.9.1 Static Route 4.4.9.2 Dynamic DNS Wildcard Select this check box to enable the DYNDNS Wildcard SNMP Access Control Web Server Settings4.4.9.3 Device Management Device Name4.4.9.4 IGMP SNMP V1 andSNMP 4.4.9.5 VLAN Bridge 4.6 Logout 4.5 Save Configuration To Flash5.1 Basic Functionality Chapter 5 Troubleshooting5.1.1 Router Won’t Turn On 5.1.2 LEDs Never Turn Off5.2.1 Can’t Access BiGuard 30 from the LAN 5.1.4 Forgot My Password5.2 LAN Interface 5.2.2 Can’t Ping Any PC on the LANCheck the corresponding LAN LEDs on your PC’s Ethernet device are on 4. Click OK under Internet Options to close the dialogue Enabling Pop-up Blockers with Exceptions Disabling All Pop-upsIf you only want to allow pop-up windows with your BiGuard 5.2.3.1 Pop-up Windows5.2.3.3 Java Permissions 4. Ensure that Scripting of Java applets is set to Enabled4. Click OK to close the dialogue 5.4 ISP Connection5.3 WAN Interface If an IP address cannot be obtained If an IP address can be obtained, but your PC cannot load any web pages from the Internet 5.5 Problems with Date and Time5.6 Restoring Factory Defaults Virtual Private Network Appendix A Product SpecificationsAvailability and Resilience Quality of Service Control Content FilteringNetwork Protocols and Features FirewallPower Requirement Physical SpecificationsPhysical Interface Operating EnvironmentContact Billion Appendix B Customer SupportThis device may not cause harmful interference Appendix C FCC Interference StatementD.1.1.1 Net mask Appendix D Network, Routing, and Firewall BasicsD.1 Network Basics 10.0.0.0 172.16.0.0 192.168.0.0 D.1.1.2 Subnet AddressingD.1.1.3 Private IP Addresses from these ranges D.2 Router Basics Routers can vary in performance and scale, the types of physical WAN connection they support, and the number of routing protocols supported. BiGuard 30 offers a convenient and powerful way for small-to-medium businesses to connect their networksD.3.1.1 Stateful Packet Inspection D.3.1.2 Denial of Service DoS AttackD.3 Firewall Basics With a LAN connected to the Internet through a router, there is a chance for hackers to access or disrupt your network. A simple NAT router provides a basic level of protection by shielding your network from the outside Internet. Still, there are ways for more dedicated hackers to either obtain information about your network or disrupt your network’s Internet access. Your BiGuard 30 provides an extra level of protection from such attacks with its built-in firewall E.2 What is IPSec? E.1 What is a VPN?Appendix E Virtual Private Networking VPNs are traditionally used three waysThere are three major functions of IPSec E.2.1.1 Authentication Header AHESP divides its fields into three components… E.2.1.2 Encapsulating Security Payload ESPSA is identified by 3 parameters E.2.1.3 Security Associations SAAH/E E.2.3 Tunnel Mode AHTC Dat AH/EESP Authentication Aggressive Mode Main ModeQuick Mode With PFS Quick Mode Without PFSF.2 IPSec Log Event Table F.1 IPSec Log Event Categoriesencryption algorithm, hash algorithm, and authentication method encryption algorithm, hash algorithm, and authentication methodReceived the third message of main mode. Done for authentication Sending the third message of main mode. Done for authenticationSend Aggressive mode first Received Aggressive mode firstIKE Negotiated Status Messages Rejected IKE MessagesISAKMP SA Established IPsec SA Established Main/Aggressive mode peer ID is identifier stringReceived Delete SA payload Deleting ISAKMP State integer G.1 Overview G.2 What is Quality of Service?G.3 How Does QoS Work? Appendix G Bandwidth Management with QoSG.4.1 Home Users G.4 Who Needs QoS?Data Ratio % ApplicationPriority ApplicationAppendix H Router Setup Examples H.1 Outbound Fail OverPage H.2 Outbound Load Balancing Step 2 Configure your WAN2 ISP settings and click Apply Step 6 Click Save Config to save all changes to flash memory General Settings. Select the Fail Over radio button H.3 Inbound Fail OverStep 2 Configure Fail Over options if necessary Step 5 Click Save Config to save all changes to flash memory Step 4 From the same menu, set the WAN2 DDNS settingsBefore Fail Over H.4 DNS Inbound Fail OverAfter Fail Over 1st connectionStep 3 Input DNS Server 1 settings and click Apply Enable radio button and configure DNS Server 1 by clicking EditHeavy load on WAN H.5 DNS Inbound Load BalancingHeavy load on WAN DNS RequestBalance radio button Step 3 Go to Configuration Dual WAN Inbound Load Balance Host URLStep 5 Click Save Config to save all changes to flash memory Mapping and configure your FTP mappingStep 4 Next configure your HTTP mapping Remote Access from Internet H.6 Dynamic DNS Inbound Load Balancinginbound and outbound bandwidth HTTPStep 2 Go to Configuration Dual WAN General Settings and enable Load Balance mode. You may then decide whether to enable Service Detection or not WAN1 Page H.7.1 LAN to LAN H.7 VPN ConfigurationHead Office Branch OfficeLocal RemoteHead Office H.7.2 Host to LANSingle client Before Fail Over H.8 IP Sec Fail Over Gateway to GatewayAfter Fail Over ProposalPage Page BiGuard H.9 VPN ConcentratorBranch A BiGuardand configure the and configure the Balancing radio button H.10 Protocol BindingStep 5 Click Save Config to save all changes to flash memory Step 2 Go to Configuration Dual WAN Protocol Binding and configure settings for WAN1 H.12 PPTP Remote Access by Windows XP H.11 Intrusion DetectionInternet InternetStep3 Click Apply, you can see the account is successfully created ApplyStep2 Click Create to create a PPTP Account Step5 In Windows XP, go Start Settings Network Connections Step4 Click Save Config to save all changes to flash memoryStep7 Select Connect to the network at my workplace and press Next Step6 In Network Tasks, Click Create a new connection, and press NextStep9 Input the user-defined name for this connection and press Next Step8 Select Virtual Private Network connection and press NextStep11 Please press Finish Step10 Input PPTP Server Address and press NextStep12 Double click the connection, and input Username and Password that defined in BiGuard PPTP Account Settings Internet H.13 PPTP Remote Access by BiGuardInternet Branch OfficeStep3 Click Apply, you can see the account is successfully created Step4 Click Save Config to save all changes to flash memoryStep2 Click Create to create a PPTP Account Step6 Click Apply, and Save CONFIG