343, IP-Passthrough, VPN IPSec Pass Through | Netopia 2200 specs

Security

IP-Passthrough

Netopia OS now offers an IP passthrough feature. The IP passthrough feature allows a sin- gle PC on the LAN to have the Gateway’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet.

VPN IPSec Pass Through

This Netopia service supports your independent VPN client software in a transparent man- ner. Netopia has implemented an Application Layer Gateway (ALG) to support multiple PCs running IP Security protocols.

This feature has three elements:

1.On power up or reset, the address mapping function (NAT) of the Gate- way’s WAN conﬁguration is turned on by default.

2.When you use your third-party VPN application, the Gateway recognizes the trafﬁc from your client and your unit. It allows the packets to pass through the NAT “protection layer” via the encrypted IPSec tunnel.

3.The encrypted IPSec tunnel is established “through” the Gateway.

A typical VPN IPSec Tunnel pass through is diagrammed below:

Netopia

Gateway

343

Image 343

Netopia 2200 manual 343, IP-Passthrough, VPN IPSec Pass Through

Contents

Netopia Software User Guide Copyright Table of Contents Expert Mode Security 146 Basic Troubleshooting Command Line Interface 221 Table of Contents Glossary Overview of Major Capabilities Index What’s New Introduction Intended Audience About Netopia Documentation Internal Web Interface Command Line InterfaceDocumentation Conventions General Bold terminal type User-entered text face Word About Example Screens OrganizationPage Basic Mode Setup Power Supply Installation Important Safety Instructions Achtung Wichtige SicherheitshinweiseBewahren Sie diese Anweisungen auf Microsoft Windows Setting up the Netopia Gateway Then go to Step Macintosh MacOS 8 or higher or Mac OS Proceed to Conﬁguring the Netopia Gateway on Conﬁguring the Netopia Gateway Click the Connect to the Internet button MiAVo Vdsl and Ethernet WAN models Quickstart PPPoE Quickstart Configuring the Netopia Gateway Netopia Gateway Status Indicator Lights Home Page Basic Mode DNS Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Open the Web Connection Accessing the Expert Web InterfacePage Home Page Expert Mode Summary Information Home Page InformationField Status and/or Description Dhcp Navigating the Web Interface ToolbarLink Breadcrumb Trail Button Restart Restart Link Alert Symbol Button Help Help Button Conﬁgure ConﬁgureLink Quickstart Click Connect to the Internet Link LAN Configure Page Wireless supported models Privacy Configure Page Advanced Page About Closed System Mode Page WPA Version Allowed Examples Multiple SSIDs Wireless MAC Authorization Page Configure Use Radius Server Advanced Network Conﬁguration page appears IP Gateway WAN IP InterfacesOther WAN Options Available Multiplexing types Available Encapsulation types Sustained Cell Rate SCR Transmit Priority Comments Class Link Advanced IP Static Route Entry page appears Link IP Static RoutesPage Link Pinholes Link IP Static ARP TCP Tips for making Pinhole Entries Gateway Pinhole Conﬁguration Procedure. Use the following steps Page Configure Link IPMaps Ple static 192.168.1.2 IPMaps Block DiagramNetopia Gateway WAN Interface LAN Interface 192.168.1.1 Link Default Server NAT LAN STN #2 Internet Gateway Configure Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link Dhcp Server Link DNS Configure Link Radius Server Link Snmp Page Link Igmp Internet Group Management Protocol Page Configure 100 Link UPnP 101 Link LAN Management 102 Link Advanced Ethernet Bridge 103 Conﬁguring for Bridge Mode 104 Enable Concurrent Bridging/Routing checkbox 105 106 Link Vlan 107 108 Enable Multiple Wireless IDs onVlan Port Conﬁguration screen appears 109 110 111 Link Syslog Parameters 112 System Log Messages Administration Related Log MessagesLog Event Messages 113 114 Access-related Log MessagesDSL Log Messages most common Mented packet 115 Link Software Hosting Link Internal Servers116 List of Supported Games and Software 117 FTP 118 119 Rename a UserPC 120 Link Clear Options 121 Link Time Zone Button Security Security122 123 Link Passwords 124 Use a Netopia Firewall Conﬁguring for a BreakWater SettingLink Firewall 125 126 Tips for making your BreakWater Basic Firewall Selection 127Basic Firewall Background 128 BreakWater Setting ClearSailing SilentRunning LANdLocked 129 130 Link IPSec 131 SafeHarbour IPSec VPN Conﬁguring a SafeHarbour VPN 132 133 IPSec Tunnel Details Parameter Setup Worksheet Parameter Descriptions on page 136 as required 134 Make the Tunnel Details entries 135 Parameter Descriptions 136Field Description PAT Address 137 Soft MBytes 138 139 Link Stateful Inspection Stateful Inspection Firewall installation procedure140 141 Exposed Addresses 142 143 144 Stateful Inspection Options 145 Open Ports in Default Stateful Inspection InstallationPort Protocol Description LAN Private WAN Public Interface 146 Firewall TutorialGeneral ﬁrewall terms Basic IP packet components 147 Basic protocol types Firewall Logic Example TCP/UDP Ports TCP Port ServiceFirewall design rules 148 Implied rules 149 Example ﬁlter set 150 Example network Filter basics151 What it means 152 Example ﬁltersExample 153 154 Link Packet Filter How ﬁlter sets work What’s a ﬁlter and what’s a ﬁlter set?155 156 How individual ﬁlters workFilter priority ﬁltering rule 157Parts of a ﬁlter Port numbers 158Port number comparisons Other ﬁlter attributes 159Putting the parts together Filtering example #1 160 161 Filtering example #2 162 Design guidelines An approach to using ﬁlters163 Adding a ﬁlter set Working with IP Filters and Filter Sets164 165 Adding ﬁlters to a ﬁlter set Netopia Router 166 167 Enter the Source Mask for the source IP address 168 Viewing ﬁlters 169 Deleting ﬁlters Deleting a ﬁlter set170 Modifying ﬁlters 171 Associating a Filter Set with an Interface 172 TOS ﬁeld matching Policy-based Routing using Filtersets173 174 175 Link Security Log Using the Security Monitoring Log176 177 Timestamp Background 178 Button Install Install179 180 Link Install Software Netopia ﬁrmware Image File Required Files181 182 Click the Install Software button Verify the Netopia Firmware Release 183 Procedure Install a New Feature Key File Link Install KeysUse Netopia Software Feature Keys Obtaining Software Feature Keys 185 186 To check your installed features 187 188 Link Install Certiﬁcate 189 190 191 Basic Troubleshooting Ethernet Status Indicator Lights192 Action Ethernet 1, 2, 3 193 194 Wireless DSL Sync 195 196 Special patterns 197 LAN 1, 2, 3 198 DSL Sync 199 200 Front View 201 LED Function Summary Matrix Link 202EN Link Unlit Active 203 Factory Reset Switch 2240N 3397GP2247NWG 3347W/3357W 205 Advanced Troubleshooting 206 Home Status of Connection 207 Button Troubleshoot Expert Mode208 209 Link System Status 210 Link Ports Ethernet 211 Link Ports DSL 212 Link IP Interfaces 213 Link DSL Circuit Conﬁguration 214 Link System Log Entire 215 Link Diagnostics 216 Link Network Tools 217 If Ping is not successful, possible causes are 218 219 220 221 Command Line Interface 222 Overview 223 Command Verbs Status and/or DescriptionKeywords 224 Starting and Ending a CLI SessionLogging Ending a CLI Session Shell Command Shortcuts Using the CLI Help FacilityAbout Shell Commands Saving Settings Common Commands Shell Commands 227 DiagnoseDownload serveraddress ﬁlename conﬁrm Download -cert serveraddress ﬁlename conﬁrm 228 Install serveraddress ﬁlename conﬁrmLicense key Loglevel level Netstat -r Netstat229 Reset dhcp server Reset arpReset atm Reset crash Reset wan-users all ip-address Reset ipmapReset log Reset security-log Show dhcp agent Show featuresShow conﬁg Show crash Show ip ﬁrewall Show ip igmpShow ip interfaces Show ip ipsec Show memory all Show wireless allShow wireless clients MACaddress Show log 235 Upload serveraddress ﬁlename conﬁrmView conﬁg Who WAN Commands Config Mode Prompt About Config CommandsNavigating the Config Hierarchy 238 Netopia-3000/9437188 top quit 239 Entering Commands in Config ModeSet ip ethernet a ipaddress Set ip ethernet a 240 Guidelines Config CommandsDisplaying Current Gateway Settings Step Mode a CLI Conﬁguration Technique 241 Validating Your Conﬁguration DSL Commands Config Commands Set atm vcc n vci 0 Set atm vcc n qos sustained-cell-rate 1 ...nSet atm vcc n qos max-burst-size 1 ...n Set atm vcc n vpi 0 Set bridge concurrent-bridging-routing on off Bridging SettingsSet atm vccn pppoe-sessions 1 Set bridge sys-bridge on off Set bridge dsl vccn option on off Set bridge table-timeout 30Dhcp Settings Set bridge ethernet option on off Set dhcp server-address ipaddress Set dhcp start-address ipaddressSet dhcp end-address ipaddress Set dhcp lease-time lease-time Set dmt autoConﬁg off on DMT SettingsSet dmt wiringMode auto tipring AA1 Set dmt metallic-termination auto disabled alwayson Set dns primary-address ipaddress Domain Name System SettingsSet dns proxy-enable Set dns domain-name domain-name Set igmp query-intvl value Igmp SettingsSet igmp snooping off on Set igmp robustness value Set ip dsl vccn address ipaddress IP SettingsSet ip arp-timeout 60 Set ip option on off Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5 Set ip dsl vccn restriction admin-disabled noneSet ip dsl vccn netmask netmask Set ip dsl vccn addr-mapping on off Set ip ethernet a broadcast broadcastaddress Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5Set ip ethernet a option on off Set ip ethernet a address ipaddress 253 Set ip ethernet a restrictions none admin-disabledSet ip ethernet a netmask netmask Set ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 Set ip ip-ppp vccn option on off Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5Set ip gateway option on off Set ip gateway interface ip-address ppp-vccn Set ip ip-ppp vccn addr-mapping on off Set ip ip-ppp vccn restriction admin-disabled noneSet ip ip-ppp vccn address ipaddress Set ip ip-ppp vccn peer-address ipaddress Set ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5 Set ip ip-ppp vccn rip-send off v1 v2 v1-compat v2-MD5256 257 Set ip static-arp ip-addressipaddressSet ip igmp-forwarding off on Set ip ipsec-passthrough off on 258 Set ip prioritize off onSet diffserv option off on Set diffserv lohi-ratio 60 100 percent 259 Set ip static-routes destination-networknetaddress Set ip sip-passthrough on off260 261 Delete ip static-routes destination-network netaddress Network Address Translation NAT Default Settings IPMaps Settings Set pinhole name name protocol-select tcp udp Set nat-default host-hardware-address MACaddressNetwork Address Translation NAT Pinhole Settings Set pinhole name name PPPoE /PPPoA Settings Set ppp module vccn lcp-echo-requests on off Set ppp module vccn mru integerSet ppp module vccn magic-number on off Set ppp module vccn protocol-compression on off Set ppp module vccn connection-type instant-on always-on Set ppp module vccn restart-timer integerSet ppp module vccn conﬁgure-max integer Set ppp module vccn terminate-max integer Command Line Interface Preference Settings Set ppp module vccn port-authentication username usernameSet ppp module vccn port-authentication password password Ethernet Port Settings 268 Set preference more lines 269 Port Renumbering SettingsSet servers web-http 1 Set servers telnet-tcp 1 270 Security SettingsSet security ipsec option off on off Set security ipsec tunnels name 271 Set security ipsec tunnels name 123 tun-enable on on off 272 Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 Set security ipsec tunnels name 123 xauth username username Set security ipsec tunnels name 123 xauth enable off onSet security ipsec tunnels name 123 xauth password password Set security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 remote-id idvalue Set security ipsec tunnels name 123 local-id idvalue274 275 276 Set security state-insp tcp-timeout 30 Set security state-insp xposed-addr exposed-address# n Set security state-insp udp-timeout 30277 278 Packet Filtering Settings 279 280 281 Snmp Settings 283 System SettingsSet snmp notify type v1-trap v2-trap inform Set system name name Set system persistent-log off on Set system idle-timeout telnet 1...120 http 1Set system username administrator name user name Set system log-size 10240 Sleep Contact-email string@domainname location string Set system password admin user285 286 Set system zerotouch redirect-url redirection-URL Set system zerotouch option on off287 Syslog Set security state-insp eth B option on 289 Wireless Settings supported models Set wireless multi-ssid option on off Set wireless mode both-b-and-g b-only g-only291 292 Set wireless tx-power full medium fair low minimal Set wireless no-bridging off on293 Set wireless network-id privacy default-keyid Set wireless network-id privacy pre-shared-key string294 Example 40bit key 02468ACE02 295Example 256bit key Set radius alt-radius-name servernamestring Set wireless mac-auth option on offSet radius radius-name servernamestring Set radius radius-secret sharedsecret Set vlan name string Set radius radius-port portnumber297 To make the Vlan vlan1 routable add the port lan-uplink 298 Set dslf-lanmgmt option off on Set upnp option on off299 300 301 302 Vdsl Settings 303 Vdsl Parameter Defaults Vdsl Parameters Accepted Values 304 Parameter 305 Etsi M2 CAB 306 307 308 309 310 311 Glossary 312 313 314 315 Ethernet crossover cable. See crossover cable 316 317 318 319 320 321 322 323 324 325 326 327 Description Software and protocols 328 International Agency approvals329 North America 330 Manufacturer’s Declaration of Conformance Declaration for Canadian users 331 332 Important Safety InstructionsAustralian Safety Information Telecommunication installation cautions 333 CFR Part 68 Information 334 Electrical Safety Advisory 335 Overview of Major Capabilities 336 Wide Area Network TerminationPPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATM Instant-On PPP 337 Simpliﬁed Local Area Network SetupDhcp Dynamic Host Conﬁguration Protocol Server DNS Proxy 338 DiagnosticsManagement Embedded Web Server Network Address Translation NAT Remote Access ControlPassword Protection 339 340 Netopia Gateway Pinholes Netopia Advanced Features for NAT341 Internal Servers 342 Default ServerCombination NAT Bypass Conﬁguration IP-Passthrough 343VPN IPSec Pass Through SSL Certiﬁcate Support 344VPN IPSec Tunnel Termination Stateful Inspection Firewall 345 Index 346 347 NAT 255, 262 348 NTP 349 350