Manuals / TP-Link / Computer Equipment / Network Router

TP-Link TL-ER6020 manual  IKE Mode, policy on VPN→IKE→IKE Policy page

Models: TL-ER6020

1 168

Download 168 pages 1.21 Kb

Page 94

Mode:	Select the network mode for IPsec policy. Options include:
	 LAN-to-LAN: Select this option when the client is a
	network.
	 Client-to-LAN: Select this option when the client is a host.
Local Subnet:	Specify IP address range on your local LAN to identify which
	PCs on your LAN are covered by this policy. It's formed by IP
	address and subnet mask.
Remote Subnet:	Specify IP address range on your remote network to identify
	which PCs on the remote network are covered by this policy. It's
	formed by IP address and subnet mask.
WAN:	Specify the local WAN port for this Policy. The "Remote
	Gateway" of the remote peer should be set to the IP address of
	this WAN port.
Remote Gateway:	Enter the Remote Gateway. It can be IP address or Domain
	name.
Policy Mode:	Select the negotiation mode for the policy.
	 IKE: The parameters for the VPN tunnel are generated
	automatically via IKE negotiations.
	 Manual: All settings (including the keys) for the VPN tunnel
	are manually inputted and no key negotiation is needed.
 IKE Mode
IKE Policy:	It is available when IKE is selected as the negotiation mode.
	Specify the IKE policy. If there is no policy selection, add new
	policy on VPN→IKE→IKE Policy page.
IPsec Proposal:	Select IPsec Proposal on IKE mode. Up to four IPsec Proposals
	can be selected on IKE mode.
PFS:	Select the PFS (Perfect Forward Security) for IKE mode to
	enhance security. This setting should match the remote peer.
	With PFS feature, IKE negotiates to create a new key in
	-89-

Image 94

TP-Link TL-ER6020 manual  IKE Mode, policy on VPN→IKE→IKE Policy page

Contents

TL-ER6020 Gigabit Dual-WAN VPN Router REV1.0.1 1910010852FCC STATEMENT COPYRIGHT & TRADEMARKSCE Mark Warning CONTENTS Chapter 1 About this GuideChapter 4 Application Network RequirementsGlossary Hardware SpecificationsChapter 5 CLI  Two mounting brackets and other fittings  Installation Guide Package Contents One TL-ER6020 Router  One Power Cord  One Console Cable The following items should be found in your package1.1 Intended Readers SymbolChapter 1 About this Guide 1.2 ConventionsAppendix B FAQ Lists the hardware specifications of this RouterSpecifications Provides the possible solutions to the problems that may occur duringChapter 2 Introduction  Powerful Data Processing Capability Powerful Firewall 2.1 Overview of the Router Easy-to-use 2.2 Features Dual-WAN Ports HardwareTraffic Control 2.3 Appearance2.3.1 Front Panel SecurityStatus  Reset button LEDs Indication Grounding Terminal  Power Socket2.3.2 Rear Panel  Kensington Security Slot3.1 Network Chapter 3 Configuration3.1.2 System Mode 3.1.1 StatusFigure 3-2 Network Topology - NAT Mode Figure 3-3 Network Topology - Non-NAT Mode NAT Mode 3.1.3 WAN  Non-NAT Mode Classic Mode 1 Static IP Static IP Downstream 2 Dynamic IPUpstream Bandwidth Specify the bandwidth for receiving packets on the port Dynamic IP  Dynamic IP Status 3 PPPoEFigure 3-8 WAN - PPPoE 576-1492. The default MTU is 1480. It is recommended to keep the  PPPoE Settingson. The connection can be re-established automatically when it Enter the Account Name provided by your ISP. If you are not clearHere allows you to configure the secondary connection. Dynamic IP Dynamic IP is selected, the obtained subnet address of WAN port is4 L2TP  PPPoE Statuscorrect and your network is connected well. Consult your ISP if Figure 3-9 WAN - L2TP  L2TP SettingsThe following items are displayed on this screen Internet connection by the Connect or Disconnect button. It Secondary DNS  L2TP StatusPrimary DNS Upstream BandwidthFigure 3-10 WAN - PPTP  PPTP Settings5 PPTP The following items are displayed on this screenAccount Name 6 BigPond  PPTP Status StatusPrimary DNS Secondary DNS Upstream Bandwidth Downstream Bandwidth  BigPond Settings IP Address  BigPond StatusStatus Subnet Mask3.1.4.2 DHCP 3.1.4 LAN3.1.4.1 LAN  LAN DHCP Settings 3.1.4.3 DHCP Client 3.1.4.4 DHCP Reservation DHCP Reservation 3.1.5 DMZ List of Reserved Address 3.1.5.1 DMZ  DMZ 3.1.6 MAC AddressTips Set the MAC Address for DMZ port Set the MAC Address for LAN portSet the MAC Address for WAN port  MAC Address3.1.7 Switch 3.1.7.1 Statistics Statistics 3.1.7.2 Port MirrorTips Mode GeneralPort Mirror Mirroring Port3.1.7.3 Rate Control Application Example3.1.7.4 Port Config  Rate Control Port Config 3.1.7.5 Port Status Port VLAN 3.2 User Group3.1.7.6 Port VLAN Tips3.2.2 User  Group Config3.2.1 Group  List of Group3.2.3 View  User Config View Config  List of User3.3 Advanced 3.3.1.1 NAT Setup3.3.1 NAT  NAT-DMZ 3.3.1.2 One-to-One NAT NAPT  One-to-One NAT List of Rules 3.3.1.3 Multi-Nets NAT Multi-Nets NAT  list of Rules Application Example Network RequirementsConfiguration procedure 3.3.1.4 Virtual Server Protocol  Virtual ServerInterface Status Port Triggering 3.3.1.5 Port Triggering List of Rules Status  List of Rules3.3.1.6 ALG 3.3.2 Traffic Control ALG  Default Limit 3.3.2.1 Setup General 3.3.2.2 Bandwidth Control  Interface Bandwidth List of Rules  Bandwidth Control Ruledata flow might pass. Individual WAN port cannot be selected if 3.3.3.1 Session Limit 3.3.3 Session Limit General 3.3.3.2 Session List 3.3.4.1 Configuration3.3.4 Load Balance  Session Limit3.3.4.2 Policy Routing  General 3.3.4.3 Link Backup List of Rules You can select Timing or Failover Mode  GeneralFailover 3.3.4.4 ProtocolTiming Status ： Protocol 3.3.5 Routing3.3.5.1 Static Route  List of Protocol Static Route  List of Rules3.3.5.2 RIP Application ExampleChoose the menu Advanced→Routing→RIP to load the following page  General3.3.5.3 Route Table  List of RIP3.4.1 Anti ARP Spoofing 3.4 Firewall3.4.1.1 IP-MAC Binding IP Address  IP-MAC Binding General Status3.4.1.2 ARP Scanning 3.4.2 Attack Defense 3.4.1.3 ARP ListThe following items are displayed on this screen Figure 3-49 Attack Defense General Enable Attack 3.4.3 MAC Filtering MAC Filtering Packet Anomaly URL Filtering Rule 3.4.4 Access Control3.4.4.1 URL Filtering  List of Rules List of Rules Configuration ProcedureSelect the mode for URL Filtering. “Keyword’’ indicates that all the Application Example Network Requirements Access Rules 3.4.4.3 Access Rules3.4.4.2 Web Filtering other service types can still pass through the Router. You can add group on3.2.1 GroupSelect the service for the entry. Only the service belonging to the Select the Source IP Range for the entries, including the followingPriority 3.4.4.4 Service List of Rules  Service  List of Service Control Rules 3.4.5 App Control3.4.5.1 Control Rules  General3.4.5.2 Database  List of Rules3.5 VPN 3.5.1 IKE3.5.1.1 IKE Policy  IKE PolicySA Lifetime Specify ISAKMP SA Lifetime in IKE negotiation  List of IKE Policy 3.5.1.2 IKE Proposal IKE Proposal 3.5.2 IPsec  List of IKE Proposal General 3.5.2.1 IPsec Policy IPsec Policy Policy Namewhich PCs on the remote network are covered by this policy. Its  IKE Modepolicy on VPN→IKE→IKE Policy page Gateway of the remote peer should be set to the IP address ofde-encrypted. Without PFS, the key in Phase2 is created based  Manual ModePhase2. As it is independent of the key created in Phase1, this de-encrypted, the key in Phase2 is easy to be de-encrypted, in List of IPsec Policy IPsec 3.5.2.2 IPsec ProposalTips  IPsec Proposal 3.5.2.3 IPsec SA  List of IPsec Proposal3.5.3.1 L2TP/PPTP Tunnel Authentication3.5.3 L2TP/PPTP ProtocolProtocol  L2TP/PPTP Tunnel General ModeEnter the account name of L2TP/PPTP tunnel. It should be configured Select the IP Pool Name to specify the address range for the servers IP Address Pool  List of Configurations3.5.3.2 IP Address Pool  List of IP Pool3.5.3.3 List of L2TP/PPTP Tunnel 3.6 Services3.6.1 PPPoE Server 3.6.1.1 GeneralFigure 3-66 General The following items are displayed on this screen  General3.6.1.2 IP Address Pool  IP Address Pool 3.6.1.3 Account List of IP Pool  Account 3.6.1.4 Exceptional IP is 48. If Enable Advanced Account Features is not selected, the List of Account  Exceptional IP 3.6.2 E-Bulletin3.6.1.5 List of Account  List of AccountInterval  E-Bulletin General Title List of E-Bulletin 3.6.3 Dynamic DNSTips 3.6.3.1 DynDNS  Dyndns DDNS List of DynDNS Account 3.6.3.2 No-IP No-IP DDNS 3.6.3.3 PeanutHull  List of No-IP Account PeanutHull DDNS  List of PeanutHull Account 3.6.3.4 Comexe Comexe DDNS 3.6.4 UPnP  List of Comexe Account3.7.1.1 Administrator 3.7 Maintenance3.7.1 Admin Setup  AdministratorRe-enter the new password for confirmation 3.7.1.2 Login Parameter General  Remote Management 3.7.1.3 Remote Management List of Subnet 3.7.2.2 Export and Import 3.7.2.1 Factory Defaults3.7.2 Management Configuration Procedure Export 3.7.2.3 Reboot Configuration Version  Import3.7.2.4 Firmware Upgrade 3.7.3 License3.7.4.1 Interface Traffic Statistics 3.7.4 Statistics Interface Traffic Statistics 3.7.4.2 IP Traffic Statistics  Advanced WAN Information Traffic Statistics 3.7.5 Diagnostics3.7.5.1 Diagnostics  IP Traffic Statistics Ping  TracertDisplays whether the Online Detection is enabled 3.7.5.2 Online Detection List of WAN status  General3.7.6 Time  Config Current Time  List of Logs 3.7.7 Logs Config Description LevelError conditions SeverityChapter 4 Application 4.1 Network Requirements4.3.1 Internet Setting 4.2 Network Topology 4.3 ConfigurationsTips 4.3.1.3 Link Backup 4.3.1.1 System Mode4.3.1.2 Internet Connection Settings 4.3.2 VPN Setting1 IKE Setting 4.3.2.1 IPsec VPNAuthenticationMD5 Encryption3DES  IKE PolicySettings Settings 2 IPsec Setting IPsec Proposal TipsSettings  IPsec PolicyproposalIPsec1 you just created  IP Address Pool 4.3.2.2 PPTP VPN SettingTips Settings  L2TP/PPTP TunnelL2TP/PPTPEnable ProtocolPPTP ModeServer UsernamePPTP Passwordabcdefg  Group 4.3.3 Network Management4.3.3.1 User Group  UserSettings 4.3.3.2 App Control View Settings1 Enable Bandwidth Control 4.3.3.3 Bandwidth ControlSettings 2 Interface Bandwidth3 Bandwidth Control Rule Keep the default value4.3.3.4 Session Limit 4.3.4 Network SecuritySettings 1 Scan and import the entries to ARP List 4.3.4.1 LAN ARP Defense2 Set IP-MAC Binding Entry Manually Settings 4.3.4.2 WAN ARP Defense3 Set Attack Defense 00-11-22-33-44-aa4.3.4.4 Traffic Monitoring 4.3.4.3 Attack Defense1 Port Mirror 2 Statistics Figure 4-23 IP Traffic Statistics 5.1 Configuration Chapter 5 CLIFigure 5-2 Connection Description Figure 5-3 Select the port to connectFigure 5-4 Port Settings Figure 5-5 Connection Properties Settings 1485.2 Interface Mode enable Accessing PathLogout or Access the next mode adminShow command history enableEnter the privileged mode IP configurationIp-mac Bind Mode normal 5.4 Command IntroductionTP-LINK ip-mac get mode TP-LINK # ip-mac set mode restrictThis command will restore system, Continue?Y/N TP-LINK # sys reboot This command will reboot system, Continue?Y/NTP-LINK # sys restore TP-LINK # sys export configGet configuration file config bin succeed, file size is 7104 bytes Password admin File name config.binTry to get the configuration file config.bin TP-LINK sys show CPU Used Rate 1% TP-LINK # sys updateEnter new password Confirm new password TP-LINK user get Username admin Password adminTP-LINK user set password Enter old password TP-LINK # user get Username admin Password adminTP-LINK history View the history command5.4.6 exit 1. history 2. sys show 3. historyStandards Appendix A Hardware SpecificationsPower PortsAppendix B FAQ 4. Make sure that the NAT DMZ service is disabled AH（Authentication Header） Appendix C GlossaryGlossary data authentication, and anti-replay services. ESP encapsulatesGlossary for services such as IPSec that require keys. Before any IPSecDescription Glossary DescriptionTelnet is used for remote terminal connection, enabling users to GlossaryDescription enterprise