Manuals / TP-Link / Computer Equipment / Network Router

TP-Link TL-ER6120 manual 3.5.1 IKE, IKE Policy

Models: TL-ER6120

1 169

Download 169 pages 57.81 Kb

Page 90

3.5.1 IKE

technology is developed and used to establish the private network through the public network, which can guarantee a secured data exchange.

VPN adopts the tunneling technology to establish a private connection between two endpoints. It is a connection secured by encrypting the data and using point-to-point authentication. The following diagram is a typical VPN topology.

Figure 3-56 VPN – Network Topology

As the packets are encapsulated and de-encapsulated in the Router, the tunneling topology implemented by encapsulating packets is transparent to users. The tunneling protocols supported by TL-ER6120 contain Layer 3 IPsec and Layer 2 L2TP/PPTP.

3.5.1 IKE

In the IPsec VPN, to ensure a secure communication, the two peers should encapsulate and de-encapsulate the packets using the information both known. Therefore the two peers need to negotiate a security key for communication with IKE (Internet Key Exchange) protocols.

Actually IKE is a hybrid protocol based on three underlying security protocols, ISAKMP (Internet Security Association and Key Management Protocol), Oakley Key Determination Protocol, and SKEME Security Key Exchange Protocol. ISAKMP provides a framework for Key Exchange and SA (Security Association) negotiation. Oakley describes a series of key exchange modes. SKEME describes another key exchange mode different from those described by Oakley.

IKE consists of two phases. Phase 1 is used to negotiate the parameters, key exchange algorithm and encryption to establish an ISAKMP SA for securely exchanging more information in Phase 2. During phase 2, the IKE peers use the ISAKMP SA established in Phase 1 to negotiate the parameters for security protocols in IPsec and create IPsec SA to secure the transmission data.

3.5.1.1IKE Policy

On this page you can configure the related parameters for IKE negotiation.

Choose the menu VPN→IKE→IKE Policy to load the following page.

-85-

Image 90

TP-Link TL-ER6120 manual 3.5.1 IKE, IKE Policy

Contents

TL-ER6120 Multi-WAN VPN Router Rev 1910010516COPYRIGHT & TRADEMARKS FCC STATEMENTCE Mark Warning CONTENTS Chapter 1 About this GuideChapter 4 Application Network RequirementsAppendix A Hardware SpecificationsGlossary Appendix BPackage Contents 1.1 Intended Readers SymbolChapter 1 About this Guide 1.2 ConventionsAppendix B FAQ Lists the hardware specifications of this RouterSpecifications Provides the possible solutions to the problems that may occur duringChapter 2 Introduction z Powerful Data Processing Capabilityz Powerful Firewall 2.1 Overview of the Routerz Easy-to-use 2.2 Featuresz Multi-WAN Ports HardwareTraffic Control 2.3 Appearance2.3.1 Front Panel SecurityStatus z Reset buttonz LEDs Indicationz Power Socket 2.3.2 Rear Panelz Grounding Terminal Chapter 3 Configuration 3.1 Network3.1.1 Status 3.1.2 System Mode Figure 3-1 StatusThe TL-ER6120 Router can work in three modes NAT, Non-NAT and Classic Figure 3-2 Network Topology - NAT Mode Figure 3-3 Network Topology - Non-NAT Modez NAT Mode z Non-NAT Mode¾ WAN Mode 3.1.3.1 WAN Modez Classic Mode 3.1.3 WAN3.1.3.2 WAN1 1 Static IPTips ¾ Static IP 2 Dynamic IP¾ Dynamic IP Unicast ¾ Dynamic IP StatusGet IP Address by Use the following DNS3 PPPoE The following items are displayed on this screen ¾ PPPoE SettingsFigure 3-9 WAN - PPPoE Connection Type Select PPPoE if your ISP provides xDSL VirtualOptional. Enter the ISP address provided by your ISP secondaryIP Address ¾ PPPoE StatusConnection Type Subnet Address4 L2TP IP AddressThe following items are displayed on this screen ¾ L2TP SettingsFigure 3-10 WAN - L2TP Account Name Enter the Account Name provided by your ISP. If you areYou can select the proper Active Mode according to your If Static IP is selected, configure the subnet mask of WANPrimary DNS/Secondary DNS Upstream Bandwidth Downstream Bandwidth ¾ L2TP Status5 PPTP Status IP Address Primary DNS Secondary DNS¾ PPTP Settings Figure 3-11 WAN - PPTPThe following items are displayed on this screen Account Name ¾ PPTP Status 6 BigPondz “Disconnected” indicates that the connection has been ¾ BigPond Settings ¾ BigPond Status Status3.1.4 LAN 3.1.4.1 LAN¾ LAN ¾ DHCP Settings 3.1.4.2 DHCP3.1.4.3 DHCP Client 3.1.4.4 DHCP Reservation¾ DHCP Reservation ¾ List of Reserved AddressActivate or Inactivate the corresponding entry 3.1.5 DMZ 3.1.5.1 DMZ3.1.6 MAC Address ¾ DMZTips Set the MAC Address for DMZ port Set the MAC Address for LAN portSet the MAC Address for WAN port ¾ MAC Address3.1.7 Switch 3.1.7.1 Statistics¾ Statistics 3.1.7.2 Port Mirror ¾ General ¾ Port Mirror3.1.7.3 Rate Control Application ExampleTips 3.1.7.4 Port Config ¾ Rate Control¾ Port Config 3.1.7.5 Port Status¾ Port VLAN 3.2 User Group3.1.7.6 Port VLAN Tips3.2.2 User ¾ Group Config3.2.1 Group ¾ List of Group¾ User Config 3.2.3 View¾ List of User 3.3.1 NAT 3.3.1.1 NAT Setup3.3 Advanced ¾ NAPT3.3.1.2 One-to-One NAT ¾ List of Rules3.3.1.3 Multi-Nets NAT ¾ Multi-Nets NAT¾ list of Rules Application Example Network Requirements Configuration procedure 3.3.1.4 Virtual Server ¾ Virtual Server3.3.1.5 Port Triggering ¾ List of Rules3.3.1.6 ALG ¾ Port Triggering¾ List of Rules 3.3.2.1 Setup 3.3.2 Traffic Control¾ ALG ¾ Interface Bandwidth 3.3.2.2 Bandwidth Control ¾ Bandwidth Control Rule ¾ List of RulesSelect the data stream direction for the entry. The direction of arrowhead 3.3.3 Session Limit 3.3.3.1 Session Limit¾ General 3.3.3.2 Session List 3.3.4.1 Configuration3.3.4 Load Balance ¾ Session Limit3.3.4.2 Policy Routing 3.3.4.3 Link Backup ¾ General¾ List of Rules ¾ General 3.3.4.4 Protocol ¾ List of Rules¾ Protocol 3.3.5 Routing3.3.5.1 Static Route ¾ List of Protocol¾ Static Route ¾ List of RulesApplication Example There is a network topology as the following figure shown3.3.5.2 RIP ¾ General3.3.5.3 Route Table ¾ List of RIP3.4 Firewall 3.4.1 Anti ARP Spoofing3.4.1.1 IP-MAC Binding IP Address ¾ IP-MAC Binding¾ General Status3.4.1.2 ARP Scanning ¾ List of Rules3.4.2 Attack Defense 3.4.1.3 ARP ListFigure 3-48 Attack Defense The following items are displayed on this screen¾ General 3.4.3 MAC Filtering ¾ MAC Filtering¾ General ¾ List of Rules 3.4.4 Access Control3.4.4.1 URL Filtering ¾ GeneralSelect the mode for URL Filtering. “Keyword’’ indicates that all the Configuration Procedure¾ URL Filtering Rule ¾ List of Rules3.4.4.3 Access Rules 3.4.4.2 Web Filtering¾ Access Rules Select the service for the entry. Only the service belonging to theother service types can still pass through the Router. You can add group on3.2.1 Group Select the Source IP Range for the entries, including the followingSelect this option to specify the priority for the added entries. The 3.4.4.4 Service ¾ List of Rules3.4.5 App Control ¾ Service¾ List of Service 3.4.5.1 Control Rules¾ Control Rules ¾ General3.5 VPN 3.4.5.2 Database¾ List of Rules 3.5.1 IKE 3.5.1.1 IKE Policy¾ IKE Policy 3.5.1.2 IKE Proposal ¾ List of IKE Policy¾ IKE Proposal 3.5.2 IPsec 3.5.2.1 IPsec Policy¾ List of IKE Proposal ¾ IPsec Policy Select the network mode for IPsec policy. Options include¾ General z IKE Mode Incoming SPI z Manual ModeIPsec Proposal Key-In3.5.2.2 IPsec Proposal ¾ List of IPsec Policy IPsecTips ¾ IPsec Proposal 3.5.2.3 IPsec SA ¾ List of IPsec Proposal3.5.3.1 L2TP/PPTP Tunnel Authentication3.5.3 L2TP/PPTP Protocol¾ L2TP/PPTP Tunnel Specify the working mode for this Router. Options include¾ General TunnelSelect the network mode for the tunnel. Options include tunnel¾ List of Configurations 3.5.3.2 IP Address Pool¾ IP Address Pool 3.5.3.3 List of L2TP/PPTP Tunnel 3.6 Services3.6.1 PPPoE Server ¾ List of IP Pool¾ General PPPoE Server Dial-up Access Only 3.6.1.1 General3.6.1.2 IP Address Pool Idle Timeout Authentication Auth Protocol Radius Server Shared KeyPool Name 3.6.1.3 Account¾ IP Address Pool IP Address Range¾ Account 3.6.1.4 Exceptional IP ¾ List of Account¾ Exceptional IP 3.6.2 E-Bulletin 3.6.1.5 List of Account¾ List of Account Enable Logs ¾ E-BulletinEnable E-Bulletin ¾ GeneralContent Object Effective Time Publisher Description Status 3.6.3 Dynamic DNS¾ List of E-Bulletin Tips3.6.3.1 DynDNS ¾ Dyndns DDNS3.6.3.2 No-IP ¾ List of DynDNS Account¾ No-IP DDNS 3.6.3.3 PeanutHull ¾ List of No-IP Account¾ PeanutHull DDNS 3.6.3.4 Comexe ¾ List of PeanutHull Account¾ Comexe DDNS 3.6.4 UPnP ¾ List of Comexe Account3.7.1.1 Administrator 3.7 Maintenance3.7.1 Admin Setup ¾ List of UPnP Mapping3.7.1.2 Login Parameter ¾ AdministratorTips Web Management Port Enter the Web Management Port for the Router Configuration Procedure¾ General Application Example Network Requirements3.7.1.3 Remote Management 3.7.2.1 Factory Defaults3.7.2 Management ¾ Remote Management3.7.2.2 Export and Import 3.7.2.3 Reboot¾ Configuration Version ¾ Export3.7.2.4 Firmware Upgrade 3.7.3 License3.7.4 Statistics 3.7.4.1 Interface Traffic Statistics¾ Interface Traffic Statistics 3.7.4.2 IP Traffic Statistics ¾ Advanced WAN Information3.7.5 Diagnostics 3.7.5.1 Diagnostics¾ IP Traffic Statistics ¾ Ping 3.7.5.2 Online Detection ¾ Tracert¾ General 3.7.6 Time ¾ List of WAN status¾ Current Time ¾ Config 3.7.7 Logs¾ List of Logs Level Send System LogsDescription Chapter 4 Application 4.1 Network Requirements4.2 Network Topology 4.3 Configurations 4.3.1 Internet SettingTips 4.3.1.1 System Mode 4.3.1.2 WAN Mode4.3.1.3 Internet Connection 4.3.1.4 Link Backup Figure 4-4 Link Backup 131Figure 4-3 WAN - Static IP Settings 4.3.2 VPN Setting1 IKE Setting 4.3.2.1 IPsec VPNPolicy Name Tipsz IPsec Policy 2 IPsec Settingz IPsec Proposal SettingsTips proposalIPsec1 you just createdz L2TP/PPTP Tunnel 4.3.2.2 PPTP VPN Settingz IP Address Pool Settings4.3.3 Network Management 4.3.3.1 User Groupz Group Figure 4-11 Group Config z Userz View Settings4.3.3.3 Bandwidth Control 1 Enable Bandwidth Control4.3.3.2 App Control SettingsSettings 2 Interface Bandwidth3 Bandwidth Control Rule Keep the default value4.3.4 Network Security 4.3.3.4 Session LimitSettings 4.3.4.1 LAN ARP Defense 1 Scan and import the entries to ARP List2 Set IP-MAC Binding Entry Manually Settings 4.3.4.2 WAN ARP Defense3 Set Attack Defense 00-11-22-33-44-aa4.3.4.3 Attack Defense 4.3.4.4 Traffic Monitoring1 Port Mirror 2 Statistics Figure 4-25 IP Traffic Statistics 5.1 Configuration Chapter 5 CLIFigure 5-2 Connection Description Figure 5-3 Select the port to connectFigure 5-4 Port Settings Figure 5-5 Connection Properties Settings 149Logout or Access the next 5.2 Interface ModeAccessing Path Modeadmin 5.3 Online Help5.4 Command Introduction 5.4.2 ip-mac TP-LINK ip-mac get modeTP-LINK # ip-mac set mode restrict 5.4.1 ipTP-LINK # sys restore TP-LINK # sys export configTP-LINK # sys import config 5.4.4 user5.4.5 history TP-LINK user set password Enter old passwordTP-LINK # user set password Enter old password TP-LINK # user set username Enter new username tplinkTP-LINK history clear View the history command5.4.6 exit Exit CLIStandards Appendix A Hardware SpecificationsPower PortsAppendix B FAQ 4. Make sure that the NAT DMZ service is disabled AH （Authentication Header ） Appendix C GlossaryGlossary data authentication, and anti-replay services. ESP encapsulatesfor services such as IPSec that require keys. Before any IPSec GlossaryDescription Glossary DescriptionTelnet is used for remote terminal connection, enabling users to Glossary Description