Manuals / TRENDnet / Computer Equipment / Network Router

TRENDnet BRV204 Authentication, Algorithm, Encryption, IKE Exchange, Mode, Direction, DH Group

Models: BRV204

1 146

Download 146 pages 58.45 Kb

Page 84

Authentication

TW100-BRV204 User Guide

Authentication	• RSA Signature requires that both VPN endpoints have valid
	Certificates issued by a CA (Certification Authority).
	• For Pre-shared key, enter the same key value in both endpoints.
	The key should be at least 8 characters (maximum is 128 charac-
	ters). Note that this key is used for the IKE SA only. The keys
	used for the IPsec SA are automatically generated.
Authentication	Select the desired option, and ensure that both endpoints have the
Algorithm	same settings.
Encryption	Select the desired method, and ensure the remote VPN endpoint uses
Algorithm	the same method.
	• The 3DES algorithm provides greater security than DES, but is
	slower.
	• If using AES, you must select the Key Size. If using DES or
	3DES, this field is ignored.
IKE Exchange	Select the desired option, and ensure the remote VPN endpoint uses
Mode	the same mode.
	• Main Mode provides identity protection for the hosts initiating
	the IPSec session, but takes slightly longer to complete.
	• Aggressive Mode provides no identity protection, but is quicker.
Direction	Select the desired option:
	• Initiator - Only outgoing connections will be created. Incoming
	connection attempts will be rejected.
	• Responder - Only incoming connections will be accepted.
	Outgoing traffic which would otherwise result in a connection
	will be ignored.
	• Both Directions - Both incoming and outgoing connections are
	allowed.
IKE SA Life Time	This setting does not have to match the remote VPN endpoint; the
	shorter time will be used. Although measured in seconds, it is com-
	mon to use time periods of several hours, such 28,800 seconds.
DH Group	Select the desired method, and ensure the remote VPN endpoint uses
	the same method. The smaller bit size is slightly faster.
IKE PFS	If enabled, PFS (Perfect Forward Security) enhances security by
	changing the IPsec key at regular intervals, and ensuring that each
	key has no relationship to the previous key. Thus, breaking 1 key
	will not assist in breaking the next key.
	This setting should match the remote endpoint.
IKE Keep Alive

Click Next to see the following IKE Phase 2 screen.

80

Image 84

TRENDnet BRV204 Authentication, Algorithm, Encryption, IKE Exchange, Mode, Direction, IKE SA Life Time, DH Group, Ike Pfs

Contents

Page Page Table of Contents TW100-BRV204 FeaturesPackage Contents CHAPTER 2 INSTALLATIONVPN Configuration Server SetupWindows Client Setup CHAPTER 10 OTHER FEATURES & SETTINGSTW100-BRV204 Features Internet Access FeaturesIntroduction ChapterLAN Features Configuration & ManagementAdvanced Internet Functions Package Contents Security FeaturesIPSec VPN Gateway Features Microsoft VPN Gateway SupportPhysical Details Front-mounted LEDsPower Figure 2 Front PanelUsing the DMZ Port Rear PanelReset Button To Clear All Data and restore the factory default valuesAdvantages of the DMZ Port Installation ProcedureRequirements This Chapter covers the physical installation of the TW100-BRV2044. Power Up 3. Connect WAN Cable5. Check the LEDs Setup OverviewThis Chapter provides Setup details of the TW100-BRV204 ChapterConfiguration Program PreparationUsing your Web Browser Figure 5 Password DialogIf you cant connect TW100-BRV204 User’s Guide Setup Wizard Common Connection TypesType DetailsOther Modems e.g. Broadband Wireless Big Pond Cable AustraliaSingTel RAS TypeHome Screen Navigation & Data InputFigure 6 Home Screen LAN Screen Save CancelFigure 7 LAN Screen TCP/IPDHCP Using the TW100-BRV204 s DHCP ServerUsing another DHCP Server To Configure your PCs to use DHCPPC Configuration TCP/IP Settings - OverviewWindows Clients ChapterChecking TCP/IP Settings - Windows 9x/ME Using DHCPUsing Specify an IP Address Figure 8 Network ConfigurationFigure 10 Gateway Tab Win 95/98 Figure 11 DNS Tab Win 95/98TW100-BRV204 User Guide Checking TCP/IP Settings - Windows NT4.0 PC ConfigurationFigure 12 Windows NT4.0 - TCP/IP Figure 13 Windows NT4.0 - IP AddressObtain an IP address from a DHCP Server Specify an IP AddressFigure 14 - Windows NT4.0 - Add Gateway PC Configuration Figure 15 Windows NT4.0 - DNSChecking TCP/IP Settings - Windows Figure 16 Network Configuration Win1. Select Control Panel - Network and Dial-up Connection Figure 17 TCP/IP Properties WinUsing DHCP Using a fixed IP Address Use the following IP AddressChecking TCP/IP Settings - Windows XP Figure 18 Network Configuration Windows XP1. Select Control Panel - Network Connection Using DHCP Using a fixed IP Address Use the following IP AddressFigure 19 TCP/IP Properties Windows XP Internet Access Accessing AOL1. Select Start Menu - Settings - Control Panel - Internet Options 2. Select Set up or change your Internet ConnectionMacintosh Clients Linux ClientsOther Unix Systems Ensure you are logged in as root before attempting any changesOperation and Status OperationStatus Screen ChapterInternet Connection MethodBroadband Modem Internet ConnectionConnection Status - PPPoE Figure 21 PPPoE Status ScreenConnection Physical AddressButtons ConnectDisconnect Clear LogConnection Status - PPTP Figure 22 PPTP Status ScreenConnection Physical AddressConnection Status - Telstra Big Pond Clear LogRefresh Figure 23 Telstra Big Pond Status ScreenConnection Details - SingTel RAS Default GatewayConnection Log Connection LogDNS IP Address DHCP Client ButtonsRelease/Renew Button will display EITHER Release OR Renew Refresh Connection Details - Fixed/Dynamic IP Address Physical Address IP Address Network Mask Default GatewayFigure 25 Connection Details - Fixed/Dynamic IP Address InternetUpdate the data shown on screen RefreshOperation and Status Internet Features The following advanced features are provided WAN Port ConfigurationChapter OverviewWAN Port Configuration Figure 26 WAN Port Configuration ScreenIdentification HostnameEnable NAT Disable NATDisabling NAT will disable Internet access, unless all PCs have LoginAdvanced Internet Communication ApplicationsFigure 27 Internet Screen Communication ApplicationsSpecial Applications Use this to Enable or Disable this Special Application as requiredFigure 28 Special Applications Screen CheckboxMulti-DMZ Using a Special ApplicationIncoming Ports Outgoing PortsURL Filter URL Filter ScreenFigure 29 URL Filter Screen Filter StringsDynamic DNS Domain Name Server Dynamic DNS ScreenThe Service works as follows DDNS ServiceDDNS Service User Name Password/Key Domain Name DDNS Status DDNS DataVirtual Servers IP Address seen by Internet UsersFigure 31 Virtual Servers Connecting to the Virtual Servers Virtual Servers ScreenDefining your own Virtual Servers EnableOptions Backup DNSFigure 33 Options Screen IP AddressSecurity Configuration Admin LoginFigure 34 Admin Login Screen ChapterFigure 35 Password Dialog Security ConfigurationAccess Control Access Control ScreenIf required, you can also define your own Services Figure 36 Access Control ScreenInternet Access ServicesCancel Members ButtonAccess Control Log Group Members ScreenPCs not assigned to any group will be in the Default group PCs deleted from any other Group will be added to the Default groupFirewall Rules Firewall Rules ScreenThis feature is for advanced administrators only Figure 38 Firewall Rules ScreenData Add Edit Move Delete View Log System Rules Define Firewall Rule Figure 39 Define Firewall RuleName TypeServices Dest IPAction Logs Enable LogsData - Logs Screen Figure 40 Logs ScreenEnable Syslog System LogRouter operations start up, get time etc - This option will log Connections to the Web - based interface of this Router - ThisE-mail Figure 41 E-Mail ScreenE-Mail Alerts Send E-Mail alertdefault value is SubjectEnter the text string to be shown in the Subject field for the E mailSecurity Options Enable DoS Firewall ThresholdData - Security Options Screen Figure 42 Security Options ScreenOptions Respond to ICMP ping Allow VPN pass- throughDrop fragmented IP packets Block TCP Flood Block UDP Flood Block non- standard packetsScheduling Define Schedule ScreenEnter the start using a 24 hr clock Enter the finish time using a 24 hr clockServices Figure 44 Services ScreenAvailable Services Available ServicesVPN IPSec IPSecThe TW100-BRV204 does NOT support Transport Mode The TW100-BRV204 always uses Tunnel ModeVPN Configuration PoliciesVPN Endpoint addressCommon VPN Situations VPN Pass-throughClient PC to VPN Gateway Figure 45 VPN Pass-throughConnecting 2 LANs via VPN Figure 47 Connecting 2 VPN GatewaysVPN Configuration VPN Policies ScreenEnable Figure 48 VPN Policies ScreenAdding a New Policy Enable/DisableMove CopyGeneral Settings Policy Name Enable Policy Allow NetBIOS traffic Remote VPN EndpointFigure 50 VPN Wizard - General Screen KeysFigure 51 VPN Wizard - Traffic Selector Screen Local IP addressesType Remote IP addresses TypeFigure 52 VPN Wizard - Manual Key Exchange Screen Manually assigned KeysESP Authentication tion is enabledESP Encryption Encryption AlgorithmIKE Phase Figure 53 VPN Wizard - IKE Phase 1 ScreenIKE Phase 1 IKE SA Authentication AuthenticationAlgorithm EncryptionFigure 54 VPN Wizard - IKE Phase 2 Screen IKE Phase 2 IPsec SAAH Authentication ESP AuthenticationFor IKE, configuration is now complete Click Next to view the final screenFigure 55 VPN Wizard - Final Screen TW100-BRV204 User GuideExample 1 Connecting 2 TW100-BRV204 s VPN ExamplesFigure 56 Connecting 2 TW100-BRV204 s SettingIPSec SA Parameters Example 2 Windows 2000/XP Client to LAN SettingFigure 57 Windows 2000/XP Client to TW100-BRV204 ValueWindows Client Configuration Figure 58 Windows 2000/XP - Local Security SettingsDeselect Activate the default response rule. Click Next IPSec SA ParametersFigure 59 Windows 2000/XP - Policy Properties Figure 60 IP Filter ListFigure 61 Filter Properties Addressing 8. Enter the Source IP address and the Destination IP addressFigure 62 New Rule Properties IP Filter List Figure 63 New Rule Properties Filter Action Figure 64 Require Security Properties12. Select Negotiate security this selects IKE, then click Add Microsoft VPNVPN Setting Windows SettingFigure 65 Modify Security Method Figure 66 Require Security PropertiesFigure 67 Tunnel Setting Figure 68 Authentication MethodFigure 69 Windows 2000/XP Client to TW100-BRV204 Figure 70 Windows 2000/XP Client to TW100-BRV204Figure 71 Filter Properties Addressing 22. Click OK to save your changes, then CloseFigure 72 Filter List Microsoft VPNFigure 73 Filter Action Figure 74 Security MethodsFigure 76 Tunnel Setting Figure 75 Modify Security MethodFigure 77 Authentication Method Figure 78 DUT to Win2K Properties31. Select the General tab TW100-BRV204 User GuideFigure 80 Key Exchange Settings Figure 79 Properties - General Tab32. Click the Advanced button to see the screen below 33. Click the Methods button to see the screen belowConfiguration is now complete Figure 81 Key Exchange Security MethodsFigure 82 IKE Security Algorithms Figure 83 Windows 2000/XP Client to TW100-BRV204Example 3 Windows 2000 Server to VPN Gateway SettingFigure 84 TW100-BRV204 to Windows 2000 Server Single ClientWindows 2000 Server Configuration Figure 85 Windows 2000 Server - AddressingCertificates Trusted CertificatesRequesting a Trusted Certificate Issuer NameSelf Certificates Issuer NameFigure 87 Add Trusted Certificate Figure 88 Self Certificates ScreenRequesting a Self Certificate Delete buttonSelf Certificate Requests Request ListName Subject NameHash Algorithm Signature AlgorithmCRLs To add a New CRLFigure 91 Upload Self Certificate Status Figure 92 Certificate Revocation ListsFigure 93 Upload CRL Figure 94 VPN Status ScreenVPN Status Policy NameSA Type VPN EndpointServer Setup Microsoft VPNChapter OverviewClient Database EnableAuthentication PPTP ServerLogin Name Login PasswordVerify Password Update SelectedThis indicates whether or not the PPTP VPN Server is enabled Status ScreenFigure 97 Microsoft VPN Status Screen Server StatusWindows Client Setup Windows 98/ME1. Click Start - Settings - Dial-up Networking 2. Select Make New Connection2. Select Start - Settings - Dial-up Networking To establish a connectionWindows ME VPN Dialing Properties Windows Figure 100 Windows 2000 Network ConnectionFigure 101 Windows 2000 Public Network Figure 102 Windows 2000 VPN Host Click Next to continueFigure 103 Windows 2000 Connection Availability Microsoft VPNFigure 104 Windows 2000 Finish Wizard Windows XP Figure 105 Windows XP Network Connection TypeFigure 106 Windows XP Network Connection Figure 107 Windows XP Connection Name 4. Enter a suitable name for this connection. Click Next to continueFigure 108 Windows XP Public Network Figure 109 Windows XP VPN ServerChanging the connection settings To establish a connectionFigure 110 Windows XP Connection Availability Other Features & Settings Config FileDiagnostics Remote AdminConfig File Data - Config File ScreenFigure 111 Config File Screen Network Diagnostics Figure 112 Network Diagnostics ScreenPing IP AddressPC Database PC Database ScreenFigure 113 PC Database Administration Known PCsName IP AddressPC Database Admin Figure 114 PC Database AdminKnown PCs PC PropertiesUpdate Selected ButtonsAdd as New EntryRemote Administration Figure 115 Remote Administration ScreenSettings EnableAccess To connect from a remote PC via the InternetPort Number Allow RemoteRouting OverviewRouting Screen Open Routing and Remote AccessEnable RIP Data - Routing ScreenFigure 116 Routing Screen Static RoutingConfiguring Other Routers on your LAN Save Add Update Delete Clear Form Generate ReportProperties ButtonsStatic Routing - Example Other Routers on the Local LANFor the TW100-BRV204 s Routing Table Figure 117 Routing ExampleFor Router As Default Route For Router Bs Default RouteOther Features and Settings Upgrade Firmware Figure 118 Upgrade Firmware ScreenUpgrade Firmware PasswordUPnP Enable UPnP Services Allow Configu rationAllow Internet access to be disabled Figure 119 UPnP ScreenTroubleshooting General ProblemsInternet Access Appendix AIt is a security risk, since the firewall is disabled Appendix B Specifications TW100-BRV204FCC Statement CE Marking Warning FCC Radiation Exposure StatementLimited Warranty TW100-BRV204 - 5 Years WarrantyTechnical Support TRENDware Technical Support Tel +1-310-891-1100 Fax +1-310-8911111E-mail support@trendware.com TW100-BRV204 User Guide