Manuals / TRENDnet / Computer Equipment / Network Router

TRENDnet TW100-BRV204 IKE SA Life Time, DH Group, Ike Pfs, VPN Wizard - IKE Phase, IPSec PFS

Models: VPN Firewall Router TW100-BRV204

1 123

Download 123 pages 41.73 Kb

Page 82

IKE SA Life Time

	VPN

IKE SA Life Time	This setting does not have to match the remote VPN endpoint; the
	shorter time will be used. Although measured in seconds, it is com-
	mon to use time periods of several hours, such 28,800 seconds.

DH Group	Select the desired method, and ensure the remote VPN endpoint uses
	the same method. The smaller bit size is slightly faster.

IKE PFS	If enabled, PFS (Perfect Forward Security) enhances security by
	changing the IPsec key at regular intervals, and ensuring that each
	key has no relationship to the previous key. Thus, breaking 1 key
	will not assist in breaking the next key.
	This setting should match the remote endpoint.

Click Next to see the following IKE Phase 2 screen.

	Figure 53: VPN Wizard - IKE Phase 2

IKE Phase 2 (IPsec SA)
IPsec SA Life Time	This setting does not have to match the remote VPN endpoint; the
	shorter time will be used. Although measured in seconds, it is
	common to use time periods of several hours, such 28,800 seconds.

IPSec PFS	If enabled, PFS (Perfect Forward Security) enhances security by
	changing the IPsec key at regular intervals, and ensuring that each
	key has no relationship to the previous key. Thus, breaking 1 key
	will not assist in breaking the next key.

AH Authentication	AH (Authentication Header) specifies the authentication protocol
	for the VPN header, if used.
	AH is often NOT used. If you do enable it, ensure the algorithm
	selected matches the other VPN endpoint.

79

Image 82

TRENDnet TW100-BRV204 manual IKE SA Life Time, DH Group, Ike Pfs, VPN Wizard - IKE Phase, IKE Phase 2 IPsec SA, IPSec PFS

Contents

TW100-BRV204 VPN Firewall Router Cable/DSL Internet Access 4-Port Switching HubUsers Guide Table of Contents P/N 9560KZ0101 Copyright  2003. All Rights Reserved Document Version Introduction TW100-BRV204 FeaturesInternet Access Features ChapterSecurity Features LAN FeaturesConfiguration & Management Advanced Internet FunctionsPackage Contents VPN Gateway FeaturesPhysical Details Front-mounted LEDsRear Panel Requirements InstallationProcedure This Chapter covers the physical installation of the TW100-BRV2043. Connect WAN Cable 4. Power Up5. Check the LEDs This Chapter provides Setup details of the TW100-BRV204 SetupOverview ChapterConfiguration Program PreparationFigure 5 Password Dialog Using your Web BrowserIf you cant connect Type Setup WizardCommon Connection Types DetailsSingTel RAS Other Modems e.g. Broadband WirelessBig Pond Cable Australia TypeHome Screen Navigation & Data InputIdentification WAN Port Configuration ScreenData - WAN Port Screen IP AddressLogin Internet Options screenMAC Address MAC AddressAlso called Network Adapter Address or Physical Address. This is a TCP/IP LAN ScreenData - LAN Screen ButtonsUsing another DHCP Server DHCPUsing the TW100-BRV204 s DHCP Server To Configure your PCs to use DHCPWindows Clients PC ConfigurationTCP/IP Settings - Overview ChapterUsing DHCP Checking TCP/IP Settings - Windows 9x/MEUsing Specify an IP Address Figure 11 Gateway Tab Win 95/98 PC ConfigurationFigure 12 DNS Tab Win 95/98 Figure 13 Windows NT4.0 - TCP/IP Checking TCP/IP Settings - Windows NT4.0TW100-BRV204 User Guide Specify an IP Address Obtain an IP address from a DHCP ServerFigure 14 Windows NT4.0 - IP Address Figure 15 - Windows NT4.0 - Add Gateway PC Configuration Figure 16 Windows NT4.0 - DNSFigure 17 Network Configuration Win Checking TCP/IP Settings - Windows1. Select Control Panel - Network and Dial-up Connection Figure 18 TCP/IP Properties Win Figure 19 Network Configuration Windows XP Checking TCP/IP Settings - Windows XP1. Select Control Panel - Network Connection Using a fixed IP Address Use the following IP Address Using DHCPFigure 20 TCP/IP Properties Windows XP 1. Select Start Menu - Settings - Control Panel - Internet Options Internet AccessAccessing AOL 2. Select Set up or change your Internet ConnectionOther Unix Systems Macintosh ClientsLinux Clients Fixed IP AddressStatus Screen Operation and StatusOperation ChapterSystem Data - Status ScreenInternet ButtonsConnection Connection Status - PPPoEData - PPPoE Screen Connection LogConnect Connection Log MessagesButtons DisconnectConnection Connection Status - PPTPData - PPTP Screen Connection LogData - Telstra Big Pond Screen Connection Status - Telstra Big PondConnection Connection Log Connection Details - SingTel RASData - SingTel RAS Screen ButtonsNetwork Mask ButtonsInternet Connection Details - Fixed/Dynamic IP AddressData - Fixed/Dynamic IP address Screen ButtonsRenew RefreshChapter Internet FeaturesAdvanced Internet Screen OverviewSpecial Applications Screen Communication ApplicationsSpecial Applications Communication ApplicationsFigure 28 Special Applications Screen Using a Special ApplicationData - Special Applications Screen CheckboxURL Filter Filter Strings URL Filter ScreenData - URL Filter Screen ButtonsDynamic DNS Screen Dynamic DNS Domain Name ServerDDNS Service User Name PasswordDDNS Data Domain NameVirtual Servers IP Address seen by Internet UsersDefining your own Virtual Servers Connecting to the Virtual ServersVirtual Servers Screen ServersBackup DNS OptionsData - Options Screen Figure 34 Admin Login Screen Security ConfigurationAdmin Login ChapterFigure 35 Password Dialog Security ConfigurationIf required, you can also define your own Services Access ControlAccess Control Screen GroupCancel Internet AccessServices Members ButtonPCs not assigned to any group will be in the Default group Access Control LogGroup Members Screen PCs deleted from any other Group will be added to the Default groupFirewall Rules Screen Firewall RulesRule List For each rule, the following data is shown Define Firewall Rule Data - Define Firewall Rule ScreenDest IP ServicesAction Enable Logs LogsData - Logs Screen E-Mail Logs TimezoneSyslog Server Data - Security Options Screen Security OptionsSPI Firewall ICMP OptionsRespond to Allow IPsecScheduling Define Schedule ScreenAvailable Services ServicesData - Services Screen Add New ServiceNew Service area on screen Delete the selected service from the listAdd a new entry to the Service list, using the data shown in the Add Clear the Add New Service area, ready for entering data for a newChapter IPSecOverview Remote VPN address VPN ConfigurationPolicies Traffic SelectorVPN Pass-through Common VPN SituationsClient PC to VPN Gateway Connecting 2 LANs via VPN Figure 46 Connecting 2 VPN GatewaysVPN List VPN ConfigurationVPN Policies Screen OperationsMove Adding a New PolicyEnable/Disable CopyGeneral Settings Local IP addresses Remote IP addresses Manual Key ExchangeManually assigned Keys ESP Authenticationtion is enabled KeysIKE Phase 1 IKE SA IKE PhaseFigure 52 VPN Wizard - IKE Phase AuthenticationAH Authentication Figure 53 VPN Wizard - IKE PhaseIKE Phase 2 IPsec SA IKE SA Life TimeFor IKE, configuration is now complete Setting Example 1 Connecting 2 TW100-BRV204sExamples LAN A GateIPSec SA Parameters Setting Example 2 Windows 2000/XP Client to LANTW100-BRV204 Configuration ValueDeselect Activate the default response rule. Click Next Windows Client ConfigurationFigure 56 Windows 2000/XP - Local Security Settings IPSec SA ParametersFigure 57 Windows 2000/XP - Policy Properties Figure 58 IP Filter List8. Enter the Source IP address and the Destination IP address Figure 59 Filter Properties AddressingFigure 60 New Rule Properties IP Filter List Figure 62 Require Security Properties Figure 61 New Rule Properties Filter Action12. Select Negotiate security this selects IKE, then click Add Figure 63 Modify Security Method VPN SettingWindows Setting Figure 64 Require Security PropertiesFigure 65 Tunnel Setting Figure 66 Authentication MethodFigure 67 Windows 2000/XP Client to Broadband VPN Gateway Figure 68 Windows 2000/XP Client to Broadband VPN Gateway22. Click OK to save your changes, then Close Figure 69 Filter Properties AddressingFigure 70 Filter List Figure 71 Filter Action Figure 72 Security MethodsFigure 74 Tunnel Setting Figure 73 Modify Security Method31. Select the General tab Figure 75 Authentication MethodFigure 76 DUT to Win2K Properties TW100-BRV204 User Guide32. Click the Advanced button to see the screen below Figure 78 Key Exchange SettingsFigure 77 Properties - General Tab 33. Click the Methods button to see the screen belowFigure 80 IKE Security Algorithms Configuration is now completeFigure 79 Key Exchange Security Methods Figure 81 Windows 2000/XP Client to Broadband VPN GatewayFigure 82 TW100-BRV204 to Windows 2000 Server Example 3 Windows 2000 Server to VPN GatewaySetting Single ClientWindows 2000 Server Configuration Figure 83 Windows 2000 Server - AddressingTrusted Certificates Using CertificatesSelf Certificates Adding a Trusted Certificate Adding a Self CertificateSignature Algorithm Subject NameHash Algorithm Signature Key LengthCRLs To add a New CRLClick the Browse button, and locate the CRL file on your PC Figure 90 Upload CRL4. Upload the CRL file Select the file. The name will appear in the File to Upload fieldChapter Other Features and SettingsOverview Config File Data - Config File ScreenPC Database PC Database ScreenData - PC Database Screen Other Features and SettingsButtons Data - PC Database Admin Screen PC Database AdminPC Properties IP Address ButtonsRemote Administration Remote AdministrationData - Remote Administration Screen To connect from a remote PC via the InternetRouting Screen RoutingOverview Open Routing and Remote AccessFigure 95 Routing Screen Enable RIPData - Routing Screen Static RoutingOther Routers on the Local LAN Configuring Other Routers on your LANLocal Router ButtonsFor Router Bs Default Route Static Routing - ExampleFor Router As Default Route For the TW100-BRV204 s Routing TableUpgrade Firmware To perform the Firmware UpgradeUPnP UPNPData - UPNP Screen ertiesInternet Access TroubleshootingGeneral Problems Appendix AIt is a security risk, since the firewall is disabled FCC Statement TW100-BRV204Appendix B Specifications CE Marking Warning FCC Radiation Exposure Statement