Declaration of Conformity
We, Manufacturer/Importer OvisLink Corp., 5F., NO.6, Lane 130, Min-Chuan Rd.
AirLive IP-2000VPN CE Declaration Statement
Country | Declaration
cs Česky [Czech] | OvisLink Corp. hereby declares that this AirLive IP-2000VPN is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
da Dansk [Danish] | The undersigned OvisLink Corp. hereby declares that the following equipment, AirLive IP-2000VPN, complies with the essential requirements and other relevant requirements of Directive 1999/5/EC.
de Deutsch [German] | OvisLink Corp. hereby declares
Copyright
The contents of this publication may not be reproduced in any part or as a whole, stored, transcribed in an information retrieval system, translated into any language, or transmitted in any form or by any means, mechanical, magnetic, electronic, optical, photocopying, manual, or otherwise, without the prior written permission.
Trademarks
All products, company and brand names are trademarks or registered trademarks of their respective companies. They are used for identification purposes only.
Table of Contents
Chapter 1 Introduction ... 4
1.1 Features ... 5
1.2 Installation of the Router ... 8
1.3 Front Panel and Rear Panel ...
Chapter 9 Status ... 132
9.1 Connection Status – PPPoE ... 134
9.2 Connection Status – PPTP ... 136
9.3 Connection Status – Telstra Big Pond ...
Chapter 1 Introduction
The AirLive Internet VPN Router, IP-2000VPN, features an IPSec and PPTP VPN server, offering easy-to-install VPN connections for office-to-office or client-to-office environments. Follow the wizard to configure IPSec VPN, and setting up your own VPN environment will not be a difficult job.
1.1 Features
IPSec VPN Features
• IPSec. Support for IPSec standards, including IKE and certificates.
• 10 Tunnels. Up to 10 VPN tunnels can be created.
• IPSec Authentication and Encryption. Support for DES, 3DES and AES-128/192/256-bit encryption, and MD5 and SHA-1 authentication.
Microsoft VPN Gateway Support
• PPTP Server. The IP-2000VPN emulates a Microsoft PPTP VPN Server, allowing clients to use the Microsoft VPN client provided in Windows.
• Windows Client Support.
Advanced Internet Functions
• Communication Applications. Support for Internet communication applications, such as interactive games, telephony and conferencing applications, which are often difficult to use when behind a firewall, is included.
• Special Internet Applications. Applications which use non-standard connections or port numbers are normally blocked by the firewall. The ability to define and allow such applications is provided, so that they can be used normally.
LAN Features
• 3-Port Switching Hub. The IP-2000VPN incorporates a 3-port 10/100BaseT switching hub, making it easy to create or extend your LAN.
• DHCP Server Support. Dynamic Host Configuration Protocol provides a dynamic IP address to PCs and other devices upon request. The IP-2000VPN can act as a DHCP Server for devices on your local LAN and WLAN.
• Multi Segment LAN Support.
1.2 Installation of the Router
Requirements
• Network cables. Use standard 10/100BaseT network (UTP) cables with RJ45 connectors.
• TCP/IP protocol must be installed on all PCs.
• For Internet access, an Internet access account with an ISP, and a broadband modem (usually a DSL or cable modem).
Procedure
1. Choose an Installation Site. Select a suitable place on the network to install the IP-2000VPN. Ensure the IP-2000VPN and the DSL/Cable modem are powered OFF.
2.
4. Power Up
• Power on the broadband modem.
• Connect the supplied power adapter to the IP-2000VPN and power up. Use only the power adapter provided; using a different one may cause hardware damage.
5. Check the LEDs
• The Power LED should be ON.
• The Status LED should blink during start-up, and then turn off. If it stays on, there is a hardware error.
• For each LAN (PC) connection, the LAN Link/Act LED should be ON (provided the PC is also ON).
1.3 Front Panel and Rear Panel
LED | Function | Color | Status | Description
Power | Power indication | Green | On | Power on
Status | System status | Red | On | Error condition
 | | | Blinking | System starts up
WAN | WAN port activity | Green | On | The WAN port is linked.
 | | | Blinking | The WAN port is sending or receiving data.
Link/Act (LAN/DMZ) | Link status | Green | On | An active station is connected to the corresponding port.
100 (LAN/DMZ) | Link rate | Green | |
1.4 Packing List
The following items should be included:
• IP-2000VPN Internet VPN Router
• Installation CD-ROM
• Quick Installation Guide
• AC Adapter
When you open your package, make sure all of the above items are included and not damaged. If you see that any components are damaged, please notify your dealer immediately.
1.5 Hardware DMZ
Using the DMZ Port
The DMZ port is intended for connection of a server you wish to make available to the public.
Chapter 2 Deployment
Overview
This chapter describes the setup procedure for:
• Internet Access
• LAN configuration
PCs on your local LAN may also require configuration. For details, see Appendix A - PC Configuration.
Other configuration may also be required, depending on which features and functions of the IP-2000VPN you wish to use. Use the table below to locate detailed instructions for the required functions.
To Do this: | Refer to:
Configure PCs on your LAN. |
Configure or use any of the following: | Chapter 10: Other Features and Settings
• Configuration File backup and restore
• Network Diagnostic
• PC Database
• Remote Administration
• Routing
• Upgrade Firmware
• UPnP
Configuration Program
The IP-2000VPN contains an HTTP server. This enables you to connect to it, and configure it using your Web browser. Your browser must support JavaScript. The configuration program has been tested on the following browsers:
• Netscape v4.
Using your Web Browser
To establish a connection from your PC to the IP-2000VPN:
1. Start your Web browser.
2. In the Address box, enter "http://" and the IP address of the IP-2000VPN, as in this example, which uses the IP-2000VPN's default IP address: http://192.168.1.1
3. You will be prompted for a username and password, as shown below.
4. Enter admin for the User name, and airlive for the Password.
5. These are the default values.
Chapter 3 Configure Router
Home Screen
The first time you connect to the IP-2000VPN, you will see the Home screen shown below:
• Use the menu bar on the top of the screen, and the "Back" button on your browser, for navigation.
• Changing to another screen without clicking "Save" does NOT save any changes you may have made. You must "Save" before changing screens or your data will be ignored.
• On each screen, clicking the "Help" button will display help for that screen.
3.1 Setup Wizard
The main purpose of the Setup Wizard is to configure the WAN type; when you finish the WAN port's configuration, you can run the test in the wizard to verify the settings.
• You need to know the type of Internet connection service used by your ISP. Check the data supplied by your ISP.
• The common connection types are explained in the tables below:
Cable Modem
Login method | Type | Details | ISP Data required
None | Dynamic IP Address | Your IP Address is | Usually, none.
DSL Modem
Login method | Type | Details | ISP Data required
PPPoE | Dynamic IP Address | Your IP Address is allocated automatically, when you connect to your ISP. | User name and password.
PPTP | Static IP Address | Your ISP allocates a permanent IP Address to you. | IP Address, mask, gateway and DNS address allocated to you.
PPTP | Dynamic IP Address | You connect to the ISP only when required. The IP address is usually allocated automatically. | • PPTP Server IP Address. • User name and password.
None | Dynamic IP Address | You connect to the ISP only when required. The IP address is usually allocated automatically. | Usually, none.
None | Static IP Address | Your ISP allocates a permanent IP Address to you. | IP Address, mask, gateway and DNS address allocated to you.
Telstra Big Pond Cable (Australia)
Type | Details | ISP Data required
Dynamic IP Address | Your IP Address is allocated automatically, when you | • Big Pond Server IP Address. • User name and password.
SingTel RAS
For this connection method, the following data is required:
• User Name
• Password
• RAS Plan
AirLive IP-2000VPN User's Manual
Others (e.g. Fixed Wireless)
Type | Details | ISP Data required
Dynamic IP Address | Your IP Address is allocated automatically, when you connect to your ISP. | Usually, none. However, some ISPs may require you to use a particular Hostname, Domain name, or MAC (physical) address.
Static IP Address | Your ISP allocates a permanent IP Address to you. | IP Address, mask, gateway and DNS address allocated to you.
3.2 LAN
Use the LAN link on the main menu to reach the LAN screen. An example screen is shown below.
Data - LAN Screen
TCP/IP
IP Address: IP address for the IP-2000VPN, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range. In the latter case, enter an unused IP address from within the range used by your LAN.
Subnet Mask: The default value 255.255.255.0 is standard for small (class "C") networks.
What the DHCP Server Can Do
A DHCP (Dynamic Host Configuration Protocol) Server allocates a valid IP address to a DHCP client (PC or device) upon request.
• The client request is made when the client device starts up (boots).
• The DHCP Server provides the Gateway and DNS addresses to the client, as well as allocating an IP address.
• The IP-2000VPN can act as a DHCP server.
• Windows 2000/XP and other non-Server versions of Windows will act as a DHCP client.
Operation
Once both the IP-2000VPN and the PCs are configured, operation is automatic. However, there are some situations where additional Internet configuration may be required:
• If using Internet-based Communication Applications, it may be necessary to specify which PC receives an incoming connection. Refer to Chapter 4 - Internet Features for further details.
• Applications which use non-standard connections or port numbers may be blocked by the IP-2000VPN's built-in firewall.
Chapter 4 Internet Features
4.1 WAN Port
Overview
The following advanced features are provided.
• WAN Port Configuration
• Advanced Internet
• Communication Applications
• Special Applications
• Multi-DMZ
• URL filter
• Dynamic DNS
• Virtual Servers
• Options
WAN Port Configuration
The WAN Port Configuration screen provides an alternative to using the Wizard. It can be accessed from the Internet menu. An example screen is shown below.
Data – WAN Port Configuration Screen
Identification
Hostname: Normally, there is no need to change the default name, but if your ISP requests that you use a particular "Hostname", enter it here.
Domain name: If your ISP provided a domain name, enter it here. Otherwise, it can be left blank.
MAC Address: Also called Network Adapter Address or Physical Address. This is a low-level identifier, as seen from the WAN port.
DNS
Automatically obtain from Server: The DNS (Domain Name Server) address will be obtained automatically from your ISP's server. Note that if using a fixed IP address, with no login (login is set to "None"), then no server is used, and this option cannot be used.
Use this DNS: If this option is selected, you must enter the IP address of the DNS (Domain Name Server) you wish to use. Note: If the DNS is unavailable, the "Backup DNS", entered on the Internet - Options screen, will be used.
disconnected by your ISP, the connection will be re-established immediately. (However, this does not ensure that your Internet IP address will remain unchanged.)
Auto-disconnect Idle Time-out: This field has no effect unless the setting above is Automatic Connect/Disconnect. If Auto-disconnect is being used, enter the desired idle time-out period (in minutes). After the connection to your ISP has been idle for this time period, the connection will be terminated.
4.
Communication Applications Most applications are supported transparently by the IP-2000VPN. But sometimes it is not clear which PC should receive an incoming connection. This problem could arise with the Communication Applications listed on this screen. If this problem arises, you can use this screen to set which PC should receive an incoming connection, as described below.
Data – Special Applications Screen
Special Applications
Checkbox: Use this to enable or disable this Special Application as required.
Name: Enter a descriptive name to identify this Special Application.
Incoming Ports
• Type - Select the protocol (TCP or UDP) used when you receive data from the special application or service. (Note: Some applications use different protocols for outgoing and incoming data.)
This allows unrestricted 2-way communication between the "DMZ PC" and other Internet users or servers.
• This allows almost any application to be used on the "DMZ PC".
• The "DMZ PC" will receive all "Unknown" connections and data.
• If the DMZ feature is enabled, you must select the PC to be used as the "DMZ PC".
• To use more than one (1) DMZ, your ISP must assign multiple fixed IP addresses to you. You must enter each IP address; you can then assign a DMZ PC for each IP address.
Data – URL Filter Screen
Filter Strings
Current Entries: This lists any existing entries. If you have not entered any values, this list will be empty.
Add Filter String: To add an entry to the list, enter it here, and click the "Add" button. An entry may be a domain name (e.g. www.trash.com) or simply a string (e.g. ads/). Any URL which contains ANY entry ANYWHERE in the URL will be blocked.
Buttons
Delete/Delete All: Use these buttons to delete the selected entry or all entries, as required.
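Because the filter is a plain substring test over the whole URL, a short entry such as ads/ also blocks unrelated pages whose path happens to contain it. The following is an added example, not code from the manual or from OvisLink, that models the rule exactly as the screen describes it and reviews a constructed filter list against constructed sample URLs; case-insensitive matching is an assumption of the example, since the manual does not say how the device treats case.

```python
# Added example, not code from the AirLive manual: a model of the URL Filter's
# matching rule ("any URL which contains ANY entry ANYWHERE in the URL will be
# blocked"), used here to review a filter list for unintended matches.
from typing import Optional

# Constructed filter entries, in the two forms the screen describes:
# a domain name and a plain string.
FILTER_STRINGS = ["www.trash.com", "ads/"]

# Constructed sample URLs to review the filter list against.
SAMPLE_URLS = [
    "http://www.trash.com/index.html",
    "http://example.com/news",
    "http://example.com/downloads/report.pdf",
    "http://example.com/cgi?redirect=WWW.TRASH.COM",
]


def matching_entry(url: str, filter_strings=FILTER_STRINGS) -> Optional[str]:
    """Return the first filter entry found anywhere in the URL, or None.

    Plain substring test over the whole URL (scheme, host, path and query).
    Case-insensitive matching is an assumption of this example; the manual
    does not say how the device treats case.
    """
    haystack = url.lower()
    for entry in filter_strings:
        if entry and entry.lower() in haystack:
            return entry
    return None


def is_blocked(url: str, filter_strings=FILTER_STRINGS) -> bool:
    return matching_entry(url, filter_strings) is not None


def review(urls, filter_strings=FILTER_STRINGS) -> dict:
    """Map each blocked URL to the entry that blocked it, so short entries
    that hit unrelated paths (for example "ads/" inside "downloads/") can be
    spotted before the list is deployed."""
    result = {}
    for url in urls:
        entry = matching_entry(url, filter_strings)
        if entry is not None:
            result[url] = entry
    return result


if __name__ == "__main__":
    for url, entry in review(SAMPLE_URLS).items():
        print(f"BLOCKED {url}  (matched: {entry})")
```

Running the review on the constructed list shows the report.pdf download blocked by the ads/ entry, which is the kind of collateral block worth checking for before a short string is added on the live device.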
Dynamic DNS Screen
Select Internet on the main menu, then Dynamic DNS, to see a screen like the following:
Data – Dynamic DNS Screen
DDNS Service
• You must register for the service at one of the listed Service Providers. You can reach the Service Provider's Web site by selecting them in the list and clicking the "Web Site" button.
• Apply for a Domain Name, and ensure it is allocated to you.
4.4 Virtual Server
This feature allows you to make servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because:
• Your server does not have a valid external IP address.
• Attempts to connect to devices on your LAN are blocked by the firewall in this device.
The "Virtual Server" feature solves these problems and allows Internet users to connect to your servers, as illustrated below.
Using the DMZ port for Virtual Servers
You should connect your Virtual Servers to the DMZ port, for the following reasons:
• Traffic passing between the DMZ and LAN passes through the firewall. The firewall will protect your LAN if your server is compromised and used to launch an attack on your LAN.
• For each enabled Virtual Server, a firewall rule to allow incoming traffic from the Internet (WAN) to the DMZ is automatically created.
Data – Virtual Servers Screen
Servers
Servers: This lists a number of pre-defined servers, plus any servers you have defined. Details of the selected server are shown in the "Properties" area.
Properties
Enable: Use this to enable or disable support for this server, as required.
• If Enabled, any incoming connections will be forwarded to the selected PC.
• If Disabled, any incoming connection attempts will be blocked.
PC (Server): Select the PC for this server.
4.5 Options
This screen allows advanced users to enter or change a number of settings. For normal operation, there is no need to use this screen or change any settings.
Data – Options Screen
Backup DNS
IP Address: Enter the IP address of the backup DNS (Domain Name Server) here. This DNS will be used only if the primary DNS is unavailable.
MTU
MTU size: The MTU (Maximum Transmission Unit) value should only be changed if advised to do so by Technical Support.
• Enter a value between 1 and 1500.
Chapter 5 Security
Overview
The following advanced configurations are provided.
• Admin Login
• Access Control
• Firewall Rules
• Logs
• E-mail
• Security Options
• Scheduling
• Services
5.1 Admin Login
The Admin Login screen allows you to assign a user name and password to the IP-2000VPN.
1. The default login name is "admin". Change this to the desired value.
2. The default password is airlive. Enter the desired password in the New Password and Verify Password fields.
3.
Enter the "User Name" and "Password" you set on the Admin Login screen above.
5.2 Access Control
This feature is accessed by the Access Control link on the Security menu. The Access Control feature allows administrators to restrict the level of Internet access available to PCs on your LAN. With the default settings, everyone has unrestricted Internet access.
To use this feature
1. Set the desired restrictions on the "Default" group. All PCs are in the "Default" group unless explicitly moved to another group.
2.
Data – Access Control Screen
Group
Group: Select the desired Group. The screen will update to display the settings for the selected Group. Groups are named "Default", "Group 1", "Group 2", "Group 3" and "Group 4", and cannot be renamed.
"Members" Button: Click this button to add or remove members from the current Group.
• If the current group is "Default", then members cannot be added or deleted. This group contains PCs not allocated to any other group.
Group Members Screen
This screen is displayed when the Members button on the Access Control screen is clicked. Use this screen to add or remove members (PCs) from the current group.
• The "Del >>" button will remove the selected PC (in the Members list) from the current group.
• The "<< Add" button will add the selected PC (in the Other PCs list) to the current group.
PCs not assigned to any group will be in the "Default" group. PCs deleted from any other Group will be added to the "Default" group.
5.3 Firewall Rule
For normal operation and LAN protection, it is not necessary to use this screen. The firewall will always block DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it - the service is unavailable. You can also use this screen to create firewall rules to block or allow specific traffic, but incorrect configuration may cause serious problems.
Data – Firewall Rules Screen
Rule List
View Rules for …: Select the desired option; the screen will update and list any current rules. If you have not defined any rules, the list will be empty.
Data: For each rule, the following data is shown:
• Name - The name you assigned to the rule.
• Source - The traffic covered by this rule, defined by the source IP address. If the IP address is followed by ..., this indicates there is a range of IP addresses, rather than a single address.
Define Firewall Rule Clicking the "Add" button in the Firewall Rules screen will display a screen like the example below.
Data – Define Firewall Rule Screen
Define Firewall Rule
Name: Enter a suitable name for this rule.
Type: This determines the source and destination ports for traffic covered by this rule. Select the desired option.
Source IP: These settings determine which traffic, based on its source IP address, is covered by this rule. Select the desired option:
• Any - All traffic from the source port is covered by this rule.
• Single address - Enter the required IP address in the "Start IP address" field.
5.4 Logs The Logs record various types of activity on the IP-2000VPN. This data is useful for troubleshooting, but enabling all logs will generate a large amount of data and adversely affect performance. Since only a limited amount of log data can be stored in the IP-2000VPN, log data can also be E-mailed to your PC or sent to a Syslog Server.
Data – Logs Screen
Enable Logs
Incoming Traffic: Select the desired option:
• All IP traffic - This will log all incoming TCP/IP connections, of any type. This will generate the largest logs, and fill the internal log buffer more quickly.
• All TCP/UDP/ICMP traffic - These 3 protocols are used by most Internet traffic. TCP is used by HTTP, FTP, Telnet, E-mail and other common Internet protocols and applications.
System Log: Select the desired option:
• Router operations (start up, get time etc.) - This option will log normal Router operations.
• Connections to the Web-based interface of this Router - This option will log each connection to the Router itself, whenever the Web-based management interface is used.
• Other connections and traffic to this Router - This option will log other traffic sent to the Router itself, such as "pings" or RIP (Routing Information Protocol) packets.
5.5 E-mail
Data – E-mail Screen
E-Mail Alerts
Send E-Mail alert: If enabled, an E-mail will be sent immediately if a DoS (Denial of Service) attack is detected. If enabled, the E-mail address information must be provided.
E-Mail Logs
Send Logs by E-Mail: If enabled, logs will be sent to the specified E-mail address. You need to select the logs to be E-mailed, and complete the E-mail address settings on this screen.
Include: Select the log items to be included in the E-mail.
Subject: Enter the text string to be shown in the "Subject" field for the E-mail.
SMTP Server: Enter the address or IP address of the SMTP (Simple Mail Transport Protocol) server you use for outgoing E-mail.
Port No.: Enter the port number used to connect to the SMTP server. The default value is 25.
5.6 Security Options
This screen allows you to set firewall and other security-related options.
Data – Security Options Screen
Firewall
Enable DoS Firewall: If enabled, DoS (Denial of Service) attacks will be detected and blocked. The default is enabled. It is strongly recommended that this setting be left enabled.
Note:
• A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it - the service is unavailable.
Options
Respond to ICMP (ping): The ICMP protocol is used by the "ping" and "trace route" programs, and by network monitoring and diagnostic programs.
• If checked, the IP-2000VPN will respond to ICMP packets received from the Internet.
• If not checked, ICMP packets from the Internet will be ignored. Disabling this option provides a slight increase in security.
Allow VPN pass-through: If enabled, PCs on the LAN can use VPN software to connect to remote clients via the Internet connection.
5.7 Scheduling
• This schedule can be (optionally) applied to any Access Control Group.
• Blocking will be performed during the scheduled time (between the "Start" and "Finish" times).
• Two (2) separate sessions or periods can be defined.
• Times must be entered using a 24 hr clock.
• If the time for a particular day is blank, no action will be performed.
Define Schedule Screen
This screen is accessed by the Scheduling link on the Security menu.
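To check what a schedule will actually do before applying it to an Access Control Group, the following added example (not code from the manual or from OvisLink) models the rules above: two sessions per day, 24-hour clock times, and a blank session meaning no action. The schedule data is constructed; treating a session whose Finish is not after its Start as an error is an assumption of the example, since the manual does not say how the device handles that case.

```python
# Added example, not code from the AirLive manual: a model of the Scheduling
# screen's blocking logic, for checking when a schedule applied to an Access
# Control Group will actually block. Up to two sessions per day, 24-hour
# clock, and a blank session means no action.
from datetime import datetime

# Constructed schedule: day -> up to two ("Start", "Finish") sessions in
# "HH:MM" form. An empty pair is a blank session; a missing day is blank too.
SCHEDULE = {
    "Mon": [("09:00", "12:00"), ("13:00", "17:30")],
    "Tue": [("09:00", "17:30"), ("", "")],
    "Sat": [],
}

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def to_minutes(hhmm: str) -> int:
    """Parse a 24-hour clock time; rejects 12-hour or out-of-range values."""
    hours, minutes = hhmm.split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"not a 24-hour clock time: {hhmm!r}")
    return h * 60 + m


def validate_schedule(schedule) -> list:
    """Return a list of problems: unknown days, more than two sessions, or a
    session whose Finish is not after its Start (assumed here to be an
    error; the manual does not say how the device treats such a session)."""
    problems = []
    for day, sessions in schedule.items():
        if day not in DAYS:
            problems.append(f"{day}: unknown day")
        if len(sessions) > 2:
            problems.append(f"{day}: more than two sessions")
        for start, finish in sessions:
            if not start and not finish:
                continue  # blank session: nothing to check
            if not start or not finish or to_minutes(finish) <= to_minutes(start):
                problems.append(f"{day}: bad session {start!r}-{finish!r}")
    return problems


def is_blocked_at(schedule, day: str, hhmm: str) -> bool:
    """True if hhmm on the given day falls inside a defined session
    (Start inclusive, Finish exclusive)."""
    t = to_minutes(hhmm)
    for start, finish in schedule.get(day, []):
        if not start or not finish:  # blank session: no action
            continue
        if to_minutes(start) <= t < to_minutes(finish):
            return True
    return False


def is_blocked_now(schedule, when: datetime) -> bool:
    """Evaluate the schedule for a concrete timestamp (Monday is DAYS[0])."""
    return is_blocked_at(schedule, DAYS[when.weekday()], when.strftime("%H:%M"))
```

Run validate_schedule on a schedule first; an empty list means every session parses and is ordered, after which is_blocked_at answers whether a given day and time falls inside a blocking period.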
5.8 Services
Services are used in defining traffic to be blocked or allowed by the Access Control or Firewall Rules features. Many common Services are pre-defined, but you can also define your own services if required. To view the Services screen, select the Services link on the Security menu.
Data – Services Screen
Available Services
Available Services: This lists all defined Services.
Delete Button: Use this to delete the selected Service from the list.
Chapter 6 IPSec VPN
6.1 Common VPN Situations
VPN Pass-through
Here, a PC on the LAN behind the Router/Gateway is using VPN software, but the Router/Gateway is NOT acting as a VPN endpoint. It is only allowing the VPN connection.
• The PC software can use any VPN protocol supported by the remote VPN.
• The remote VPN Server must support client PCs which are behind a NAT router, and so have an IP address which is not valid on the Internet.
Office-to-Office VPN Gateway
This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN.
• The 2 LANs MUST use different IP address ranges.
• The VPN Policies at each end determine when a VPN tunnel will be established, and what systems on the remote LAN can be accessed once the VPN connection is established.
• It is possible to have simultaneous VPN connections to many remote sites.
6.2 VPN Configuration
This section covers the configuration required on the IP-2000VPN when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies). Details of using Certificates are covered in a later section.
VPN Policies Screen
To view this screen, select VPN Policies from the VPN menu. This screen lists all existing VPN policies. If no policies exist, the list will be empty. The order of policies is important if you have more than one policy for a particular site.
Move: The order in which policies are listed is only important if you have multiple policies for the same remote site. In that case, the first matching policy is used. There are 2 ways to change the order of policies:
• Use the up and down indicators on the right to move the selected row. You must confirm your changes by clicking "OK". If you change your mind before clicking "OK", click "Cancel" to reverse your changes.
• Click "Move" to directly specify a new location for the selected policy.
• If you prefer to use a single setup screen instead of a Wizard, click the Setup Screen button. This is recommended for experienced users only.
• Otherwise, click Next to continue. You will see a screen like the following.
General Settings
Policy Name: Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies.
Enable Policy: Enable or disable the policy as required. For each remote VPN, only 1 policy can be enabled at any time.
2. Click Next to continue. You will see a screen like the following:
• For outgoing VPN connections, these settings determine which traffic will cause a VPN tunnel to be created, and which traffic will be sent through the tunnel.
• For incoming VPN connections, these settings determine which systems on your local LAN will be available to the remote endpoint.
• The 2 VPN endpoints MUST use different address ranges.
Remote IP addresses
Type
• Single address - Enter an IP address in the "Start IP address" field.
• Range address - Enter the starting IP address in the "Start IP address" field, and the finish IP address in the "Finish IP address" field.
• Subnet address - Enter the desired IP address in the "Start IP address" field, and the network mask in the "Subnet Mask" field.
The remote VPN should have these IP addresses entered as its "Local" addresses.
3. Click Next to continue.
Manually assigned Keys
AH Authentication: AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. (AH is often NOT used.) If AH is not enabled, the following settings can be ignored.
Keys
• The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
• Keys can be in ASCII or Hex (0 ~ 9, A ~ F).
• For MD5, the keys should be 32 hex/16 ASCII characters.
ESP SPI: This is required if either ESP Encryption or ESP Authentication is enabled.
• Each SPI (Security Parameter Index) must be unique.
• The "in" SPI here must match the "out" SPI on the remote VPN, and the "out" SPI here must match the "in" SPI on the remote VPN.
• Each SPI should be at least 3 characters.
For Manual Key Exchange, configuration is now complete.
• Click "Next" to view the final screen.
• On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard.
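Mirroring the in/out keys and SPIs by hand at both ends is where manual policies usually go wrong, and a tunnel that fails to pass traffic gives little indication of which value was mistyped. The following added example, not code from the manual or from OvisLink, checks two ends of a Manual Key Exchange policy against the rules on the Keys and ESP SPI fields. The MD5 key lengths come from the manual; the lengths given for the other algorithms are assumed from their standard key sizes, and the sample key and SPI values are constructed.

```python
# Added example, not code from the AirLive manual: a consistency check for the
# two ends of a Manual Key Exchange policy, following the rules on the Keys and
# ESP SPI fields: each "in" key and SPI must equal the peer's "out" value, keys
# are ASCII or hex, an MD5 key is 32 hex or 16 ASCII characters, and each SPI
# must be unique and at least 3 characters.
import string

HEX_DIGITS = set(string.hexdigits)

# Required key length as (hex characters, ASCII characters). The MD5 entry is
# the manual's; the others are assumed from the algorithms' standard key sizes.
KEY_LENGTHS = {
    "MD5": (32, 16), "SHA-1": (40, 20),
    "DES": (16, 8), "3DES": (48, 24),
    "AES-128": (32, 16), "AES-192": (48, 24), "AES-256": (64, 32),
}


def key_ok(key: str, algorithm: str) -> bool:
    """True if key has the hex or ASCII length required for the algorithm."""
    hex_len, ascii_len = KEY_LENGTHS[algorithm]
    if len(key) == hex_len and all(c in HEX_DIGITS for c in key):
        return True
    return len(key) == ascii_len and key.isascii() and key.isprintable()


def check_manual_policy(local: dict, remote: dict, algorithm: str = "MD5") -> list:
    """Return a list of problems; an empty list means both ends agree.

    Each side is a dict with key_in, key_out, spi_in and spi_out, as typed on
    the device's screen at that end.
    """
    problems = []
    hex_len, ascii_len = KEY_LENGTHS[algorithm]
    for side, peer, name in ((local, remote, "local"), (remote, local, "remote")):
        if side["key_in"] != peer["key_out"]:
            problems.append(f"{name}: 'in' key does not match peer 'out' key")
        if side["spi_in"] != peer["spi_out"]:
            problems.append(f"{name}: 'in' SPI does not match peer 'out' SPI")
        if side["spi_in"] == side["spi_out"]:
            problems.append(f"{name}: 'in' and 'out' SPI must be unique")
        for direction in ("in", "out"):
            if not key_ok(side[f"key_{direction}"], algorithm):
                problems.append(
                    f"{name}: '{direction}' key is not {hex_len} hex / {ascii_len} ASCII characters")
            if len(side[f"spi_{direction}"]) < 3:
                problems.append(f"{name}: '{direction}' SPI is shorter than 3 characters")
    return problems


# Constructed sample: the remote end mirrors the local end's in/out values.
LOCAL = {"key_in": "0123456789abcdef0123456789abcdef",
         "key_out": "fedcba9876543210fedcba9876543210",
         "spi_in": "1001", "spi_out": "1002"}
REMOTE = {"key_in": LOCAL["key_out"], "key_out": LOCAL["key_in"],
          "spi_in": LOCAL["spi_out"], "spi_out": LOCAL["spi_in"]}
```

An empty result from check_manual_policy means the two screens mirror each other correctly; each reported problem names the end and the field to correct.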
IKE Phase 1 (IKE SA)
Local Identity: This setting must match the "Remote Identity" on the remote VPN. Select the desired option, and enter the required data in the "Local Identity Data" field.
• WAN IP Address - This is the most common method. If selected, no input is required.
• Fully Qualified Domain Name - Enter the Domain Name assigned to this device.
• Fully Qualified User Name - This name does not have to be a valid Internet Domain Name. E-mail addresses are often used for this entry.
Direction: Select the desired option:
• Initiator - Only outgoing connections will be created. Incoming connection attempts will be rejected.
• Responder - Only incoming connections will be accepted. Outgoing traffic which would otherwise result in a connection will be ignored.
• Both Directions - Both incoming and outgoing connections are allowed.
IKE SA Life Time: This setting does not have to match the remote VPN endpoint; the shorter time will be used.
IKE Phase 2 (IPSec SA)
IPSec SA Life Time: This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds.
IPSec PFS: If enabled, PFS (Perfect Forward Secrecy) enhances security by changing the IPSec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking 1 key will not assist in breaking the next key.
6.3 Certificates
Certificates are used to authenticate users. Certificates are issued to you by various CAs (Certification Authorities). These Certificates are called "Self Certificates". Each CA also issues a certificate to itself. This Certificate is required in order to validate communication with the CA. These certificates are called "Trusted Certificates".
Requesting a Trusted Certificate
1. After obtaining a new Certificate from the CA, you need to upload it to the IP-2000VPN.
2. On the "Certificates" screen, click the "Add Trusted Certificate" button to view the Add Trusted Certificate screen, shown below.
3. Click the "Browse" button, and locate the certificate file on your PC.
4. Select the file. The name will appear in the "Certificate File" field.
5. Click "Upload" to upload the certificate file to the IP-2000VPN.
6.
Active Self Certificates
Name: The name you assigned to this Certificate. You should select a name which helps to identify this particular certificate.
Subject Name: The company or person to whom the Certificate is issued.
Issuer Name: The CA (Certification Authority) which issued the Certificate.
Expiry Time: The date on which the Certificate expires. You should renew the Certificate before it expires.
Delete button: Use this button to delete a Self Certificate.
2. Complete this screen.
Name: Enter a name which helps to identify this particular certificate. This name is only for your reference; it is not visible to other people.
Subject Name: This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field.
Hash Algorithm: Select the desired option.
Signature: Select the desired option.
3. Click "Next" to continue to the following screen.
4. Check that the data displayed in the Certificate Details section is correct. This data is used to generate the Certificate request. If the data is not correct, click the "Back" button and correct the previous screen.
5. If the data is correct, copy the text in the Data to supply to CA panel (including "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----") to a new document in a text editor such as Notepad, and save the file.
6.
9. Upload the Certificate: • Click the Browse button, and locate the certificate file on your PC. • Select the file. The name will appear in the Certificate File field. • Click the Upload button to upload the certificate file to the IP-2000VPN. • Click Back to return to the Self Certificates screen. The new Certificate will appear in the Active Self Certificates list 1. For the Certificate example file please refer to Chapter 7.4. 2.
6.4 CRLs • CRLs are only necessary if using Certificates. • CRL (Certificate Revocation List) files show Certificates which have been revoked, and are no longer valid. • Each CA issues its own CRLs. • It is VERY IMPORTANT to keep your CRLs up-to-date. You need to obtain the CRL for each CA regularly. The "Next Update" field in the CRL shows when the next update will be available. To add a new CRL 1. Obtain the CRL file from your CA. 2. Select CRL from the VPN menu.
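As an added example (not from the manual), the script below performs the two checks the text asks for on a CRL: whether it is past its Next Update, and whether a given certificate serial is listed as revoked. It is stdlib-only, so it constructs an unsigned sample CRL in memory with made-up serials instead of downloading one from a CA, and it does not verify the CRL signature, which a real deployment must do against the CA's trusted certificate.

```python
"""Parse a DER-encoded X.509 CRL and check freshness and revocation (stdlib only)."""
import datetime as dt

# ---- DER helpers, used here only to construct the sample CRL (no real CA involved) ----
def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a definite length (up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def der_int(value: int) -> bytes:
    """INTEGER; the +8 keeps a leading zero byte when the top bit is set."""
    return der(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def der_utctime(t: dt.datetime) -> bytes:
    """UTCTime, e.g. 240101120000Z."""
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

SAMPLE_THIS_UPDATE = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
SAMPLE_NEXT_UPDATE = SAMPLE_THIS_UPDATE + dt.timedelta(days=7)
SAMPLE_REVOKED = (0x1001, 0x1002)          # constructed serial numbers, not real ones

def sample_crl() -> bytes:
    """Build an *unsigned* sample CRL: the signature BIT STRING is a zero placeholder."""
    sha1_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05, b""))
    cn = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Sample CA"))
    issuer = der(0x30, der(0x31, cn))
    entries = b"".join(der(0x30, der_int(s) + der_utctime(SAMPLE_THIS_UPDATE))
                       for s in SAMPLE_REVOKED)
    tbs = der(0x30, der_int(1) + sha1_rsa + issuer
              + der_utctime(SAMPLE_THIS_UPDATE) + der_utctime(SAMPLE_NEXT_UPDATE)
              + der(0x30, entries))
    return der(0x30, tbs + sha1_rsa + der(0x03, b"\x00" * 17))

# ---- minimal DER reader ----
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes) -> list:
    """All TLVs directly inside a constructed element, as (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def parse_time(tag: int, body: bytes) -> dt.datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return dt.datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def parse_crl(crl_der: bytes) -> dict:
    """Extract thisUpdate, nextUpdate and revoked serials from the TBSCertList.

    The signature over the TBSCertList is NOT verified here; do that against the
    CA's trusted certificate before acting on the result."""
    _, outer, _ = read_tlv(crl_der)
    _, tbs, _ = read_tlv(outer)
    fields = children(tbs)
    if fields[0][0] == 0x02:              # optional version INTEGER
        fields = fields[1:]
    # fields: signature AlgId, issuer, thisUpdate, [nextUpdate], [revokedCertificates], ...
    this_update, next_update, idx = parse_time(*fields[2]), None, 3
    if idx < len(fields) and fields[idx][0] in (0x17, 0x18):
        next_update, idx = parse_time(*fields[idx]), idx + 1
    revoked = set()
    if idx < len(fields) and fields[idx][0] == 0x30:
        for _, entry in children(fields[idx][1]):
            serial_body = children(entry)[0][1]
            revoked.add(int.from_bytes(serial_body, "big", signed=True))
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def crl_status(crl_der: bytes, serial: int, now: dt.datetime) -> dict:
    """Report whether the CRL is past its Next Update and whether `serial` is listed."""
    info = parse_crl(crl_der)
    stale = info["next_update"] is None or now >= info["next_update"]
    return {"stale": stale, "revoked": serial in info["revoked"],
            "next_update": info["next_update"]}

def demo() -> tuple:
    """Two checks against the sample CRL: one day in, and a month in (past Next Update)."""
    crl = sample_crl()
    return (crl_status(crl, 0x1001, SAMPLE_THIS_UPDATE + dt.timedelta(days=1)),
            crl_status(crl, 0x2000, SAMPLE_THIS_UPDATE + dt.timedelta(days=30)))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A stale result means the CRL on the router no longer tells you anything reliable; fetch the CA's current CRL before trusting a "not revoked" answer.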
6.5 Status This screen lists all VPN SAs (Security Association) which exist at the current time. • If no VPN tunnels exist at the current time, the table will be empty. • To update the display, click the "Refresh" button. • If using IKE, there is one SA for the IKE connection, and another SA for the IPSec connection. • For each VPN SA the following data is displayed. Data – VPN Status Screen VPN Status SPI Each SA (Security Association) has a unique SPI.
Chapter 7 Microsoft VPN (PPTP) Overview Microsoft VPN uses the Microsoft VPN Adapter which is provided in recent versions of Windows. This feature can be used to provide remote access to your LAN by individual PCs. This method provides an alternative to using IPSec VPN, which is described in the previous chapter. Using Microsoft VPN provides easier setup than using IPSec VPN.
Data – Microsoft VPN Screen PPTP Server Enable: Use this checkbox to enable or disable this feature as required. To allow connection by remote Windows clients, you must enable this feature, and enter the client details (on the Clients screen) to allow them to login to this Server. Authentication Methods: Enable the desired authentication methods. The methods are listed with the most secure first, least secure last. If multiple methods are checked, the most secure will be tried first.
Data – Microsoft VPN Client Database Screen Existing Users User List All existing users are listed. If you have not added any users, this list will be empty. When a user is selected, their details are displayed in the Properties panel. You can then edit the user's information as required; click Update Selected User to save your changes. (If you select another user before saving your changes, your changes are lost.) Delete Button Use this to delete the selected user if required.
Status Screen The Status screen is accessed by selecting the Status option on the Microsoft VPN menu. Data – Microsoft VPN Status Screen Server Status Status: This indicates whether or not the PPTP (VPN) Server is enabled. Current Connections: This indicates the number of remote clients currently logged into the PPTP (VPN) Server. Server Log Server Log: This displays details of each connection or connection attempt.
7.2 Windows PPTP Clients Setup To connect to the PPTP (VPN) Server in the IP-2000VPN: • The Microsoft VPN feature in the IP-2000VPN must be enabled and configured, as described in the previous section. • Each user must have a login (username and password) on the VPN client database on the IP-2000VPN. • The remote client PC must be configured as described in the following sections. • It is assumed that remote users have a Broadband (not dial-up) connection to the Internet. Windows 98/ME 1.
4. Enter the Internet IP address or domain name of this device. (If you don't have a fixed IP address, you can use a Dynamic DNS service to obtain a domain name). Click "Next" to continue. 5. Click “Finish” to exit the Wizard. The new entry will now be listed in "Dial-up Networking". If necessary, you can change the settings for this connection by right-clicking on it, and selecting Properties.
Windows 2000 Ensure you have logged on with Administrator rights before attempting this procedure. 1. Open "Network Connections", and start the "New Connection" Wizard. 2. Select the VPN option ("Connect to a private network through the Internet"), as shown above, and click Next.
3. On the screen above: • Select "Do not dial the initial connection" if Internet access is via the LAN. • If using a PPPoE software client, select "Automatically dial this initial connection" and select the PPPoE connection. • Click Next to continue. 4. On the screen above, enter the Domain Name or Internet IP address of the IP-2000VPN you wish to connect to. Click Next to continue.
5. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue. 6. Enter a suitable name, and click "Finish" to save and exit. 7. Setup is now complete. To establish a connection: 1. Right-click the connection in "Network Connections", and select "Connect". 2. You will then be prompted for the username and password. Enter the username and password assigned to you, as recorded in the VPN client database on the IP-2000VPN. 3.
Windows XP Ensure you have logged on with Administrator rights before attempting this procedure. 1. Open Network Connections (Start-Settings-Network Connections), and start the New Connection Wizard. 2. Select the option "Connect to the network at my workplace", as shown above, and click Next.
3. On the next screen, shown above, select the "Virtual Private Network connection" option. Click Next to continue. 4. Enter a suitable name for this connection. Click Next to continue.
5. On the screen above, select "Do not dial the initial connection". Click Next to continue. 6. On the screen above, enter the Domain Name or Internet IP address of the IP-2000VPN you wish to connect to. Click Next to continue.
7. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue. 8. On the final screen, click Finish to save and exit. 9. Setup is now complete. To establish a connection: 1. Right-click the connection in "Network Connections", and select "Connect". 2. You will then be prompted for the username and password. Enter the username and password assigned to you, as recorded in the VPN client database on the IP-2000VPN. 3.
Windows Vista Ensure you have logged on with Administrator rights before attempting this procedure. 1. Select Control Panel → Network and Sharing Center, and click "Set up a connection or network". 2. Select "Connect to a workplace", and press "Next".
3. On the next screen, select "Use my Internet connection (VPN)". 4. If the PC was configured to dial up to the ISP with PPPoE or similar, the system asks which Internet connection should be used. Select the appropriate one and press "Next".
5. Fill in the PPTP server IP address on the "Type the Internet address to connect to" screen. 6. Type in the PPTP client's user name and password, and then press "Connect" to connect to the PPTP server.
7. If the PPTP client connects successfully to the PPTP server, the following screen is shown. 8. Ping the IP-2000VPN LAN IP address (192.168.1.1) and the IP address (192.168.1.2) of a PC connected to the IP-2000VPN to verify the PPTP connection. Replies to both pings confirm that the tunnel is working.
Chapter 8 VPN Example This section describes some examples of using the IP-2000VPN in common VPN situations. An IPSec VPN tunnel is created between two office sites, and the data passing through it is encrypted. Once the tunnel is up, every user in one office can reach the other office's resources through it, so individual users do not need to create their own VPN connections.
8.1 Office-to-office IPSec VPN – Connecting 2 IP-2000VPN In this example, two IP-2000VPN units connect to each other over a VPN and each gains access to the other's LAN. Environment:
Setting: IPSec Site A / IPSec Site B
WAN IP address: 60.250.158.64 / 203.10.66.89
LAN IP Subnet: 192.168.1.x / 192.168.0.x
Pre-shared Key: 12345678 / 12345678
IKE Encryption: 3DES / 3DES
IKE Authentication: MD5 / MD5
DH Group: Group 2 / Group 2
ESP Encryption: 3DES / 3DES
ESP Authentication: MD5 / MD5
The LANs MUST use different IP address ranges.
Step 1: IPSec VPN Site A – Network Configuration
Data – Network Configuration
Name: Policy_A (Name does not affect operation. Select a meaningful name.)
Enable Policy: Enable
Allow NetBIOS: Enable (Enable to allow NetBIOS traffic to pass through the VPN tunnel.)
Remote Endpoint: Fixed IP, 203.10.66.89 (Other endpoint's WAN (Internet) IP address.)
Local IP addresses: Subnet Address, 192.168.1.0 / 255.255.255.0 (Use a more restrictive definition if possible.)
Remote IP addresses: Subnet Address, 192.168.0.0 / (Address range on other endpoint.)
Step 2: IPSec VPN Site A – Authentication and Encryption
Data – Authentication and Encryption
IKE Direction: Both Directions (Does not have to match Site B. Either endpoint can block one direction.)
Local Identify: WAN IP Address (The system will detect the IP address and fill in the form automatically. It is the most common ID method.)
Remote Identify: Remote WAN IP Address (The system will detect the IP address and fill in the form automatically. It is the most common ID method.)
Step 3: IPSec VPN Site B – Network Configuration
Data – Network Configuration
Name: Policy_B (Name does not affect operation. Select a meaningful name.)
Enable Policy: Enable
Allow NetBIOS: Enable (Enable to allow NetBIOS traffic to pass through the VPN tunnel.)
Remote Endpoint: Fixed IP, 60.250.158.64 (Other endpoint's WAN (Internet) IP address.)
Local IP addresses: Subnet Address, 192.168.0.0 / 255.255. (Use a more restrictive definition if possible.)
Remote IP addresses: Subnet Address
Step 4: IPSec VPN Site B – Authentication and Encryption
Data – Authentication and Encryption
IKE Direction: Both Directions (Does not have to match Site A. Either endpoint can block one direction.)
Local Identify: WAN IP Address (The system will detect the IP address and fill in the form automatically. It is the most common ID method.)
Remote Identify: Remote WAN IP Address (The system will detect the IP address and fill in the form automatically. It is the most common ID method.)
IKE Authentication method: MD5 (Must match with Site A.)
IKE Encryption algorithm: 3DES (Must match with Site A.)
IKE Exchange mode: Main Mode (Must match with Site A.)
DH Group: Group 2 (1024 Bit) (Must match with Site A.)
IKE SA Life time: 180 (The shorter period of the two endpoints will be used.)
IKE Keep Alive: Enable, 192.168.1.1 (Used to set the LAN IP address of the IP-2000VPN at Site A.)
IKE PFS: Disable (Must match with Site A.)
IPSec SA Parameters IPSec SA Life time: 300 (The shorter period of the two endpoints will be used.)
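As an added example (not from the manual), the following script holds both sides of the section 8.1 policy and checks them against each other the way the Notes column asks: the "Must match" fields, mirrored local/remote subnets, non-overlapping LANs, and the shorter SA lifetime. The weak-algorithm review it also runs is this example's own baseline, not something the manual states.

```python
"""Cross-check both ends of the section 8.1 site-to-site IPSec policy."""
import ipaddress

# Fields the manual marks "Must match with Site A/B", plus the pre-shared key.
MUST_MATCH = ("psk", "ike_auth", "ike_enc", "ike_mode", "dh_group", "ike_pfs",
              "esp_enc", "esp_auth")

# Assumed review baseline (this example's assumption): values a defender would flag today.
WEAK = {
    "ike_enc": {"DES", "3DES"},
    "esp_enc": {"DES", "3DES"},
    "ike_auth": {"MD5"},
    "esp_auth": {"MD5"},
    "dh_group": {"Group 1", "Group 2"},
}

# Values from the manual's 8.1 environment and Step 1-4 tables.
SITE_A = {
    "name": "Policy_A",
    "wan": "60.250.158.64", "remote_endpoint": "203.10.66.89",
    "local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.0.0/24",
    "psk": "12345678",
    "ike_enc": "3DES", "ike_auth": "MD5", "ike_mode": "Main Mode",
    "dh_group": "Group 2", "ike_pfs": "Disable",
    "esp_enc": "3DES", "esp_auth": "MD5",
    "ike_sa_life": 180, "ipsec_sa_life": 300,
}
SITE_B = {
    "name": "Policy_B",
    "wan": "203.10.66.89", "remote_endpoint": "60.250.158.64",
    "local_subnet": "192.168.0.0/24", "remote_subnet": "192.168.1.0/24",
    "psk": "12345678",
    "ike_enc": "3DES", "ike_auth": "MD5", "ike_mode": "Main Mode",
    "dh_group": "Group 2", "ike_pfs": "Disable",
    "esp_enc": "3DES", "esp_auth": "MD5",
    "ike_sa_life": 180, "ipsec_sa_life": 300,
}


def check_pair(a: dict, b: dict) -> list:
    """Return the configuration mismatches between the two endpoints (empty = consistent)."""
    problems = []
    # Each side's "Remote Endpoint" must be the other side's WAN address.
    if a["remote_endpoint"] != b["wan"] or b["remote_endpoint"] != a["wan"]:
        problems.append("remote endpoint addresses do not point at each other")
    a_local = ipaddress.ip_network(a["local_subnet"])
    a_remote = ipaddress.ip_network(a["remote_subnet"])
    b_local = ipaddress.ip_network(b["local_subnet"])
    b_remote = ipaddress.ip_network(b["remote_subnet"])
    # The local subnet on one side must be the remote subnet on the other.
    if a_local != b_remote or a_remote != b_local:
        problems.append("local/remote subnets are not mirrored between the sites")
    # The manual's rule: the two LANs MUST use different address ranges.
    if a_local.overlaps(b_local):
        problems.append(f"LANs overlap: {a_local} and {b_local}")
    for field in MUST_MATCH:
        if a[field] != b[field]:
            problems.append(f"{field} differs: {a[field]!r} (Site A) vs {b[field]!r} (Site B)")
    return problems


def negotiated_lifetimes(a: dict, b: dict) -> dict:
    """The manual notes that the shorter SA lifetime of the two endpoints is used."""
    return {
        "ike_sa_life": min(a["ike_sa_life"], b["ike_sa_life"]),
        "ipsec_sa_life": min(a["ipsec_sa_life"], b["ipsec_sa_life"]),
    }


def weak_settings(site: dict) -> list:
    """Flag algorithm and key choices that fall below the assumed baseline."""
    findings = []
    for field, weak_values in WEAK.items():
        if site[field] in weak_values:
            findings.append(f"{field}={site[field]} is weak")
    psk = site["psk"]
    if len(psk) < 20 or psk.isdigit():
        findings.append("pre-shared key is short or purely numeric")
    return findings


if __name__ == "__main__":
    print("mismatches:", check_pair(SITE_A, SITE_B) or "none")
    print("lifetimes:", negotiated_lifetimes(SITE_A, SITE_B))
    for site in (SITE_A, SITE_B):
        print(site["name"], "review:", weak_settings(site))
```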
8.2 Office-to-office IPSec VPN – Connecting IP-2000VPN and RS-1200 In this example, the IP-2000VPN connects to an RS-1200 over a VPN and each gains access to the other's LAN. Environment:
Setting: IP-2000VPN / RS-1200
WAN IP address: Airlive98.dyndns.org / 60.250.158.64
LAN IP Subnet: 192.168.1.x / 192.168.100.
Data – Network Configuration
Name: To_RS12 (Name does not affect operation. Select a meaningful name.)
Enable Policy: Enable
Allow NetBIOS: Enable (Enable to allow NetBIOS traffic to pass through the VPN tunnel.)
Remote Endpoint: Domain Name, airlive98.dyndns.org (The domain name resolves to the other endpoint's WAN (Internet) IP address.)
Local IP addresses: Subnet Address, 192.168.1.0 / 255.255.255. (Allows access to the entire LAN. Use a more restrictive definition if possible.)
Remote IP addresses: Subnet Address
Data – Authentication and Encryption
IKE Direction: Both Directions (Using "Responder only" is not possible.)
Local Identify: WAN IP Address (The system will detect the IP address and fill in the form automatically. It is the most common ID method.)
Remote Identify: Remote WAN IP Address (The system will detect the IP address and fill in the form automatically. It is the most common ID method.)
IKE Authentication: Pre-shared Key, 12345678 (Certificates are not widely used.)
IKE Authentication method: MD5 (Must match with RS-1200.)
2. Configure DDNS service and fill in the necessary setting, in order to resolve the Dynamic Domain Name (ex. airlive98.dyndns.org) with current IP address. Step 4: Configure RS-1200 IPSec Autokey 1. Select IPSec Autokey in VPN. Click New Entry. 2. In the list of IPSec Autokey, fill in Name with To_IP2KVPN. 3. Select Remote Gateway-Fixed IP or Domain Name in To Destination list and enter the IP Address. 4. Select Preshare in Authentication Method and enter the Preshared Key. 5.
6. Select Data Encryption + Authentication in the IPSec Algorithm list. Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm to define how the transmitted data is encapsulated. 7. Select GROUP2 for Perfect Forward Secrecy, enter 3600 seconds for ISAKMP Lifetime, enter 28800 seconds for IPSec Lifetime, and select Main mode for Mode. 8. Complete the IPSec Autokey setting.
Step 6: Configure RS-1200 Outgoing and Incoming Policy 1. Enter the following setting in Outgoing Policy. • Tunnel: Select To_IP2K_Tunnel • Click OK. 2. Enter the following setting in Incoming Policy. • Tunnel: Select To_IP2K_Tunnel. • Click OK.
8.3 Getting into Office Network from Internet (PPTP) – Windows XP PPTP Client In this example, a Windows XP client connects to the IP-2000VPN and gains access to the local LAN. Environment:
Setting: IP-2000VPN / PC with PPTP VPN Software
WAN IP address: 60.250.158.65 / Any
LAN IP Subnet: 192.168.1.x
Encrypted Authentication: MS-CHAP v2 / Typical
User name: jacky / jacky
Password: 1234 / 1234
Step 1: Set up IP-2000VPN PPTP Server 1.
Step 2: Set up IP-2000VPN PPTP Server 1. Select Microsoft VPN → Clients, and tick "Allow Connection" in Properties. 2. Fill in the form with the user name and password. For example, the user name is jacky and the password is 1234. 3. Click the "Add as New User" button to add the account to the "Existing Users" list. 4. This completes the PPTP VPN setup on the IP-2000VPN. The IP address of the IP-2000VPN PPTP Server is the same as its WAN IP address.
Step 3: Set up Windows XP PPTP client software Ensure you have logged on with Administrator rights before attempting this procedure. 1. Open Network Connections (Start → Settings → Network Connections), and start the New Connection Wizard. 2. Select the option "Connect to the network at my workplace", as shown above, and click Next. 3. On the next screen, shown above, select the "Virtual Private Network connection" option. Click Next to continue.
4. Enter a suitable name for this connection. Click Next to continue. 5. On the screen above, select "Do not dial the initial connection". Click Next to continue.
6. On the screen above, enter the Domain Name or Internet IP address of the IP-2000VPN you wish to connect to. Click Next to continue. 7. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue. 8. On the final screen, click Finish to save and exit. 9. Setup is now complete.
Step 4: Connect Windows XP PPTP client to IP-2000VPN 1. When the Windows XP PPTP client configuration is finished, a login window pops up. 2. Enter the user name and password (for example, user name jacky and password 1234), and tick "Save this user name and password for the following users" if the credentials should be stored.
3. Click the "Connect" button to start the PPTP connection to the IP-2000VPN. 4. After the client's user name and password have been verified, if the connection is successful, another connection icon appears in the bottom-right corner to indicate the PPTP connection. 5. Run the Command Prompt on the PPTP client PC to check the PC's current IP addresses; two IP addresses will be registered on the client PC. 6. Ping the IP-2000VPN LAN IP address (192.168.1.1) and confirm that it responds.
7. Connect to the resource PC (192.168.1.4) and look for the shared folder. 8. Once the shared folder is found, the PPTP client can access the resource.
8.4 Getting into Office Network from Internet (IPSec) – Windows XP IPSec Client In this example, a Windows 2000/XP client connects to the IP-2000VPN and gains access to the local LAN. To use 3DES encryption on Windows 2000, you need Service Pack 3 or later installed. Environment:
Setting: IP-2000VPN / PC with IPSec VPN Software
WAN IP address: 220.139.232.45 / 220.139.238.157
LAN IP Subnet: 192.168.1.
Step 1: IP-2000VPN – Network Configuration
Name: To_XP (Name does not affect operation. Select a meaningful name.)
Enable Policy: Enable
Allow NetBIOS: Enable (Enable to allow NetBIOS traffic to pass through the VPN tunnel.)
Remote Endpoint: Fixed IP, 220.139.238.157 (Other endpoint's WAN (Internet) IP address.)
Local IP addresses: Subnet Address, 192.168.1.0 / 255.255.255.0 (Allows access to the entire LAN. Use a more restrictive definition if possible.)
Remote IP addresses: Single Address
Step 2: IP-2000VPN – Authentication and Encryption
IKE Direction: Both Directions (Using "Responder only" is not possible.)
Local Identify: WAN IP Address (The system will detect the IP address and fill in the form automatically. It is the most common ID method.)
Remote Identify: Remote WAN IP Address (The system will detect the IP address and fill in the form automatically. It is the most common ID method.)
IKE Authentication method: MD5 (Must match with Client PC.)
IKE Encryption algorithm: DES (Must match with Client PC.)
IKE Exchange mode: Main Mode (Windows 2000/XP only supports Main Mode.)
DH Group: Group 1 (768 bit) (Must match with Client PC.)
IKE SA Life time: 180 (The shorter period of the two endpoints will be used.)
IKE Keep Alive: Skip the setting
IKE PFS: Disable (Must match with Client PC.)
IPSec SA Parameters IPSec SA Life time: 300 (The shorter period of the two endpoints will be used.)
IPSec PFS: Disable (Must match with Client PC.)
3. Click "Next", and then enter a policy name, for example "2KVPN To XP", then click "Next". 4. Step through the Wizard: • Deselect Activate the default response rule. Click "Next". • Leave Edit Properties checked. Click "Finish". 5. The following "Properties - Rules" screen will be displayed.
Notes on this screen: (1) No rules are in use. Two (2) rules are required, incoming and outgoing. (2) The outgoing rule will be added first. 6. Deselect the "Use Add Wizard" checkbox, and then click "Add" to view the screen below. 7. Click "Add" and type "To 2KVPN" for the name. 8. Deselect "Use Add Wizard" and then click "Add" to enter the "Filter Properties" setting.
9. Enter the Source IP address and the Destination IP address. • Since this is the outgoing filter, the Source IP address is "My IP address" and the Destination IP address is the address range used on the remote LAN. • Ensure the Mirrored option is checked, and click “OK” to save the setting. 10. Click "OK" to save your settings and close this dialog.
11. On the resulting screen (above), ensure the "To 2KVPN" filter is selected, then click the Filter Action tab to see a screen like the following. 12. Select Require Security, then click the "Edit" button to view the Require Security Properties screen, select Negotiate Security (this selects IKE), and then click "Add".
13. On the resulting screen (above), select Encryption and Integrity then click "OK" to save your changes and return to the Require Security Properties screen.
14. Ensure the following settings are correct, and then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.
VPN Setting / Windows Setting
IKE enabled / Negotiate security
AH disabled / AH Integrity: (none)
ESP encryption: Enable/3DES / ESP Confidentiality: 3DES
ESP authentication: Enable/SHA-1 / ESP Integrity: SHA1
15. Click the Tunnel Setting tab, and then select The tunnel endpoint is specified by this IP address.
16. Click the Authentication Methods tab. 17. Click the "Edit" and select Use this string (preshared key), then enter your preshared key in the field provided.
18. Click "OK" to save your changes and return to the Authentication Methods tab of the Edit Rule Properties screen. 19. Click "Close" to return to the 2KVPN To XP properties screen. The "To 2KVPN" filter should now be listed, as shown below. 20. To add the second (incoming) rule, click "Add" to create a new rule.
21. Click “Add” and fill in the name with "To WinXP", and then click "Add". 22. Enter the Source IP address and the Destination IP address as shown below. • Since this is the incoming filter, the Source IP address is the address range used on the remote LAN and the Destination IP address is "My IP address". • Ensure the Mirrored option is checked, and click “OK” to save the setting.
23. Click "OK" to save the setting. 24. Ensure the "To Win2K" filter is selected, and then click the Filter Action tab.
25. Select Require Security, then click "Edit". Check that Negotiate Security is selected. 26. Click "OK" to return to the Filter Action screen. 27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (220.139.238.157 in this example).
28. Select the Authentication Methods tab, and click the "Edit" button. 29. Select Use this string (preshared key), then enter your preshared key in the field provided.
30. Click "OK" to save your settings, then "Close" to return to the 2KVPN to XP Properties screen. There should now be 2 IP Filters listed, as shown below. 31. Select the General tab.
32. Click the "Advanced" button to see the screen below. 33. Click the "Methods" button to see the screen below. 34. Move up the fourth rule to the top, in order to define "MD5" for Integrity Algorithm, "DES" for Encryption algorithm, and "Low(1)" for the Diffie-Hellman Group. 35. Click "OK" to save, then "OK" again, and then "Close" to return to the Local Security Settings screen.
36. Right click the 2KVPN to XP Policy and select "Assign" to make your policy active. 37. Configuration is now complete.
Chapter 9 Status Status Screen Use the Status link on the main menu to view this screen. Data – Status Screen Internet Connection Method: This indicates the current connection method. Broadband Modem: This shows the connection status to the modem. Internet Connection: Current connection status: • Active • Idle • Unknown • Failed If there is an error, you can click the "Connection Details" button to find out more information.
LAN IP Address The IP Address of the IP-2000VPN. Network Mask The Network Mask (Subnet Mask) for the IP Address above. DHCP Server This shows the status of the DHCP Server function - either "ON" or "OFF". For additional information about the PCs on your LAN, and the IP addresses allocated to them, use the PC Database option on the Other menu. System Device Name This displays the current name of the IP-2000VPN. Firmware Version The current version of the firmware installed in the IP-2000VPN.
9.1 Connection Status – PPPoE If using PPPoE (PPP over Ethernet), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data – PPPoE Screen Connection Physical Address The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN). IP Address The IP Address of this device, as seen by Internet users.
update the messages shown on screen. Buttons Connect If not connected, establish a connection to your ISP. Disconnect If connected to your ISP, hang up the connection. Clear Log Delete all data currently in the Log. This will make it easier to read new messages. Refresh Update the data on screen. Connection Log Messages Message Description Connect on Demand Connection attempt has been triggered by the "Connect automatically, as required" setting.
9.2 Connection Status – PPTP If using PPTP (Point-to-Point Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data – PPTP Screen Connection Physical Address: The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.) IP Address: The IP Address of this device, as seen by Internet users.
Disconnect If connected to your ISP, hang up the connection. Clear Log Delete all data currently in the Log. This will make it easier to read new messages. Refresh Update the data on screen.
9.3 Connection Status – Telstra Big Pond Data – Telstra Big Pond Screen Connection Physical Address The hardware address of this device, as seen by remote devices. (This is different to the hardware address seen by devices on the local LAN.) IP Address The IP Address of this device, as seen by Internet users. This address is allocated by your ISP (Internet Service Provider). Connection Status This indicates whether or not the connection is currently established.
Disconnect If connected to Telstra Big Pond, terminate the connection. Clear Log Delete all data currently in the Log. This will make it easier to read new messages. Refresh Update the data on screen.
9.4 Connection Status – SingTel RAS If using the SingTel RAS access method, a screen like the following example will be displayed when the "Connection Details" button is clicked. Data – SingTel RAS Screen Internet RAS Plan The RAS Plan which is currently used. Physical Address The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.) IP Address The IP Address of this device, as seen by Internet users.
Button: EITHER "Release" OR "Renew" This button will display automatically on connection (Dynamic IP address). If you have a Fixed (Static) IP address, this button has no effect. • If the ISP's DHCP Server has NOT allocated an IP Address for the IP-2000VPN, this button will say "Renew". Clicking the "Renew" button will attempt to re-establish the connection and obtain an IP Address from the ISP's DHCP Server.
9.5 Connection Status – Fixed/Dynamic IP Address If your access method is "Direct" (no login), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data – Fixed/Dynamic IP Address Screen Internet Physical Address The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.) IP Address The IP Address of this device, as seen by Internet users.
Button: EITHER "Release" OR "Renew" • If the ISP's DHCP Server has NOT allocated an IP Address for the IP-2000VPN, this button will say "Renew". Clicking the "Renew" button will attempt to re-establish the connection and obtain an IP Address from the ISP's DHCP Server. • If an IP Address has been allocated to the IP-2000VPN (by the ISP's DHCP Server), this button will say "Release". Clicking the "Release" button will break the connection and release the IP Address. Refresh: Update the data shown on screen.
9.6 Connection Status – L2TP If using L2TP (Layer 2 Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data – L2TP Screen Connection Physical Address: The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.) IP Address: The IP Address of this device, as seen by Internet users.
Buttons Connect If not connected, establish a connection to your ISP. Disconnect If connected to your ISP, hang up the connection. Clear Log Delete all data currently in the Log. This will make it easier to read new messages. Refresh Update the data on screen.
Chapter 10 Other Features & Settings Overview Normally, it is not necessary to use these screens, or change any settings. These screens and settings are provided to deal with non-standard situations, or to provide additional options for advanced users. The screens available are: Other Features and Settings Config File: Backup or restore the configuration file for the IP-2000VPN. This file contains all the configuration data. Network: Ping, DNS Lookup.
Config File Screen Data – Config File Screen Config File Backup Config Use this to download a copy of the current configuration, and store the file on your PC. Click Download to start the download. Restore Config This allows you to restore a previously-saved configuration file back to the IP-2000VPN. Click Browse to select the configuration file, then click Restore to upload the configuration file. WARNING ! ! Uploading a configuration file will destroy (overwrite) ALL of the existing settings.
10.2 Network Diagnostics This screen allows you to perform a "Ping" or a "DNS lookup". These activities can be useful in solving network problems. An example Network Diagnostics screen is shown below. Network Diagnostics Screen Data – Network Diagnostics Screen Ping IP Address Enter the IP address you wish to ping. The IP address can be on your LAN, or on the Internet. Note that if the address is on the Internet, and no connection currently exists, you could get a "Timeout" error.
10.3 PC Database The PC Database is used whenever you need to select a PC (e.g. for the "DMZ" PC). It eliminates the need to enter IP addresses. Also, you do not need to use fixed IP addresses on your LAN. PC Database Screen An example PC Database screen is shown below. • PCs which are "DHCP Clients" are automatically added to the database, and updated as required. • By default, non-Server versions of Windows act as "DHCP Clients"; this setting is called "Obtain an IP Address automatically".
IP Address Enter the IP Address of the PC. The PC will be sent a "ping" to determine its hardware address. If the PC is not available (not connected, or not powered On) you will not be able to add it. Buttons Add This will add the new PC to the list. The PC will be sent a "ping" to determine its hardware address. If the PC is not available (not connected, or not powered On) you will not be able to add it. Delete Delete the selected PC from the list.
Data – PC Database (Admin) Screen PC Database (Admin) Known PCs This lists all current entries. Data displayed is name (IP Address) type. The "type" indicates whether the PC is connected to the LAN. PC Properties Name If adding a new PC to the list, enter its name here. It is best if this matches the PC's "hostname". IP Address Select the appropriate option: • Automatic - The PC is set to be a DHCP client (Windows: "Obtain an IP address automatically").
10.4 Remote Administration Remote Administration allows you to connect to this interface via the Internet, using your Web browser. Data – Remote Administration Screen Information Information To establish a connection from the Internet: 1. Enable Remote Administration and configure this screen. 2. From a remote location, start your Browser. 3.
IP Address To manage this device via the Internet, you need to know the IP Address of this device, as seen from the Internet. This IP Address is allocated by your ISP, and is shown here if you are currently connected to the Internet. But if using a Dynamic IP Address, this value can change each time you connect to your ISP. There are 2 solutions to this problem: • Have your ISP allocate you a Fixed IP address.
10.5 Routing Overview • If you don't have other Routers or Gateways on your LAN, you can ignore the "Routing" page completely. • If the IP-2000VPN is only acting as a Gateway for the local LAN segment, ignore the "Routing" page even if your LAN has other Routers. • If your LAN has a standard Router (e.g. Cisco) on your LAN, and the IP-2000VPN is to act as a Gateway for all LAN segments, enable RIP (Routing Information Protocol) and ignore the Static Routing table.
Data – Routing Screen RIP RIP: Select the RIP (Routing Information Protocol) type based on the request and save the setting to enable it. The IP-2000VPN supports RIP 1, RIP 2B, and RIP 2M. Static Routing Static Routing Table Entries: This list shows all entries in the Routing Table. • The "Properties" area shows details of the selected item in the list. • Change any of the properties as required, then click the "Update" button to save the changes to the selected entry.
Properties • Destination Network - The network address of the remote LAN segment. For standard class "C" LANs, the network address is the first 3 fields of the Destination IP Address. The 4th (last) field can be left at 0. • Network Mask - The Network Mask for the remote LAN segment. For class "C" networks, the default mask is 255.255.255.0 • Gateway IP Address - The IP Address of the Gateway or Router which the IP-2000VPN must use to communicate with the destination above.
Other Routers on the Local LAN Other routers on the local LAN must use the IP-2000VPN's Local Router as the Default Route. The entries will be the same as the IP-2000VPN's local router, with the exception of the Gateway IP Address. • For a router with a direct connection to the IP-2000VPN's local Router, the Gateway IP Address is the address of the IP-2000VPN's local router.
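As an added example (not part of the manual, and not the router's own code), the following Python applies the Static Routing rules above to a table entry: it derives the Destination Network for any mask (generalising the class "C" rule of "first 3 fields, 4th field 0"), checks the entry for the mistakes the rules warn against, and produces the matching entry that other routers on the LAN need. The LAN subnet and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values for this example (not from the manual): the
# IP-2000VPN's LAN subnet and its own LAN IP Address (the "local router").
LOCAL_LAN = ipaddress.IPv4Network("192.168.0.0/24")
LOCAL_ROUTER_IP = "192.168.0.1"


def destination_network(dest_ip, mask):
    """Network address for a Static Routing entry.

    Generalises the manual's class "C" rule (keep the first 3 fields, set
    the 4th to 0) to any mask: every host bit of dest_ip is cleared.
    """
    net = ipaddress.IPv4Network(f"{dest_ip}/{mask}", strict=False)
    return str(net.network_address)


def check_static_route(dest_ip, mask, gateway, local_lan=LOCAL_LAN):
    """Return the problems found in one routing-table entry ([] if OK)."""
    try:
        net = ipaddress.IPv4Network(f"{dest_ip}/{mask}", strict=False)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as e:
        # Covers a non-contiguous mask such as 255.255.0.255 or a bad address.
        return [f"unparseable entry: {e}"]
    problems = []
    if ipaddress.IPv4Address(dest_ip) != net.network_address:
        problems.append(f"host bits set; use {net.network_address} as the Destination Network")
    if gw not in local_lan:
        # The gateway must be a router the IP-2000VPN can reach on its own LAN.
        problems.append(f"gateway {gw} is not on the local LAN {local_lan}")
    if net.overlaps(local_lan):
        problems.append("destination overlaps the local LAN; no static route is needed")
    return problems


def entry_for_other_router(dest_ip, mask, local_router_ip=LOCAL_ROUTER_IP):
    """Entry another router on the LAN needs for the same remote segment.

    Per the manual it equals the IP-2000VPN's own entry except that the
    Gateway IP Address becomes the IP-2000VPN's local router address.
    """
    return {"destination": destination_network(dest_ip, mask),
            "mask": mask, "gateway": local_router_ip}


if __name__ == "__main__":
    print(check_static_route("10.1.1.5", "255.255.255.0", "192.168.0.2"))
```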
10.6 Upgrade Firmware

Use this screen to upgrade your IP-2000VPN's firmware.
• You must download the required firmware file, and store it on your PC.
• During the upgrade process, all existing Internet connections will be terminated.
• The upgrade process must NOT be interrupted.

Data – Upgrade Firmware Screen

Upgrade Firmware
Broadband VPN Router Password: Enter the current password assigned to the IP-2000VPN. If no password has been assigned, leave this blank.

10.7 UPnP

An example UPnP screen is shown below.

Data – UPnP Screen

UPnP
Enable UPnP Services:
• UPnP (Universal Plug and Play) allows automatic discovery and configuration of equipment attached to your LAN. UPnP is supported by Windows ME, XP, or later.
• If Enabled, this device will be visible via UPnP.
• If Disabled, this device will not be visible via UPnP.
Allow Configuration...
• If checked, then UPnP users can change the configuration.
Appendix A PC Configuration

Overview
For each PC, the following may need to be configured:
• TCP/IP network settings
• Internet Access configuration

Windows Clients
This section describes how to configure Windows clients for Internet access via the IP-2000VPN. The first step is to check the PC's TCP/IP settings. The IP-2000VPN uses the TCP/IP network protocol for all functions, so it is essential that the TCP/IP protocol be installed and configured on each PC.

3. Click on the Properties button. You should then see a screen like the following. Ensure your TCP/IP settings are correct, as follows:

Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting, and it is recommended to use it. By default, the IP-2000VPN will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from the IP-2000VPN.

• On the DNS Configuration tab, ensure Enable DNS is selected. If the DNS Server Search Order list is empty, enter the DNS address provided by your ISP in the fields beside the Add button, then click Add.

Checking TCP/IP Settings - Windows NT4.0
1. Select Control Panel - Network, and, on the Protocols tab, select the TCP/IP protocol, as shown below.
2. Click the Properties button to see a screen like the one below.
3. Select the network card for your LAN.
4. Select the appropriate radio button - Obtain an IP address from a DHCP Server or Specify an IP Address, as explained below.

Obtain an IP address from a DHCP Server
This is the default Windows setting, and it is recommended to use it. By default, the IP-2000VPN will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from the IP-2000VPN.

6. The DNS should be set to the address provided by your ISP, as follows:
• Click the DNS tab.
• On the DNS screen, shown below, click the Add button (under DNS Service Search Order), and enter the DNS provided by your ISP.

Checking TCP/IP Settings - Windows 2000
1. Select Control Panel - Network and Dial-up Connection.
2. Right click the Local Area Connection icon and select Properties.
3. Select the TCP/IP protocol for your network card.
4. Click on the Properties button. You should then see a screen like the following.
5. Ensure your TCP/IP settings are correct, as described below.

Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting, and it is recommended to use it. By default, the IP-2000VPN will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from the IP-2000VPN.

Using a fixed IP Address ("Use the following IP Address")
If your PC is already configured, check with your network administrator before making the following changes.

5. Ensure your TCP/IP settings are correct.

Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting, and it is recommended to use it. By default, the IP-2000VPN will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from the IP-2000VPN.

Using a fixed IP Address ("Use the following IP Address")
If your PC is already configured, check with your network administrator before making the following changes.

4. Close the TCP/IP panel, saving your settings.
If using manually assigned IP addresses instead of DHCP, the required changes are:
• Set the Router Address field to the IP-2000VPN's IP Address.
• Ensure your DNS settings are correct.

Linux Clients
To access the Internet via the IP-2000VPN, it is only necessary to set the IP-2000VPN as the "Gateway". Ensure you are logged in as "root" before attempting any changes.

Fixed IP Address
By default, most Unix installations use a fixed IP Address.
Appendix B VPN Overview

This section describes the VPN (Virtual Private Network) support provided by your IP-2000VPN. A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network, typically the Internet. This secure connection is called a VPN Tunnel. There are many standards and protocols for VPNs. The standard implemented in the IP-2000VPN is IPSec.

Policies
VPN configuration settings are stored in Policies. Note that different vendors use different terms. Generally, the terms "VPN Policy", "IPSec Policy", and "IPSec Proposal" have the same meaning. However, some vendors separate IKE Policies (Phase 1 parameters) from IPSec Policies (Phase 2 parameters). For the IP-2000VPN, each VPN policy contains both Phase 1 and Phase 2 parameters (if IKE is used). Each policy defines:
• The address of the remote VPN endpoint.

IPSec
The IPSec parameters at each endpoint must match.
Appendix C Troubleshooting

Overview
This chapter covers some common problems that may be encountered while using the IP-2000VPN and some possible solutions to them. If you follow the suggested steps and the IP-2000VPN still does not function properly, contact your dealer for further advice.

General Problems
Problem 1: Can't connect to the IP-2000VPN to configure it.

Problem 2: Some applications do not run properly when using the IP-2000VPN.
Solution 2: The IP-2000VPN processes the data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this does not solve the problem, you can use the DMZ function. This should work with almost every application, but:
• It is a security risk, since the firewall is disabled.
• Only one (1) PC can use this feature.

Appendix D Specifications

Model: IP-2000VPN
Dimensions: 141mm(W) * 100mm(D) * 27mm(H)
Operating Temperature: 0° C to 40° C
Storage Temperature: -10° C to 70° C
Network Protocol: TCP/IP
Network Interface: 5 Ethernet:
• 3 * 10/100BaseT (RJ45) LAN connection
• 1 * 10/100BaseT (RJ45) DMZ connection
• 1 * 10/100BaseT (RJ45) for WAN
LEDs: 11
Power Adapter: 12 V DC External

AirLive IP-2000VPN User's Manual 174