LevelOne FBR-1404TX Broadband VPN Gateway w/ 4-port Switch User’s Manual Version:1.
Table of Contents
Chapter 1 Introduction: LevelOne Broadband VPN Gateway Features; Package Contents; Physical Details ...
... Certificates; CRLs; VPN Status; Examples ...
Chapter 1 Introduction
This Chapter provides an overview of the LevelOne Broadband VPN Gateway's features and capabilities.
Congratulations on the purchase of your new LevelOne Broadband VPN Gateway. The LevelOne Broadband VPN Gateway is a multi-function device providing the following services:
• Shared Broadband Internet Access for all LAN users.
• 4-Port Switching Hub for 10BaseT or 100BaseT connections.
LevelOne Broadband VPN Gateway User Guide Advanced Internet Functions • Communication Applications. Support for Internet communication applications, such as interactive Games, Telephony, and Conferencing applications, which are often difficult to use when behind a Firewall, is included. • Special Internet Applications. Applications which use non-standard connections or port numbers are normally blocked by the Firewall.
• Protection against DoS attacks. DoS (Denial of Service) attacks can flood your Internet connection with invalid packets and connection requests, using so much bandwidth and so many resources that Internet access becomes unavailable. The LevelOne Broadband VPN Gateway incorporates protection against DoS attacks.
• Rule-based Policy Firewall. To provide additional protection against malicious packets, you can define your own firewall rules.
Physical Details
Front-mounted LEDs
Figure 2: Front Panel
Power (Green): On - Power on. Off - No power.
Status (Red): On - Error condition. Off - Normal operation. Blinking - This LED blinks during start up.
LAN: For each port, there are 2 LEDs.
• Link/Act (Green): On - Corresponding LAN (hub) port is active. Off - No active connection on the corresponding LAN (hub) port.
WAN (Green)
Rear Panel
Figure 3: Rear Panel
Reset Button
This button has two (2) functions:
• Reboot. When pressed and released, the LevelOne Broadband VPN Gateway will reboot (restart).
• Clear All Data. This button can also be used to clear ALL data and restore ALL settings to the factory default values.
To Clear All Data and restore the factory default values:
1. Power Off.
2. Hold the Reset Button down while you Power On.
3.
Chapter 2 Installation
This Chapter covers the physical installation of the LevelOne Broadband VPN Gateway.
Requirements
• Network cables. Use standard 10/100BaseT network (UTP) cables with RJ45 connectors.
• TCP/IP protocol must be installed on all PCs.
• For Internet Access, an Internet Access account with an ISP, and either a DSL or Cable modem (for WAN port usage).
Procedure
Figure 4: Installation Diagram
1.
required. Just connect any LAN port to a normal port on the other hub, using a standard LAN cable.
3. Connect WAN Cable
Connect the DSL or Cable modem to the WAN port on the LevelOne Broadband VPN Gateway. Use the cable supplied with your DSL/Cable modem. If no cable was supplied, use a standard cable.
4. Power Up
• Power on the Cable or DSL modem.
• Connect the supplied power adapter to the LevelOne Broadband VPN Gateway and power up. Use only the power adapter provided.
Chapter 3 Setup This Chapter provides Setup details of the LevelOne Broadband VPN Gateway. Overview This chapter describes the setup procedure for: • Internet Access • LAN configuration PCs on your local LAN may also require configuration. For details, see Chapter 4 - PC Configuration. Other configuration may also be required, depending on which features and functions of the LevelOne Broadband VPN Gateway you wish to use. Use the table below to locate detailed instructions for the required functions.
Configure or use any of the following:
• Config File backup/restore
• PC Database
• Remote Admin
• Routing (RIP and static Routing)
• Upgrade Firmware
• UPnP
(Chapter 9: Other Features and Settings)
Where use of a certain feature requires that PCs or other LAN devices be configured, this is also explained in the relevant chapter.
Configuration Program
The LevelOne Broadband VPN Gateway contains an HTTP server. This enables you to connect to it, and configure it, using your Web Browser.
Using your Web Browser
To establish a connection from your PC to the LevelOne Broadband VPN Gateway:
1. After installing the LevelOne Broadband VPN Gateway in your LAN, start your PC. If your PC is already running, restart it.
2. Start your WEB browser.
3. In the Address box, enter "HTTP://" and the IP Address of the LevelOne Broadband VPN Gateway, as in this example, which uses the LevelOne Broadband VPN Gateway's default IP Address: HTTP://192.168.0.
Setup Wizard
The first time you connect to the LevelOne Broadband VPN Gateway, the Setup Wizard will run automatically. (The Setup Wizard will also run if the LevelOne Broadband VPN Gateway's default settings are restored.)
1. Step through the Wizard until finished.
• You need to know the type of Internet connection service used by your ISP. Check the data supplied by your ISP.
• The common connection types are explained in the tables below.
PPPoE
You connect to the ISP only when required. The IP address is usually allocated automatically. Data required: user name and password.
PPTP
Mainly used in Europe. You connect to the ISP only when required. The IP address is usually allocated automatically, but may be Static (Fixed). Data required:
• PPTP Server IP Address.
• User name and password.
• IP Address allocated to you, if Static (Fixed).
Other Modems (e.g.
Home Screen
After finishing or exiting the Setup Wizard, you will see the Home screen. When you connect in future, you will see this screen. An example screen is shown below.
Figure 6: Home Screen
Navigation & Data Input
• Use the menu bar on the top of the screen, and the "Back" button on your Browser, for navigation.
• Changing to another screen without clicking "Save" does NOT save any changes you may have made.
LAN Screen
Use the LAN link on the main menu to reach the LAN screen. An example screen is shown below.
Figure 7: LAN Screen
Data - LAN Screen
TCP/IP
IP Address: IP address for the LevelOne Broadband VPN Gateway, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range. In the latter case, enter an unused IP Address from within the range used by your LAN.
DHCP
What DHCP Does
A DHCP (Dynamic Host Configuration Protocol) Server allocates a valid IP address to a DHCP Client (PC or device) upon request.
• The client request is made when the client device starts up (boots).
• The DHCP Server provides the Gateway and DNS addresses to the client, as well as allocating an IP Address.
• The LevelOne Broadband VPN Gateway can act as a DHCP server.
• Windows 95/98/ME and other non-Server versions of Windows will act as a DHCP client.
Password Screen
The Admin Login screen allows you to assign a user name and password to the LevelOne Broadband VPN Gateway.
Figure 8: Password Screen
1. The default login name is "admin". Change this to the desired value.
2. The default password is blank (no password). Enter the desired password in the New Password and Verify Password fields. Because the device ships with no password, anyone who can reach its LAN interface (or its WAN interface, if Remote Admin is enabled) can change its configuration, so set a password before the device is put into service, and again after any factory reset, which restores the blank default.
3. Save your changes.
You will see a login prompt when you connect to the LevelOne Broadband VPN Gateway, as shown below.
Chapter 4 PC Configuration This Chapter details the PC Configuration required on the local ("Internal") LAN. Overview For each PC, the following may need to be configured: • TCP/IP network settings • Internet Access configuration Windows Clients This section describes how to configure Windows clients for Internet access via the LevelOne Broadband VPN Gateway. The first step is to check the PC's TCP/IP settings.
Checking TCP/IP Settings - Windows 9x/ME:
1. Select Control Panel - Network. You should see a screen like the following:
Figure 10: Network Configuration
2. Select the TCP/IP protocol for your network card.
3. Click on the Properties button. You should then see a screen like the following.
Figure 11: IP Address (Win 95)
Ensure your TCP/IP settings are correct, as follows:
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically.
• On the Gateway tab, enter the LevelOne Broadband VPN Gateway's IP address in the New Gateway field and click Add, as shown below. Your LAN administrator can advise you of the IP Address they assigned to the LevelOne Broadband VPN Gateway.
Figure 12: Gateway Tab (Win 95/98)
• On the DNS Configuration tab, ensure Enable DNS is selected. If the DNS Server Search Order list is empty, enter the DNS address provided by your ISP in the fields beside the Add button, then click Add.
Checking TCP/IP Settings - Windows NT4.0
1. Select Control Panel - Network, and, on the Protocols tab, select the TCP/IP protocol, as shown below.
Figure 14: Windows NT4.0 - TCP/IP
2. Click the Properties button to see a screen like the one below.
Figure 15: Windows NT4.0 - IP Address
3. Select the network card for your LAN.
4. Select the appropriate radio button - Obtain an IP address from a DHCP Server or Specify an IP Address, as explained below.
Obtain an IP address from a DHCP Server
This is the default Windows setting. Using this is recommended. By default, the LevelOne Broadband VPN Gateway will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from the LevelOne Broadband VPN Gateway.
Figure 16 - Windows NT4.0 - Add Gateway
2. The DNS should be set to the address provided by your ISP, as follows:
• Click the DNS tab.
• On the DNS screen, shown below, click the Add button (under DNS Service Search Order), and enter the DNS provided by your ISP.
Figure 17: Windows NT4.
Checking TCP/IP Settings - Windows 2000:
1. Select Control Panel - Network and Dial-up Connection.
2. Right-click the Local Area Connection icon and select Properties. You should see a screen like the following:
Figure 18: Network Configuration (Win 2000)
3. Select the TCP/IP protocol for your network card.
4. Click on the Properties button. You should then see a screen like the following.
Figure 19: TCP/IP Properties (Win 2000)
5. Ensure your TCP/IP settings are correct, as described below.
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the LevelOne Broadband VPN Gateway will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from the LevelOne Broadband VPN Gateway.
Checking TCP/IP Settings - Windows XP
1. Select Control Panel - Network Connection.
2. Right click the Local Area Connection and choose Properties. You should see a screen like the following:
Figure 20: Network Configuration (Windows XP)
3. Select the TCP/IP protocol for your network card.
4. Click on the Properties button. You should then see a screen like the following.
Figure 21: TCP/IP Properties (Windows XP)
5. Ensure your TCP/IP settings are correct.
Using DHCP
To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the LevelOne Broadband VPN Gateway will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from the LevelOne Broadband VPN Gateway.
Internet Access
To configure your PCs to use the LevelOne Broadband VPN Gateway for Internet access:
• Ensure that the DSL modem, Cable modem, or other permanent connection is functional.
• Use the following procedure to configure your Browser to access the Internet via the LAN, rather than by a Dial-up connection.
For Windows 9x/ME/2000
1. Select Start Menu - Settings - Control Panel - Internet Options.
Macintosh Clients
From your Macintosh, you can access the Internet via the LevelOne Broadband VPN Gateway. The procedure is as follows.
1. Open the TCP/IP Control Panel.
2. Select Ethernet from the Connect via pop-up menu.
3. Select Using DHCP Server from the Configure pop-up menu. The DHCP Client ID field can be left blank.
4. Close the TCP/IP panel, saving your settings.
Chapter 5 Operation and Status This Chapter details the operation of the LevelOne Broadband VPN Gateway and the status screens. Operation Once both the LevelOne Broadband VPN Gateway and the PCs are configured, operation is automatic. However, there are some situations where additional Internet configuration may be required: • If using Internet-based Communication Applications, it may be necessary to specify which PC receives an incoming connection.
Data - Status Screen
Internet
Connection Method: This indicates the current connection method, as set in the Setup Wizard.
Broadband Modem: This shows the connection status of the modem.
Internet Connection: Current connection status:
• Active
• Idle
• Unknown
• Failed
If there is an error, you can click the "Connection Details" button to find out more information.
Internet IP Address: This IP Address is allocated by the ISP (Internet Service Provider).
Connection Status - PPPoE
If using PPPoE (PPP over Ethernet), a screen like the following example will be displayed when the "Connection Details" button is clicked.
Figure 23: PPPoE Status Screen
Data - PPPoE Screen
Connection
Physical Address: The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.
Buttons
Connect: If not connected, establish a connection to your ISP.
Disconnect: If connected to your ISP, hang up the connection.
Clear Log: Delete all data currently in the Log. This will make it easier to read new messages.
Refresh: Update the data on screen.
Connection Log Messages
Connect on Demand: Connection attempt has been triggered by the "Connect automatically, as required" setting.
Connection Status - PPTP
If using PPTP (Point-to-Point Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked.
Figure 24: PPTP Status Screen
Data - PPTP Screen
Connection
Physical Address: The hardware address of this device, as seen by remote devices on the Internet. (This is different to the hardware address seen by devices on the local LAN.
Clear Log: Delete all data currently in the Log. This will make it easier to read new messages.
Refresh: Update the data on screen.
Connection Status - Telstra Big Pond
An example screen is shown below.
Figure 25: Telstra Big Pond Status Screen
Data - Telstra Big Pond Screen
Connection
Physical Address: The hardware address of this device, as seen by remote devices. (This is different to the hardware address seen by devices on the local LAN.
Connection Log
• The Connection Log shows status messages relating to the existing connection.
• The Clear Log button will restart the Log, while the Refresh button will update the messages shown on screen.
Buttons
Connect: If not connected, establish a connection to Telstra Big Pond.
Disconnect: If connected to Telstra Big Pond, terminate the connection.
Clear Log: Delete all data currently in the Log.
Default Gateway: The IP Address of the remote Gateway or Router associated with the IP Address above.
DNS IP Address: The IP Address of the Domain Name Server which is currently used.
DHCP Client: This will show "Enabled" or "Disabled", depending on whether or not this device is functioning as a DHCP client. If "Enabled", the "Remaining lease time" field indicates when the IP Address allocated by the DHCP Server will expire.
Connection Details - Fixed/Dynamic IP Address
If your access method is "Direct" (no login), a screen like the following example will be displayed when the "Connection Details" button is clicked.
Figure 27: Connection Details - Fixed/Dynamic IP Address
Data - Fixed/Dynamic IP address Screen
Internet
Physical Address: The hardware address of this device, as seen by remote devices on the Internet.
DHCP Server.
• If an IP Address has been allocated to the LevelOne Broadband VPN Gateway (by the ISP's DHCP Server), this button will say "Release". Clicking the "Release" button will break the connection and release the IP Address.
Refresh: Update the data shown on screen.
Chapter 6 Internet Features This Chapter explains when and how to use the LevelOne Broadband VPN Gateway's "Internet" Features.
WAN Port Configuration Screen
The WAN Port Configuration screen provides an alternative to using the Wizard. It can be accessed from the Internet menu. An example screen is shown below.
Figure 28: WAN Port Screen
Data - WAN Port Screen
Identification
Hostname: Normally, there is no need to change the default name, but if your ISP requests that you use a particular "Hostname", enter it here.
Domain name: If your ISP provided a domain name, enter it here.
Specified IP Address
Also called Static IP Address. Select this if your ISP has allocated you a fixed IP Address. If this option is selected, the following data must be entered.
• IP Address. The IP Address allocated by the ISP.
• Network Mask (Not required for PPPoE). This is also supplied by your ISP. It must be compatible with the IP Address above.
• Gateway IP Address (Not required for PPPoE). The address of the router or gateway, as supplied by your ISP.
MAC Address
MAC Address: Also called Network Adapter Address or Physical Address. This is a low-level identifier, as seen from the WAN port. Normally there is no need to change this, but some ISPs require a particular value, often that of the PC initially used for Internet access. You can use the Copy from PC button to copy your PC's address into this field, the Default button to insert the default value, or enter a value directly.
Send incoming calls to
This lists the PCs on your LAN.
• If necessary, you can add PCs manually, using the "PC Database" option on the advanced menu.
• For each application listed above, you can choose a destination PC.
• There is no need to "Save" after each change; you can set the destination PC for each application, then click "Save".
Outgoing Ports
Incoming Ports
• Type - Select the protocol (TCP or UDP) used when you receive data from the special application or service. (Note: Some applications use different protocols for outgoing and incoming data.)
• Start - Enter the beginning of the range of port numbers used by the application server, for data you receive. If the application uses a single port number, enter it in both the "Start" and "Finish" fields.
URL Filter
The URL Filter allows you to block access to undesirable Web sites.
• To use this feature, you must define "filter strings". If the "filter string" appears in a requested URL, the request is blocked.
• Enabling the URL Filter also affects the Internet Access Log. If Enabled, the "Destination" field in the log will display the URL. Otherwise, it will display the IP Address.
• The URL Filter can be Enabled or Disabled on the Advanced Internet screen.
Dynamic DNS (Domain Name System)
This free service is very useful when combined with the Virtual Server feature. It allows Internet users to connect to your Virtual Servers using a URL, rather than an IP Address. This also solves the problem of having a dynamic IP address. With a dynamic IP address, your IP address may change whenever you connect, which makes it difficult to connect to you.
The Service works as follows:
1. You must register for the service at http://www.dyndns.
DDNS Data
User Name: Enter the "User name" specified at the www.dyndns.org Web site when you registered.
Password: Enter your current password for www.dyndns.org.
Domain Name:
• Enter your domain name, as allocated at www.dyndns.org.
• The name should consist only of letters and the hyphen (dash). Using any other characters may cause problems.
DDNS Status: This message is returned by the DDNS Server at www.dyndns.
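The exchange behind the DDNS Status field, as an added example that is not part of the LevelOne manual or the gateway's firmware: a client builds the update request that the publicly documented DynDNS update protocol uses (hostname and myip query parameters, credentials as HTTP Basic authentication), then parses the one-line status the server returns and decides whether another update may be sent. The hostname, user name, password and addresses are constructed sample values, and the user-agent string is an assumption.

```python
import base64
from urllib.parse import urlencode

UPDATE_HOST = "members.dyndns.org"
UPDATE_PATH = "/nic/update"

# Return codes defined by the DynDNS update protocol, grouped by what the
# client must do next.  A "fatal" code means: stop sending updates until an
# operator has fixed the cause, otherwise the host or account gets blocked.
RETURN_CODES = {
    "good":     ("ok",    "address updated"),
    "nochg":    ("ok",    "address already current; do not resend it"),
    "badauth":  ("fatal", "user name or password rejected"),
    "notfqdn":  ("fatal", "hostname is not a fully qualified domain name"),
    "nohost":   ("fatal", "hostname does not belong to this account"),
    "numhost":  ("fatal", "too many hostnames in one request"),
    "abuse":    ("fatal", "hostname blocked for update abuse"),
    "badagent": ("fatal", "client user agent blocked"),
    "dnserr":   ("retry", "server-side DNS error"),
    "911":      ("retry", "server-side problem, retry later"),
}


def build_update_request(hostname, username, password, myip):
    """Return (request_line, headers) for one HTTP update request.
    The credentials travel in a Basic Authorization header, so the request
    must go over TLS or the DDNS password is exposed on the wire."""
    query = urlencode({"hostname": hostname, "myip": myip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Host": UPDATE_HOST,
        "Authorization": f"Basic {token}",
        # Assumed agent name; the protocol requires some identifying string.
        "User-Agent": "example-ddns-client/1.0",
    }
    return f"GET {UPDATE_PATH}?{query} HTTP/1.1", headers


def parse_update_response(body):
    """Parse the status line the server returns ('good 203.0.113.7',
    'badauth', ...).  Returns (code, severity, ip_or_None, message)."""
    parts = body.strip().split()
    if not parts:
        return "empty", "retry", None, "empty response"
    code = parts[0]
    ip = parts[1] if len(parts) > 1 else None
    severity, message = RETURN_CODES.get(code, ("fatal", "unrecognised response"))
    return code, severity, ip, message


class DdnsClient:
    """Minimal client state: the address the server last accepted, and
    whether a fatal response has suspended further updates."""

    def __init__(self, hostname, username, password):
        self.hostname, self.username, self.password = hostname, username, password
        self.last_ip = None
        self.suspended = None   # reason string once a fatal code is seen

    def next_request(self, current_ip):
        """Return the request to send for current_ip, or None if none is due."""
        if self.suspended or current_ip == self.last_ip:
            return None
        return build_update_request(self.hostname, self.username,
                                    self.password, current_ip)

    def handle_response(self, body):
        code, severity, ip, message = parse_update_response(body)
        if severity == "ok":
            self.last_ip = ip or self.last_ip
        elif severity == "fatal":
            self.suspended = f"{code}: {message}"
        return code, severity


if __name__ == "__main__":
    # Constructed sample exchange.
    client = DdnsClient("example.dyndns.org", "user", "pw")
    line, hdrs = client.next_request("203.0.113.7")
    print(line, hdrs["Authorization"])
    print(client.handle_response("good 203.0.113.7"))
    print(client.next_request("203.0.113.7"))   # None: address unchanged
    print(client.handle_response("badauth"))
    print(client.next_request("203.0.113.8"))   # None: updates suspended
```

The fatal codes are why a client must stop on its own: a gateway that keeps retrying with a rejected password or a blocked hostname gets the whole account blocked, which is the failure mode behind a DDNS Status that suddenly reports abuse. Sending only when the address actually changes avoids the nochg responses that count against the client in the same way.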
Virtual Servers
This feature allows you to make Servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because:
• Your Server does not have a valid external IP Address.
• Attempts to connect to devices on your LAN are blocked by the firewall in this device.
The "Virtual Server" feature solves these problems and allows Internet users to connect to your servers, as illustrated below. Note that each Virtual Server deliberately opens a path through the firewall to that LAN server, so forward only the ports a server actually needs, and keep that server patched and hardened as you would any Internet-facing host.
Virtual Servers Screen
The Virtual Servers screen is reached by the Virtual Servers link on the Internet menu. An example screen is shown below.
Figure 34: Virtual Servers Screen
This screen lists a number of pre-defined Servers, providing a quick and convenient method to set up the common server types.
Data - Virtual Servers Screen
Servers
Servers: This lists a number of pre-defined Servers, plus any Servers you have defined.
It is more convenient if you are using a Fixed IP Address from your ISP, rather than Dynamic. However, you can use the Dynamic DNS feature, described in the following section, to allow users to connect to your Virtual Servers using a URL, rather than an IP Address.
Internet Options
This screen allows advanced users to enter or change a number of settings. For normal operation, there is no need to use this screen or change any settings.
Chapter 7 Security Configuration This Chapter explains the settings available via the security configuration section of the "Security" menu. Overview The following advanced configurations are provided.
Access Control
This feature is accessed by the Access Control link on the Security menu.
The Access Control feature allows administrators to restrict the level of Internet Access available to PCs on your LAN. With the default settings, everyone has unrestricted Internet access.
To use this feature:
1. Set the desired restrictions on the "Default" group. All PCs are in the "Default" group unless explicitly moved to another group.
"Members" Button
Click this button to add or remove members from the current Group.
• If the current group is "Default", then members cannot be added or deleted. This group contains PCs not allocated to any other group.
• To remove PCs from the Default Group, assign them to another Group.
• To assign PCs to the Default Group, delete them from the Group they are currently in.
See the following section for details of the Group Members screen.
Group Members Screen
This screen is displayed when the Members button on the Access Control screen is clicked.
Figure 37: Group Members
Use this screen to add or remove members (PCs) from the current group.
• The "Del >>" button will remove the selected PC (in the Members list) from the current group.
• The "<< Add" button will add the selected PC (in the Other PCs list) to the current group.
PCs not assigned to any group will be in the "Default" group.
Firewall Rules
For normal operation and LAN protection, it is not necessary to use this screen. The Firewall will always block DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it - the service is unavailable.
You can also use this screen to create Firewall rules to block or allow specific traffic, but incorrect configuration may cause serious problems: an over-broad "allow" rule exposes LAN systems to the Internet, and an over-broad "block" rule cuts off legitimate traffic. Check each rule's source, destination and service before saving it.
Data
For each rule, the following data is shown:
• Name - The name you assigned to the rule.
• Source - The traffic covered by this rule, defined by the source IP address. If the IP address is followed by ... this indicates there is a range of IP addresses, rather than a single address.
• Destination - The traffic covered by this rule, defined by destination IP address. If the IP address is followed by ...
Firewall Rule
Clicking the "Add" button in the Firewall Rules screen will display a screen like the example below.
Figure 39: Firewall Rule
Data - Firewall Rule Screen
Name: Enter a suitable name for this rule.
Type: This determines the source and destination ports for traffic covered by this rule. Select the desired option.
Source IP: These settings determine which traffic, based on its source IP address, is covered by this rule.
Dest IP: These settings determine which traffic, based on its destination IP address, is covered by this rule. Select the desired option:
• Any - Traffic to any destination address is covered by this rule.
• Single address - Enter the required IP address in the "Start IP address" field. You can ignore the "Subnet Mask" field.
• Range address - If this option is selected, you must complete both the "Start IP address" and "Finish IP address" fields.
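A model of how a rule's Source IP, Dest IP and service settings select traffic, as an added example in Python (not the gateway's firmware): each selector is Any, Single address, Range address or Subnet, a service is a protocol plus a port range, and a constructed rule set is evaluated over constructed packets. The first-match evaluation order and the block-by-default fallback are assumptions, since the manual does not state them; the reachable_from_anywhere check is one way to spot the over-broad "allow" rule the Firewall Rules section warns about.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AddrSel:
    """One Source IP / Dest IP selector as the Firewall Rule screen defines it."""
    kind: str          # "any", "single", "range" or "subnet"
    start: str = ""    # "Start IP address"
    finish: str = ""   # "Finish IP address" (range only)
    mask: str = ""     # "Subnet Mask" (subnet only)

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        if self.kind == "any":
            return True
        if self.kind == "single":
            return addr == ipaddress.ip_address(self.start)
        if self.kind == "range":
            return (ipaddress.ip_address(self.start) <= addr
                    <= ipaddress.ip_address(self.finish))
        if self.kind == "subnet":
            net = ipaddress.ip_network(f"{self.start}/{self.mask}", strict=False)
            return addr in net
        raise ValueError(f"unknown selector kind {self.kind!r}")


@dataclass(frozen=True)
class Service:
    """A Services entry: protocol plus a destination port range."""
    name: str
    proto: str   # "tcp" or "udp"
    start: int
    finish: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "block"
    src: AddrSel
    dst: AddrSel
    service: Service


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def rule_matches(rule, pkt):
    svc = rule.service
    return (pkt.proto == svc.proto
            and svc.start <= pkt.dst_port <= svc.finish
            and rule.src.matches(pkt.src_ip)
            and rule.dst.matches(pkt.dst_ip))


def evaluate(rules, pkt, default="block"):
    """Return (action, rule_name) for the first matching rule.
    Assumption: first match wins, and unmatched inbound traffic is blocked."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


def reachable_from_anywhere(rules, dst_ip, service):
    """Would a source outside every specific selector reach dst_ip:service?
    192.0.2.1 (TEST-NET-1) stands in for an arbitrary Internet host."""
    probe = Packet("192.0.2.1", dst_ip, service.proto, service.start)
    return evaluate(rules, probe)[0] == "allow"


HTTP = Service("HTTP", "tcp", 80, 80)
SSH = Service("SSH", "tcp", 22, 22)

# Constructed sample rule set: an abusive address range is blocked first,
# SSH to the server is limited to the branch office subnet, HTTP is open.
SAMPLE_RULES = [
    Rule("block-abuser-range", "block",
         AddrSel("range", "203.0.113.100", "203.0.113.200"), AddrSel("any"), HTTP),
    Rule("admin-ssh", "allow",
         AddrSel("subnet", "198.51.100.0", mask="255.255.255.0"),
         AddrSel("single", "192.168.0.10"), SSH),
    Rule("public-web", "allow",
         AddrSel("any"), AddrSel("single", "192.168.0.10"), HTTP),
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "192.168.0.10", "tcp", 22),
                Packet("203.0.113.9", "192.168.0.10", "tcp", 22),
                Packet("203.0.113.150", "192.168.0.10", "tcp", 80)):
        print(pkt, "->", evaluate(SAMPLE_RULES, pkt))
    print("SSH open to the world:", reachable_from_anywhere(SAMPLE_RULES, "192.168.0.10", SSH))
```

Changing the admin-ssh source selector to AddrSel("any") is the classic over-broad rule: every other line stays the same, but reachable_from_anywhere then reports SSH as open to the whole Internet, which is exactly the kind of check worth running before saving a rule on the real device.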
Logs
The Logs record various types of activity on the LevelOne Broadband VPN Gateway. This data is useful for troubleshooting, but enabling all logs will generate a large amount of data and adversely affect performance.
Since only a limited amount of log data can be stored in the LevelOne Broadband VPN Gateway, log data can also be E-mailed to your PC or sent to a Syslog Server.
E-Mail Logs
Send E-mail alert: If enabled, an E-mail will be sent immediately if a DoS (Denial of Service) attack is detected. If enabled, the E-mail address information must be provided.
E-mail Logs: You can choose to have the logs E-mailed to you, by enabling either or both checkboxes. If enabled, the Log will be sent to the specified E-mail address. The interval between E-mails is determined by the "Send" setting.
Send: Select the desired option for sending the log by E-mail.
Security Options
This screen allows you to set Firewall and other security-related options.
Figure 41: Security Options Screen
Data - Security Options Screen
SPI Firewall
Enable DoS Firewall: If enabled, DoS (Denial of Service) attacks will be detected and blocked. The default is enabled. It is strongly recommended that this setting be left enabled.
Options
Respond to ICMP: The ICMP protocol is used by the "ping" and "trace route" programs, and by network monitoring and diagnostic programs.
• If checked, the LevelOne Broadband VPN Gateway will respond to ICMP packets received from the Internet.
• If not checked, ICMP packets from the Internet will be ignored. Disabling this option provides a slight increase in security.
Allow IPsec
Allow PPTP
Allow L2TP
Allow TFTP firmware upgrade: TFTP has no authentication of its own, so leave this option disabled except while you are actually performing an upgrade.
Scheduling
• This schedule can be (optionally) applied to any Access Control Group.
• Blocking will be performed during the scheduled time (between the "Start" and "Finish" times).
• Two (2) separate sessions or periods can be defined.
• Times must be entered using a 24 hr clock.
• If the time for a particular day is blank, no action will be performed.
Define Schedule Screen
This screen is accessed by the Scheduling link on the Security menu.
Services
Services are used in defining traffic to be blocked or allowed by the Access Control or Firewall Rules features. Many common Services are pre-defined, but you can also define your own services if required.
To view the Services screen, select the Services link on the Security menu.
Figure 43: Services Screen
Data - Services Screen
Available Services
Available Services: This lists all the available services.
"Delete" button: Use this to delete any Service you have added.
Cancel: Clear the "Add New Service" area, ready for entering data for a new Service.
Chapter 8 VPN This Chapter describes the VPN capabilities and configuration required for common situations. Overview This section describes the VPN (Virtual Private Network) support provided by your LevelOne Broadband VPN Gateway. A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network - typically the Internet. This secure connection is called a VPN Tunnel. There are many standards and protocols for VPNs.
• Phase I is the negotiation and establishment of the IKE connection.
• Phase II is the negotiation and establishment of the IPsec connection.
Because the IKE and IPsec connections are separate, they have different SAs (security associations).
Policies
VPN configuration settings are stored in Policies. Each policy defines:
• The address of the remote VPN endpoint
• The traffic which is allowed to use the VPN connection.
Common VPN Situations
VPN Pass-through
Figure 44: VPN Pass-through
Here, a PC on the LAN behind the Router/Gateway is using VPN software, but the Router/Gateway is NOT acting as a VPN endpoint. It is only allowing the VPN connection.
• The PC software can use any VPN protocol supported by the remote VPN.
• The remote VPN Server must support client PCs which are behind a NAT router, and so have an IP address which is not valid on the Internet.
Connecting 2 LANs via VPN
Figure 46: Connecting 2 VPN Gateways
This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN.
• The 2 LANs MUST use different IP address ranges.
• The VPN Policies at each end determine when a VPN tunnel will be established, and what systems on the remote LAN can be accessed once the VPN connection is established.
• It is possible to have simultaneous VPN connections to many remote sites.
VPN Policies
This section covers the configuration required on the LevelOne Broadband VPN Gateway when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies). Details of using Certificates are covered in a later section.
VPN Policies Screen
To view this screen, select VPN Policies from the VPN menu. This screen lists all existing VPN policies. If no policies exist, the list will be empty.
Move: There are 2 ways to change the order of policies:
• Use the up and down indicators on the right to move the selected row. You must confirm your changes by clicking "OK". If you change your mind before clicking "OK", click "Cancel" to reverse your changes.
• Click "Move" to directly specify a new location for the selected policy.
Enable/Disable: Use this to toggle the On/Off state of the selected policy.
Figure 49: VPN Wizard - General

General Settings
Policy Name
Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies.

Enable Policy
Enable or disable the policy as required. For each remote VPN, only 1 policy can be enabled at any time.

Remote VPN Endpoint
The Internet IP address of the remote VPN endpoint (Gateway or client).
• Dynamic. Select this if the Internet IP address is unknown.
Figure 50: VPN Wizard - Traffic Selector
• For outgoing VPN connections, these settings determine which traffic will cause a VPN tunnel to be created, and which traffic will be sent through the tunnel.
• For incoming VPN connections, these settings determine which systems on your local LAN will be available to the remote endpoint.
• The 2 VPN endpoints MUST use different address ranges.
Remote IP addresses
Type
• Single address - enter an IP address in the "Start IP address" field.
• Range address - enter the starting IP address in the "Start IP address" field, and the finish IP address in the "Finish IP address" field.
• Subnet address - enter the desired IP address in the "Start IP address" field, and the network mask in the "Subnet Mask" field.
The remote VPN should have these IP addresses entered as its "Local" addresses.
3. Click Next to continue.
These settings must match the remote VPN. Note that you cannot use both AH and ESP.

Manually assigned Keys
AH Authentication
AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. (AH is often NOT used.) If AH is not enabled, the following settings can be ignored.

Keys
• The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
• Click "Next" to view the final screen.
• On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard.

IKE Phase 1
If you selected IKE, the following screen is displayed after the Traffic Selector screen.
Figure 52: VPN Wizard - IKE Phase 1

IKE Phase 1 (IKE SA)
Direction
Select the desired option:
• Initiator - Only outgoing connections will be created. Incoming connection attempts will be rejected.
• Responder - Only incoming connections will be accepted.
IKE Exchange Mode
Select the desired option, and ensure the remote VPN endpoint uses the same mode. Main Mode provides identity protection for the hosts initiating the IPSec session, but takes slightly longer to complete. Aggressive Mode provides no identity protection, but is quicker.

IKE SA Life Time
This setting does not have to match the remote VPN endpoint; the shorter time will be used.
ESP Encryption
ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both ESP Encryption and ESP Authentication. Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower.

ESP Authentication
Generally, you should enable ESP Authentication. There is little difference between the available algorithms.
Certificates
Certificates are used to authenticate users. Certificates are issued to you by various CAs (Certification Authorities). These Certificates are called "Self Certificates". Each CA also issues a certificate to itself. This Certificate is required in order to validate communication with the CA. These certificates are called "Trusted Certificates".
Adding a Trusted Certificate
1. After obtaining a new Certificate from the CA, you need to upload it to the LevelOne Broadband VPN Gateway.
2. On the "Certificates" screen, click the "Add Trusted Certificate" button to view the Add Trusted Certificate screen, shown below.
Figure 55: Add Trusted Certificate
3. Click the "Browse" button, and locate the certificate file on your PC.
4. Select the file. The name will appear in the "Certificate File" field.
3. Subject Name
This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field.

Hash Algorithm
Select the desired option.

Signature Algorithm
Select the desired option. RSA is recommended.

Signature Key Length
Select the desired option.
Figure 58: Add Self Certificate (3)
8. Upload the Certificate:
• Click the "Browse" button, and locate the certificate file on your PC.
• Select the file. The name will appear in the "Certificate File" field.
• Click "Upload" to upload the certificate file to the LevelOne Broadband VPN Gateway.
• Click "Finished" to return to the Certificate list. The new Certificate will appear in the list.
CRLs
CRLs are only necessary if using Certificates. CRL (Certificate Revocation List) files show Certificates which have been revoked, and are no longer valid. Each CA issues their own CRLs. It is VERY IMPORTANT to keep your CRLs up-to-date. You need to obtain the CRL for each CA regularly. The "Next Update" field in the CRL shows when the next update will be available.

To add a New CRL
1. Obtain the CRL file from your CA.
2. Select CRL from the VPN menu.
VPN Status
This screen lists all VPN SAs (Security Associations) which exist at the current time.
• If no VPN tunnels exist at the current time, the table will be empty.
• To update the display, click the "Refresh" button.
• If using IKE, there is one SA for the IKE connection, and another SA for the IPSec connection.
• For each VPN SA the following data is displayed.
Examples
This section describes some examples of using the LevelOne Broadband VPN Gateway in common VPN situations.

Example 1: Connecting 2 LevelOne Broadband VPN Gateways
In this example, 2 LANs are connected via VPN.
Figure 62: Connecting 2 LevelOne Broadband VPN Gateways
Note
• The LANs MUST use different IP address ranges.
• Both endpoints have fixed WAN (Internet) IP addresses.
Setting | Gateway 1 | Gateway 2 | Notes
IKE Authentication method | Pre-shared Key | Pre-shared Key | Certificates are not widely used.
Pre-shared Key | Xxxxxxxxxx | Xxxxxxxxxx | Must match
IKE Authentication algorithm | MD5 | MD5 | Must match
IKE Encryption | DES | DES | Must match
IKE Exchange mode | Main Mode | Main Mode | Must match
DH Group | Group 1 (768 bit) | Group 1 (768 bit) | Must match
IKE SA Life time | 28800 | 28800 | Does not have to match. Shorter period will be used.
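A consistency check for the two endpoint policies of one tunnel, written as an added example (not LevelOne's code) that applies the "Must match" and "Shorter period will be used" notes of this table and the Single/Range/Subnet Traffic Selector types from the wizard; the field names and the sample policy values are assumptions constructed for illustration.

```python
"""Consistency check for the two endpoint policies of one IPsec/IKE tunnel,
following the Traffic Selector types and the "Must match" / "Does not have to
match" notes in this manual. Added example, not LevelOne code; the field names
and sample values are constructed for illustration."""
import ipaddress

# Settings the manual marks "Must match" on both endpoints.
MUST_MATCH = ("ike_auth_method", "pre_shared_key", "ike_auth_alg",
              "ike_encryption", "ike_exchange_mode", "dh_group",
              "esp_auth", "esp_encryption")
# Lifetimes do not have to match: the shorter period is used.
LIFETIMES = ("ike_sa_lifetime", "ipsec_sa_lifetime")


def selector_networks(kind, start, finish=None, mask=None):
    """Expand a Traffic Selector entry (Single, Range or Subnet address, as
    on the wizard screen) into a list of IPv4 networks."""
    if kind == "single":
        return [ipaddress.ip_network(start)]
    if kind == "range":
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(finish)))
    if kind == "subnet":
        return [ipaddress.ip_network(f"{start}/{mask}", strict=False)]
    raise ValueError(f"unknown selector type {kind!r}")


def check_policy_pair(local, remote):
    """Return a list of problems between the two endpoint policies; an empty
    list means the pair is consistent."""
    problems = [f"{f}: {local[f]!r} != {remote[f]!r}"
                for f in MUST_MATCH if local[f] != remote[f]]
    lan_a = selector_networks(*local["local"])
    lan_b = selector_networks(*remote["local"])
    # The two LANs MUST use different (non-overlapping) address ranges.
    if any(a.overlaps(b) for a in lan_a for b in lan_b):
        problems.append(f"LAN address ranges overlap: {lan_a} and {lan_b}")
    # Each side's "Remote" selector should equal the other side's "Local" one.
    if selector_networks(*local["remote"]) != lan_b:
        problems.append("local 'remote' selector does not equal the remote LAN")
    if selector_networks(*remote["remote"]) != lan_a:
        problems.append("remote 'remote' selector does not equal the local LAN")
    return problems


def effective_lifetimes(local, remote):
    """Lifetimes actually applied to the SAs: the shorter of the two values."""
    return {f: min(local[f], remote[f]) for f in LIFETIMES}


# Constructed sample pair: Gateway 1 (LAN 192.168.0.0/24), Gateway 2 (LAN 192.168.1.0/24).
COMMON = dict(ike_auth_method="Pre-shared Key", pre_shared_key="Xxxxxxxxxx",
              ike_auth_alg="MD5", ike_encryption="DES", ike_exchange_mode="Main Mode",
              dh_group="Group 1 (768 bit)", esp_auth="Enable/MD5", esp_encryption="Enable/DES")
GATEWAY_1 = dict(COMMON, ike_sa_lifetime=28800, ipsec_sa_lifetime=28800,
                 local=("subnet", "192.168.0.0", None, "255.255.255.0"),
                 remote=("subnet", "192.168.1.0", None, "255.255.255.0"))
GATEWAY_2 = dict(COMMON, ike_sa_lifetime=3600, ipsec_sa_lifetime=28800,
                 local=("subnet", "192.168.1.0", None, "255.255.255.0"),
                 remote=("subnet", "192.168.0.0", None, "255.255.255.0"))

if __name__ == "__main__":
    print(check_policy_pair(GATEWAY_1, GATEWAY_2))    # [] : consistent
    print(effective_lifetimes(GATEWAY_1, GATEWAY_2))  # IKE SA lifetime 3600 is used
    # A mismatched peer: Aggressive Mode, and a LAN that overlaps Gateway 1's LAN.
    bad = dict(GATEWAY_2, ike_exchange_mode="Aggressive Mode",
               local=("subnet", "192.168.0.128", None, "255.255.255.128"))
    print(*check_policy_pair(GATEWAY_1, bad), sep="\n")
```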
Example 2: Windows 2000/XP Client to LAN
In this example, a Windows 2000/XP client connects to the LevelOne Broadband VPN Gateway and gains access to the local LAN.
Figure 63: Windows 2000/XP Client to LevelOne Broadband VPN Gateway
To use 3DES encryption, you need Service Pack 3 or later installed on Windows 2000.

LevelOne Broadband VPN Gateway Configuration
Setting | Value | Notes
Name | Win Client | Name does not affect operation. Select a meaningful name.
DH Group | Group 1 (768 bit) | Must match client PC
IKE SA Life time | 28800 | Does not have to match client PC. Shorter period will be used.
IKE PFS | Disable | Must match client PC
IPSec SA Parameters
IPSec SA Life time | 28800 | Does not have to match. Shorter period will be used.
IPSec PFS | Disable | Must match client PC
AH authentication | Disabled | AH is rarely used
ESP authentication | Enable/MD5 | Must match client PC
ESP encryption | Enable/DES | Must match client PC

Windows Client Configuration
Figure 65: Windows 2000/XP - Policy Properties
6. • Note that no rules are in use. Two (2) rules are required - incoming and outgoing.
   • The outgoing rule will be added first. Deselect the "Use Add Wizard" checkbox, then click "Add" to view the screen below.
Figure 66: IP Filter List
7. Type "To DUT" for the name, then click "Add" to see a screen like the following.
Figure 67: Filter Properties: Addressing
8. Enter the Source IP address and the Destination IP address.
   • Since this is the outgoing filter, the Source IP address is "My IP address" and the Destination IP address is the address range used on the remote LAN.
   • Ensure the Mirrored option is checked.
9. Click "OK" to save your settings and close this dialog.
Figure 68: New Rule Properties: IP Filter List
Figure 69: New Rule Properties: Filter Action
11. Select Require Security, then click the "Edit" button to view the Require Security Properties screen.
Figure 70: Require Security Properties
12. Select Negotiate security (this selects IKE), then click "Add".
Figure 71: Modify Security Method
13. On the resulting screen (above), select High [ESP], then click "OK" to save your changes and return to the Require Security Properties screen.
Figure 72: Require Security Properties
14. Ensure the following settings are correct, then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.
15. Click the Tunnel Setting tab, then select The tunnel endpoint is specified by this IP address. Enter the WAN (Internet) IP address of the LevelOne Broadband VPN Gateway, as shown below.
Figure 73: Tunnel Setting
16. Click the Authentication Methods tab, then click "Edit" to see a screen like the example below.
Figure 74: Authentication Method
19. Click "Close" to return to the DUT to Win2K properties screen. The "To DUT" filter should now be listed, as shown below.
Figure 75: Windows 2000/XP Client to LevelOne Broadband VPN Gateway
20. To add the second (outgoing) rule, click "Add". For the name, enter "To Win2K", then click "Add".
Figure 76: Windows 2000/XP Client to LevelOne Broadband VPN Gateway
21. Enter the Source IP address and the Destination IP address as shown below.
Figure 77: Filter Properties: Addressing
22. Click "OK" to save your changes, then "Close".
Figure 78: Filter List
23. Ensure the "To Win2K" filter is selected, then click the Filter Action tab.
Figure 79: Filter Action
24. Select Require Security, then click "Edit". On the Require Security Methods screen below, select Negotiate security.
Figure 80: Security Methods
25. Click the "Add" button. On the resulting Modify Security Method screen below, select High [ESP].
Figure 81: Modify Security Method
26. Click "OK" to save your changes, then click "OK" again to return to the Filter Action screen.
27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (172.10.9.10 in this example).
Figure 82: Tunnel Setting
28. Select the Authentication Methods tab, and click the "Edit" button to see the screen below.
Figure 83: Authentication Method
29. Select Use this string to protect the key exchange (preshared key), then enter your preshared key in the field provided.
30. Click "OK" to save your settings, then "Close" to return to the DUT to Win2K Properties screen. There should now be 2 IP Filters listed, as shown below.
Figure 84: DUT to Win2K Properties
31. Select the General tab.
Figure 85: Properties - General Tab
32. Click the "Advanced" button to see the screen below.
Figure 86: Key Exchange Settings
33. Click the "Methods" button to see the screen below.
Figure 87: Key Exchange Security Methods
34. Select the first entry, and click the "Edit" button to see the following screen.
Figure 88: IKE Security Algorithms
35. Select "SHA1" for Integrity Algorithm, "3DES" for Encryption algorithm, and "Low(1)" for the Diffie-Hellman Group.
36. Click "OK" to save, then "OK" again, and then "Close" to return to the Local Security Settings screen.
37. Right-click the DUT to Win2K Policy and select "Assign" to make your policy active.
Example 3: Windows 2000 Server to VPN Gateway
In this example, a Windows 2000 Server connects to the LevelOne Broadband VPN Gateway. Users on each LAN can then gain access to the remote LAN.
Figure 90: LevelOne Broadband VPN Gateway to Windows 2000 Server

LevelOne Broadband VPN Gateway Configuration
This is the same as for the client setup earlier, with the exception of the IP address range for the remote endpoint.
Windows 2000 Server Configuration
Configuration is the same as for Example 2: Windows 2000/XP Client to LAN, except for specifying the Source and Destination addresses for the "Filter Properties". Instead, for both IP Filters, the Filter Properties - Addressing should be completed as follows.
Figure 91: Windows 2000 Server - Addressing
• The Source Address should be set to "A specific IP Subnet", and the IP address and Subnet mask set to the address range used on the LevelOne Broadband VPN Gateway's LAN.
Chapter 9 Other Features and Settings
This Chapter explains the screens and settings available via the "Other" menu.

Overview
Normally, it is not necessary to use these screens, or change any settings. These screens and settings are provided to deal with non-standard situations, or to provide additional options for advanced users. The screens available are:

PC Database
This is the list of PCs shown when you select the "DMZ PC", "Virtual Server", or "Internet Application".
PC Database
The PC Database is used whenever you need to select a PC (e.g. for the "DMZ" PC). It eliminates the need to enter IP addresses. Also, you do not need to use fixed IP addresses on your LAN.

PC Database Screen
An example PC Database screen is shown below.
Figure 92: PC Database
• PCs which are "DHCP Clients" are automatically added to the database, and updated as required.
Data - PC Database Screen
Known PCs
This lists all current entries. Data displayed is name (IP Address) type. The "type" indicates whether the PC is connected to the LAN.

Name
If adding a new PC to the list, enter its name here. It is best if this matches the PC's "hostname".

IP Address
Enter the IP Address of the PC. The PC will be sent a "ping" to determine its hardware address.
PC Database (Admin)
This screen is displayed if the "Advanced Administration" button on the PC Database is clicked. It provides more control than the standard PC Database screen.
Figure 93: PC Database (Admin)

Data - PC Database (Admin) Screen
Known PCs
This lists all current entries. Data displayed is name (IP Address) type. The "type" indicates whether the PC is connected to the LAN.

PC Properties
Name
If adding a new PC to the list, enter its name here.
MAC Address
Select the appropriate option:
• Automatic discovery - Select this to have the LevelOne Broadband VPN Gateway contact the PC and find its MAC address. This is only possible if the PC is connected to the LAN and powered On.
• MAC is - Enter the MAC address of the PC. The MAC address is also called the "Hardware Address", "Physical Address", or "Network Adapter Address".
Remote Administration
This feature allows you to manage the LevelOne Broadband VPN Gateway via the Internet.
Figure 94: Remote Administration Screen

Data - Remote Administration Screen
Remote Administration
Enable Remote Administration
Enable to allow administration via the Internet. If Disabled, this device will ignore management connection attempts from the Internet.

Port Number
Enter a port number between 1024 and 65535 (8080 is recommended).
Routing
Overview
• If you don't have other Routers or Gateways on your LAN, you can ignore the "Routing" page completely.
• If the LevelOne Broadband VPN Gateway is only acting as a Gateway for the local LAN segment, ignore the "Routing" page even if your LAN has other Routers.
• If your LAN has a standard Router (e.g.
Figure 95: Routing Screen

Data - Routing Screen
RIP
Enable RIP
Check this to enable the RIP (Routing Information Protocol) feature of the LevelOne Broadband VPN Gateway. The LevelOne Broadband VPN Gateway supports RIP 1 only.

Static Routing
Static Routing Table Entries
This list shows all entries in the Routing Table.
Properties
• The "Properties" area shows details of the selected item in the list.
Add
Add a new entry to the Static Routing table, using the data shown in the "Properties" area on screen. The entry selected in the list is ignored, and has no effect.

Update
Update the current Static Routing Table entry, using the data shown in the "Properties" area on screen.

Delete
Delete the current Static Routing Table entry.

Clear Form
Clear all data from the "Properties" area, ready for input of a new entry for the Static Routing table.
Static Routing - Example
Figure 96: Routing Example

For the LevelOne Broadband VPN Gateway's Routing Table
For the LAN shown above, with 2 routers and 3 LAN segments, the LevelOne Broadband VPN Gateway requires 2 entries as follows.

Entry 1 (Segment 1)
Destination IP Address: 192.168.1.0
Network Mask: 255.255.255.0 (Standard Class C)
Gateway IP Address: 192.168.0.
Upgrade Firmware
The firmware (software) in the LevelOne Broadband VPN Gateway can be upgraded using your Web Browser. You must first download the upgrade file, then select Upgrade on the Other menu. You will see a screen like the following.
Figure 97: Upgrade Firmware Screen

To perform the Firmware Upgrade:
1. Click the "Browse" button and navigate to the location of the upgrade file.
2. Select the upgrade file.
UPnP
An example UPnP screen is shown below.
Figure 98: UPNP Screen

Data - UPNP Screen
UPnP
Enable UPnP Services
• UPnP (Universal Plug and Play) allows automatic discovery and configuration of equipment attached to your LAN. UPnP is supported by Windows ME, XP, or later.
• If Enabled, this device will be visible via UPnP.
• If Disabled, this device will not be visible via UPnP.
Allow Configuration...
Allow Internet access to be disabled
Appendix A Troubleshooting
This Appendix covers the most likely problems and their solutions.

Overview
This chapter covers some common problems that may be encountered while using the LevelOne Broadband VPN Gateway and some possible solutions to them. If you follow the suggested steps and the LevelOne Broadband VPN Gateway still does not function properly, contact your dealer for further advice.

General Problems
Problem 1: Can't connect to the LevelOne Broadband VPN Gateway to configure it.
check your Internet connection (DSL/Cable modem etc.) to see that it is working correctly.

Problem 2: Some applications do not run properly when using the LevelOne Broadband VPN Gateway.
Solution 2: The LevelOne Broadband VPN Gateway processes the data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this does not solve the problem, you can use the DMZ function.
Appendix B Specifications

LevelOne Broadband VPN Gateway
Model: FBR-1404TX
Dimensions: 141mm(W) * 100mm(D) * 27mm(H)
Operating Temperature: 0° C to 40° C
Storage Temperature: -10° C to 70° C
Network Protocol: TCP/IP
Network Interface: 5 Ethernet: 4 * 10/100BaseT (RJ45) LAN connection, 1 * 10/100BaseT (RJ45) for WAN
LEDs: 11
Power Adapter: 12V DC External

FCC Statement
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC
FCC Radiation Exposure Statement
This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters between the radiator and your body. This device complies with Part 15 of the FCC Rules.