Twin WAN VPN Gateway CUTTING EDGE INNOVATIONS.
Table of Contents: Introduction; Physical Details; Basic Setup; Features; Configuring your LAN; Connecting Broadband Modems; Configuring for Internet Access; Configuring your LAN PCs; Advanced Port; Port Options; Load Balance; Advanced PPPoE; Advanced PPTP; Advanced Setup; Host IP Setup; Virtual Server; Custom Virtual Server; Special Applications; Dynamic DNS; Multi DMZ; UPnP; Advanced Features; S
Table of Contents: QoS Configuration; VPN Configuration; IPSec Global Setting; Policy Setup; Management Assistant; SNMP; Email Alert; Syslog; Upgrade Firmware; Operation & Status; System Status; Restore Factory Defaults; WAN Status; LAN Status; Advanced LAN Configuration; Existing DHCP Server; Static Routing; Appendices; Appendix A; Appendix B; Appendix C
Chapter 1 - Introduction XC-DPG503 Twin WAN VPN Gateway Chapter Contents • Introduction • Features • Physical Details XiNCOM XC-DPG503 is a VPN capable Dual WAN Gateway with the industry standard IPsec encryption. It provides extremely secure LAN-to-LAN connectivity over the Internet. The 503 supports VPN by encryption, encapsulation, and authentication using the following methods: DES/3DES/AES, MD5, SHA-1 and SHA-2; up to 50 IPsec tunnels are permitted.
Features Figure 1. How it works Solid VPN Security Full VPN Endpoint with support for up to 50 VPN tunnels using the IPSec encryption protocol. Built-in VPN Endpoint Full VPN Endpoint with support for up to 50 VPN tunnels using the IPsec encryption protocol. Multiple Connection Methods All popular DSL and Cable Modems and connection methods are supported, including Fixed IP, Dynamic IP, PPPoE, even multiple-session PPPoE.
Features Other Features: DHCP Server Support Dynamic Host Configuration Protocol provides a dynamic IP address to PCs and other devices upon request. The XC-DPG503 can act as a DHCP Server for devices on your local LAN. Multi Segment LAN Support LANs containing one or more segments are supported via the XC-DPG503’s built-in static routing table. ARP proxy The ARP proxy feature allows you to assign an external (Internet) IP address to the XC-DPG503’s LAN port.
Physical Details Front Panel: Twin WAN VPN Gateway XC-DPG503 Operation of the Front Panel LEDs is as follows: System: Power OFF - No Power. ON - Normal Operation Status OFF - Normal Operation ON - Firmware not loaded or Hardware Error Blinking - Data in/out WAN: LINK/ACT ON - Physical connection to the Broadband modem on WAN port 1/2 established. OFF - No physical connection on WAN port 1/2. 10M/100M ON - Physical connection using 100BaseT on WAN port 1/2 established.
Physical Details Front Panel Status and Error conditions LED Action WAN1 LINK/ACT & 10M/100M LEDs flash alternately. WAN1 LINK/ACT & 10M/100M LEDs flash concurrently. WAN1 LINK/ACT & 10M/100M LEDs solid On WAN2 LINK/ACT & 10M/100M LEDs solid On LAN1 LINK/ACT & 10M/100M LEDs solid On Condition Firmware Download in progress. MAC address not assigned.
Chapter 2 - Basic Setup XC-DPG503 Twin WAN VPN Gateway Chapter Contents • Overview • Procedure 1. Configuring your LAN 2. Connecting Broadband Modems 3. Configuring for Internet Access 4. Configuring your LAN PCs Overview Basic setup of your XC-DPG503 will involve the following steps: 1. Connect the XC-DPG503 to one (1) PC and configure it to your existing LAN. 2. Connecting one or two Broadband Modems to your XC-DPG503. 3. Configuring the XC-DPG503 for Internet Access. 4.
Configuring the XC-DPG503 for your LAN a Procedure Figure 1. Password Dialog 1. Use a standard LAN cable to connect your PC to any LAN port on the XC-DPG503. 2. Connect the power adapter and power up the XC-DPG503. Only use the power adapter provided with the product; using a different one may cause hardware damage. 3. Start your PC or restart your PC if it is already running. Once restarted, the PC will then obtain an IP address from the XC-DPG503. 4. Start your WEB browser. 5.
Configuring the XC-DPG503 for your LAN Ensure these settings are suitable for your LAN: • The default settings are suitable for many situations. • See the following table for details of each setting. Figure 3.
Connecting two broadband modems a Procedure 1. Ensure the XC-DPG503 and the DSL/Cable modem are powered OFF. Leave the modem or modems connected to their data line. 2. Connect the Broadband modem(s) to the XC-DPG503. If using only one (1) Broadband modem, connect it to the “WAN 1” port. Figure 4. Installation Diagram for XC-DPG503 DC 5V WAN2 Reset LAN Ports Broadband Modem WAN1 Broadband Modem 3. Use standard LAN cables to connect PCs to the LAN ports on the XC-DPG503.
Configuring for Internet Access Figure 5. Primary Setup Screen Select Primary Setup from the menu. 1. Configure WAN 1 and/or WAN 2 as required. 2.
Configure PCs on your LAN Overview For each PC, the following may need to be configured: TCP/IP network settings Internet Access configuration TCP/IP Settings When using Windows 95/98/ME/2000/XP and the XC-DPG503’s TCP/IP default settings, no changes need to be made. Just start or reboot your PC. By default, the XC-DPG503 will act as a DHCP Server, automatically providing a suitable IP Address (and related information) to each PC when the PC boots up.
Configure PCs on your LAN For Apple Clients 1. Open the TCP/IP Control Panel. 2. Select Ethernet from the Connect via pop-up menu. 3. Select Using DHCP Server from the Configure pop-up menu. The DHCP Client ID field can be left blank. 4. Close the TCP/IP panel, saving your settings. Note: If using manually assigned IP addresses instead of DHCP, the required changes are: • Set the Router Address field to the XC-DPG02’s IP Address. • Ensure your DNS settings are correct.
Chapter 3 - Advanced Port XC-DPG503 Twin WAN VPN Gateway Chapter Contents • Overview • Port Options • Load Balance • Advanced PPPoE • Advanced PPTP Overview Port Options contains some options which can be set on either or both WAN ports. For most situations, the default values are satisfactory. The Load Balance screen is only functional if you are using both WAN ports. It allows you to determine the proportion of WAN traffic sent through each port.
Port Options Figure 6. Port Options Connection Validation PPPoE / PPTP Connection Options Transparent Bridge Mode Health Check Use this field to select the type of connection validation to perform. When set to ICMP, the XC-DPG503 sends out ICMP echo requests. When set to HTTP, the XC-DPG503 requests web pages. Auto Dialup When set to Enable, a connection will be established whenever outgoing WAN traffic is detected. If not Enabled, you must establish a connection manually.
Load Balance Configuring Load Balancing The Twin WAN line of products uses a session-based Load Balancing algorithm and lets you manage sessions using several different options: Bytes rx+tx By monitoring real time speed of both WAN connections, the XC-DPG503 will establish new sessions on the WAN port with the lower speed. Use this if there is a fairly even speed on both lines and you would like to benefit the most from the speed available.
Advanced PPPoE Figure 8. Advanced PPPoE The screen is required in order to use multiple PPPoE sessions on the same WAN port. It can also be used to manually connect or disconnect a PPPoE session. Settings - Advanced PPPoE WAN Port Select the desired Port and Session, then click the “Select” button. The data for the selected Port/Session will then be displayed in the PPPoE Session WAN IP Account section. WAN IP Account Action Connection Status • User Name – Enter the PPPoE user name assigned by your ISP.
Advanced PPTP Figure 9. Advanced PPTP Settings - Advanced PPTP WAN Port Select the desired Port and click the “Select” button. The data for the selected Port will then be displayed in the WAN IP Account section. WAN IP Account Action Connection Status • User Name – The PPTP user name (login name) assigned by your ISP. • Password – This field is associated with the User Name above. This is assigned by your ISP and used to login to the PPTP Server.
Chapter 4 - Advanced Setup XC-DPG503 Twin WAN VPN Gateway Overview The following advanced features are provided. Chapter Contents • Host IP Setup • Virtual Server • Custom Virtual Server • Special Applications • Dynamic DNS • Multi DMZ • Advanced Features • UPnP Host IP Setup Virtual Server Custom Virtual Server Special Applications Dynamic DNS Multi DMZ Advanced Features UPnP This chapter contains details of the configuration and use of each of these features.
Host IP Host IP This feature is used in the following situations: When you have Multi-Session PPPoE and wish to bind each session to a particular PC on your LAN. When you wish to use the Access Filter feature. This requires that each PC be identified by using the Host IP Setup screen. When you wish to have different Block URL settings for different PCs. This requires that each PC be identified by using the Host IP Setup screen.
Virtual Servers Virtual Servers Figure 10. Virtual Servers This feature allows you to make Servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because: Your Server’s IP address is only valid on your LAN, not on the Internet. Attempts to connect to devices on your LAN are blocked by the firewall in the XC-DPG503.
Custom Virtual Servers Custom Virtual Servers This screen allows you to define your own Server types. This is for situations when the desired Server type is not listed on the Virtual Servers screen. Settings - Custom Virtual Servers Select Custom Server Name Custom Server Configuration Buttons Custom Virtual Server List Server List If creating a new entry, ignore this list. To edit an existing entry, select it, and then click the “Select” button. The screen will update with data for the selected entry.
Special Applications Special Application If you use Internet applications which have non-standard connections or port numbers, you may find that they do not function correctly because they are blocked by the XC-DPG503 firewall. In this case, you can define the application as a “Special Application” in order to make it work. Note that the terms “Incoming” and “Outgoing” on this screen refer to traffic from the client (PC) viewpoint.
Dynamic DNS Dynamic DNS Dynamic DNS is very useful when combined with the Virtual Server feature. It allows Internet users to connect to your Virtual Servers using a URL, rather than an IP Address. This also solves the problem of having a dynamic IP address. With a dynamic IP address, your IP address may change whenever you connect to your ISP. You must register for the Dynamic DNS service. The XC-DPG503 supports 2 types of service providers: Standard client, available at http://www.dyndns.org.
Multi DMZ & UPnP Dynamic DNS This feature allows each WAN port IP address to be associated with one (1) computer on your LAN. All outgoing traffic from that PC will be associated with that WAN port IP address. Any traffic sent to that IP address will be forwarded to the specified PC. This allows unrestricted 2-way communication between the “DMZ PC” and other Internet users or Servers. Note: The “DMZ PC” is effectively outside the Firewall making it more vulnerable to attacks.
Advanced Features Advanced Features NAT – NAT (Network Address Translation) is the technology which allows a number of LAN PCs to share one (1) Internet IP address. Remote Access Configuration – This feature allows you to manage the XC-DPG503 via the Internet. You can restrict access to a specified IP address or address range. External Filters Configuration – These settings determine whether or not the XC-DPG503 should respond to ICMP (ping) requests received from the WAN port.
Advanced Features (continued) Using Remote Web-based Setup To connect to the XC-DPG503 from a remote PC via the Internet: 1. Ensure that both your PC and the XC-DPG503 are connected to the Internet. 2. Start your Web Browser. 3. In the Address bar enter: HTTP:// (Internet IP Address of the XC-DPG503) The Port number is also required. (After the IP Address, enter “:” followed by the port number.) e.g.: HTTP://123.123.123.123:8080 • This example assumes the WAN IP Address is 123.123.123.
Chapter 5 - Security Management XC-DPG503 Twin WAN VPN Gateway Chapter Contents • Block URL • Access Filter • Session Limit • Firewall Exception Overview Block URL - This feature blocks specific web sites by IP address, URL, or keywords. Access Filter - Block all Internet access, well-known ports, or user-defined ports by groups. Session Limit - Eliminate users’ Internet access and send an email alert to the administrator if the device detects new sessions that exceed the maximum sampling time.
Block URL Block URL This feature allows you to block access to undesirable Web sites. You can block by URL, IP address, or Keyword. You can also have different blocking settings for different groups of PCs. Every URL is searched to see if it matches or contains any of the URL or keywords entered here. After a DNS lookup determines the IP address of the requested site, the site’s IP address is checked against IP address entries on this screen. Note that a single IP address may host many Web sites.
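The two-stage check described above (URL/keyword search, then IP comparison after the DNS lookup) can be modelled as follows. This is an added example, not XiNCOM firmware code; the block lists, host names and the offline DNS table are constructed, and `check_request` and `hosts_behind` are hypothetical names. It shows why a keyword or IP entry can block more than the site it was meant for.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed block lists (hypothetical entries, not from the manual).
BLOCKED_TERMS = ["casino", "ads.example.net"]        # URL fragments / keywords
BLOCKED_IPS = {ipaddress.ip_address("203.0.113.10")}

# Constructed stand-in for the DNS lookup so the example runs offline.
# Two unrelated sites share one address, as on shared hosting.
FAKE_DNS = {
    "badsite.example": "203.0.113.10",
    "charity.example": "203.0.113.10",
    "news.example": "198.51.100.7",
}


def check_request(url, resolve=FAKE_DNS.get):
    """Return (allowed, reason) for one outgoing web request."""
    lowered = url.lower()
    # Stage 1: the whole URL is searched for every URL/keyword entry.
    for term in BLOCKED_TERMS:
        if term.lower() in lowered:
            return False, f"url/keyword match: {term}"
    host = urlsplit(url).hostname
    if host is None:
        return False, "unparseable URL"              # fail closed
    # Stage 2: the resolved address is compared with the IP entries.
    try:
        addr = ipaddress.ip_address(host)            # URL used an IP literal
    except ValueError:
        resolved = resolve(host)
        addr = ipaddress.ip_address(resolved) if resolved else None
    if addr in BLOCKED_IPS:
        return False, f"ip match: {addr}"
    return True, "no entry matched"


def hosts_behind(ip, dns=FAKE_DNS):
    """List every known host name that an IP entry would block."""
    return sorted(name for name, a in dns.items() if a == ip)


if __name__ == "__main__":
    for u in ("http://news.example/weather",
              "http://news.example/casino-review",   # keyword hits a news article
              "http://badsite.example/",
              "http://charity.example/donate",       # collateral of the IP entry
              "http://203.0.113.10/"):               # IP literal, no name to match
        print(u, check_request(u))
    print(hosts_behind("203.0.113.10"))
```

Before adding an IP entry, list the names that resolve to it; a keyword entry should be checked the same way against URLs users legitimately need.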
Session Limit & Firewall Exception Session Limit This new feature drops new sessions from both the WAN and LAN side if the number of new sessions exceeds the maximum number of sessions in a sampling time. Settings - Session Limit Firewall Exception System Firewall Exception Rules: Any received packet that matches these rules is not processed by the Firewall or NAT module, but is processed directly by the system protocol stack.
Chapter 6 - QoS Configuration Overview The XC-DPG503 provides QoS, which supports a high quality of network service. Classifying outgoing packets based on user-defined policies allows real-time applications to get better response or performance. XC-DPG503 Twin WAN VPN Gateway Chapter Contents Settings - QoS Setup QoS Feature • Enable QoS – This enables the QoS function. • Queuing Method – The method used to manage the queue: Priority queuing.
Chapter 7 - VPN Configuration XC-DPG503 Twin WAN VPN Gateway Chapter Contents • Overview • IPSec Global Setting • Policy Setup Overview Virtual Private Network (VPN) uses encryption to connect computers over a public network such as the Internet. Encrypted connections between computers are commonly referred to as a tunnel. These secure tunnels permit sending private data from one computer to another without the risk of unauthorized access from outside intruders.
IPSec Global Settings IPSec Global Setting IP Global Setting Enable Enabling either WAN 1, WAN 2, or both will start the VPN global setting. ISAKMP Port Internet Security Association and Key Management Protocol (ISAKMP) is designed to negotiate, establish, modify, and delete security associations and their attributes. It was assigned UDP port 500 by the IANA. Phase 1 DH Group Use DH Group 1 (768-bit), DH Group 2 (1024-bit), or Group 5 (1536-bit) to generate IPSec SA keys.
Policy Setup VPN Policy Setup IPSec Traffic Binding VPN Tunnel List It shows the tunnels that you have entered. The router can set up as many as 50 tunnels. Tunnel Name This distinguishes different “tunnels” by name. Tunnel The tunnel can only be connected when the Enable check box is selected. WAN port You can choose WAN1, WAN2 or Any to make the VPN connection. PPPoE Session Some ISPs offer multiple sessions when using PPPoE to make the VPN connection. You can select these PPPoE sessions to construct VPN tunnels.
Policy Setup VPN Policy Setup (continued) Key Management Key - Key Type: There are two key types (manual key and auto key) available for key exchange management. Manual Key: If manual key is selected, no key negotiation is needed. Encryption Key - This field specifies a key to encrypt and decrypt IP traffic. Authentication Key - This field specifies a key used to authenticate IP traffic. Inbound/outbound SPI (Security Parameter Index) is carried in the ESP header.
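The VPN pages above offer DES/3DES/AES, MD5/SHA-1/SHA-2, DH Groups 1, 2 and 5, and manual or auto keys, and a LAN-to-LAN tunnel needs both gateways set the same way. The following is an added example, not part of the manual or the device firmware: it reviews a planned tunnel policy before it is typed into the Policy Setup screen. The dictionary field names and both sample policies are constructed, and the weakness notes are the editor's assessment of those algorithms.

```python
# Options named on the manual's VPN pages, with a reason when a choice is weak.
WEAK = {
    "encryption": {
        "DES": "56-bit key, brute-forceable",
        "3DES": "64-bit block cipher, deprecated",
    },
    "authentication": {
        "MD5": "collision-broken hash, deprecated",
        "SHA-1": "deprecated",
    },
    "dh_group": {
        1: "768-bit modulus",
        2: "1024-bit modulus",
    },
}

# Strongest choice for each field among the options the manual lists.
STRONGEST = {"key_type": "auto", "encryption": "AES",
             "authentication": "SHA-2", "dh_group": 5}


def audit(policy):
    """Return a list of findings for one gateway's tunnel policy."""
    findings = []
    if policy["key_type"] == "manual":
        findings.append("key_type=manual: static keys, no negotiation or rekeying")
    for field, weak in WEAK.items():
        value = policy[field]
        if value in weak:
            findings.append(f"{field}={value}: {weak[value]}; use {STRONGEST[field]}")
    if policy["dh_group"] == 5:
        # Still the best option on this device, so report it as a residual risk.
        findings.append("dh_group=5: 1536-bit, largest offered but under 2048 bits")
    return findings


def mismatches(local, remote):
    """Fields on which the two tunnel endpoints disagree."""
    return sorted(f for f in STRONGEST if local[f] != remote[f])


# Constructed sample policies for the two ends of one tunnel.
SITE_A = {"key_type": "auto", "encryption": "DES",
          "authentication": "MD5", "dh_group": 1}
SITE_B = {"key_type": "auto", "encryption": "3DES",
          "authentication": "MD5", "dh_group": 2}

if __name__ == "__main__":
    for name, policy in (("site A", SITE_A), ("site B", SITE_B)):
        for finding in audit(policy):
            print(name, "-", finding)
    print("endpoints differ on:", mismatches(SITE_A, SITE_B))
```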
Chapter 8 - Management Assistant XC-DPG503 Twin WAN VPN Gateway Chapter Contents • SNMP • Email Alert • Syslog • Upgrade Firmware SNMP - Simple Network Management Protocol This section is to complement any SNMP (Simple Network Management Protocol) software installed on your PC. If you have SNMP software, you can use a standard MIB II file with the XC-DPG503.
Management Assistant Email Alert (continued) Email (SMTP) Server Address This field sets the address of the email server that the warning email will be sent to. (Email Alert must be enabled) For example: mail.domain.com Email Recipient Address This field sets the email address that the warning email will be sent to. This is usually the system administrator email address. For example: admin@mail.domain.com Excessive Ping Notification This feature is useful to prevent ICMP attacks from WAN or LAN.
Management Assistant Admin Password Screen Upgrade Firmware The password screen allows you to assign a password to the XC-DPG503. Using the TFTP Utility (Recommended) The XC-DPG503 Twin WAN Router supports the Trivial File Transfer Protocol (TFTP). This is mainly used to upload the firmware to the device. It can also be used to save and upload the configuration and reset the router to defaults.
Management Assistant Example of how to configure to save file. Restoring Saved Configuration Once you have updated your firmware you are able to upload a previously saved configuration. To upload a previously saved configuration: 1. Open the TFTP utility by double-clicking on it. 2. Enter the router’s IP address (Default is: 192.168.1.1) 3. Click the Browse button and select the configuration file.
Chapter 9 - Operation & Status XC-DPG503 Twin WAN VPN Gateway Chapter Contents • System Status • Restore Factory Defaults • WAN Status • LAN Status Operation & Status Overview Once both the XC-DPG503 and the PCs are configured, operation is automatic. However, there are some situations where additional Internet configuration may be required (Refer to Chapter 4 - Advanced Features for further details) System Status WAN Information Connection Status – Current status – either “Connected” or “Not connected”.
Operation & Status Restore Factory Defaults When the “Restore Factory Defaults” button on the Status screen above is clicked, the following screen is displayed. If the “Restore Default Value” button on this screen is clicked: • ALL of your settings will be erased. • The default IP address, password and ALL other settings will be restored to the factory default values. • The DHCP server function will be enabled.
Chapter 10 - Advanced LAN Configuration XC-DPG503 Twin WAN VPN Gateway Chapter Contents • Overview • Existing DHCP Server • Static Routing Overview These settings are provided to deal with non-standard situations or to provide additional options for advanced users. Existing DHCP Server If your LAN already has a DHCP Server, and you wish to continue using it, the following configuration is required. The DHCP Server function in the XC-DPG503 must be disabled. This setting is on the LAN & DHCP screen.
Advanced LAN Configuration Static Routing This section is only relevant if your LAN has other Routers or Gateways. If you do not have other Routers or Gateways on your LAN, skip the Static Routing page. If your LAN has other Gateways and Routers, you must configure the Static Routing screen as described below. You also need to configure the other Routers. Note: If there is an entry or entries in the Routing table with an Index of zero ( 0 ), these are System entries.
Advanced LAN Configuration Configuring other Routers on your LAN All traffic for devices not on the local LAN must be forwarded to the XC-DPG503 so that it can be forwarded to the Internet. This is done by configuring other Routers to use the XC-DPG503 as the Default Route or Default Gateway, as illustrated by the example below: Configuration settings for the LAN shown with 2 routers and 3 LAN segments, the XC-DPG503 requires 2 entries as follows.
Appendices XC-DPG503 Twin WAN VPN Gateway Chapter Contents • Appendix A - Specifications • Appendix B - Windows TCP/IP Setup • Appendix C - Troubleshooting Appendix A Specifications Model XC-DPG503 Dimensions 245mm (W) x 137mm (D) x 30mm (H) Operating Temperature 0° C to 40° C Storage Temperature -10° C to 70° C Network Protocol TCP/IP Network Interface 6 Ethernet: 4 x 10/100BaseT (RJ45) auto-Switching Hub ports for LAN devices 2 x 10/100BaseT (RJ45) for WAN LEDs 8 LAN 4 WAN 1 Status 1 Power
Appendices Appendix B Windows TCP/IP Setup TCP/IP Settings If using the default XC-DPG503 settings, and the default Windows 95/98/ ME/2000 TCP/IP settings, no changes need to be made. By default, the XC-DPG503 will act as a DHCP Server and automatically provide a suitable IP Address (and related information) to each PC when the PC boots. For all non-Server versions of Windows, the default TCP/IP setting is to act as a DHCP client. Figure B.
Appendices On the DNS Configuration tab, ensure Enable DNS is selected. If the DNS Server Search Order list is empty, enter the DNS address provided by your ISP in the fields beside the Add button, then click Add. 3. Select the TCP/IP protocol for your network card. 4. Click on the Properties button. You should then see a screen like the following. Figure D. DNS Tab (Windows 95/98) Checking TCP/IP Settings - Windows 2000: 1. Select Control Panel - Network and Dial-up Connection. 2.
Appendices Checking TCP/IP Settings - Windows XP: 1. Select Control Panel - Network Connection. 2. Right click the Local Area Connection and choose Properties. You should see a screen like the following: Figure G. Network Configuration (Windows XP) 3. Select the TCP/IP protocol for your network card. 4. Click on the Properties button. You should then see a screen like the following: Figure H. TCP/IP properties (Windows XP) 5. Ensure your TCP/IP settings are correct. Using DHCP
Appendices Appendix C Troubleshooting Overview This chapter covers some common problems that may be encountered while using the XC-DPG503 and some possible solutions to them. If you follow the suggested steps and the XC-DPG503 still does not function properly, contact XiNCOM for further advice. General Problems Problem: I can’t connect to the XC-DPG503 to configure it. Solution: Check the following: The XC-DPG503 is properly installed, LAN connections are OK, and the device is powered ON.