Planet VRT-401 User Manual

Broadband VPN Router


Networking & Communication
Broadband VPN Router
VRT-401
User's Manual


Summary of Contents for Planet VRT-401

  • Page 1 Networking & Communication Broadband VPN Router VRT-401 User's Manual...
  • Page 2: CE Mark Warning

    PLANET Technology. Disclaimer PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose.
  • Page 3: Table Of Contents

    CHAPTER 1 INTRODUCTION ... 1 VRT-401 Features ... 1 Package Contents ... 3 Physical Details ... 4 CHAPTER 2 INSTALLATION ... 6 Requirements ... 6 Procedure... 6 CHAPTER 3 SETUP ... 8 Overview ... 8 Configuration Program... 9 Config Wizard ... 11 LAN Screen ...
  • Page 4 Remote Administration... 111 Routing... 112 Firmware Upgrade... 116 UPNP ... 117 APPENDIX A TROUBLESHOOTING ... 118 Overview ... 118 General Problems... 118 Internet Access... 118 APPENDIX B SPECIFICATIONS... 120 VRT-401 ... 120 FCC Statement... 120 CE Marking Warning ... 121...
  • Page 5: Chapter 1 Introduction

    Internet Access Features Shared Internet Access. through VRT-401, using only a single external IP Address. The local (invalid) IP Addresses are hidden from external sources. This process is called NAT (Network Address Translation).
  • Page 6: Advanced Internet Functions

    LAN. DHCP Server Support. dynamic IP address to PCs and other devices upon request. VRT-401 can act as a DHCP Server for devices on your local LAN and WLAN. Multi Segment LAN Support.
  • Page 7: Package Contents

    PC is hidden. From the external viewpoint, there is no network, only a single device - VRT-401. Stateful Inspection Firewall. incoming server requests are filtered, thus protecting your network from malicious attacks from external sources.
  • Page 8: Physical Details

    VRT-401 User Manual Physical Details Front-mounted LEDs Power On - Power on. Off - No power. Status (Red) On - Error condition. Off - Normal operation. Blinking - This LED blinks during start up. For each port, there are 2 LEDs...
  • Page 9: Rear Panel

    2. Hold the Reset Button down while you Power On. 3. Keep holding the Reset Button for a few seconds, until the 4. Release the Reset Button. VRT-401 is now using the Connect the DSL or Cable Modem here. If your modem came WAN port with a cable, use the supplied cable.
  • Page 10: Chapter 2 Installation

    Ensure VRT-401 and the DSL/Cable modem are powered OFF. 2. Connect LAN Cables Use standard LAN cables to connect PCs to the Switching Hub ports on VRT-401. Both 10BaseT and 100BaseT connections can be used simultaneously. If required, you can connect any LAN port to another Hub. Any LAN port on VRT-401 will automatically function as an "Uplink"...
  • Page 11 Internet access, but will NOT be able to access the rest of the LAN. 3. Connect WAN Cable Connect the DSL or Cable modem to the WAN port on VRT-401. Use the cable supplied with your DSL/Cable modem. If no cable was supplied, use a standard cable.
  • Page 12: Chapter 3 Setup

    PCs on your local LAN may also require configuration. For details, see Chapter 4 - PC Configuration. Other configuration may also be required, depending on which features and functions of VRT-401 you wish to use. Use the table below to locate detailed instructions for the required functions. To Do this: Configure PCs on your LAN.
  • Page 13: Configuration Program

    Using your Web Browser To establish a connection from your PC to VRT-401: 1. After installing VRT-401 in your LAN, start your PC. If your PC is already running, restart it. Chapter 9: Other Features and Set-...
  • Page 14 VRT-401 User Manual 2. Start your WEB browser. 3. In the Address box, enter "HTTP://" and the IP Address of VRT-401, as in this example, which uses VRT-401's default IP Address: HTTP://192.168.0.1 If you can't connect If VRT-401 does not respond, check the following: VRT-401 is properly installed, LAN connection is OK, and it is powered ON.
  • Page 15: Config Wizard

    Config Wizard The first time you connect to VRT-401, the Config Wizard will run automatically. (The Setup Wizard will also run if VRT-401's default settings are restored.) 1. Step through the Wizard until finished. You need to know the type of Internet connection service used by your ISP.
  • Page 16 VRT-401 User Manual PPTP Other Modems (e.g. Broadband Wireless) Type Dynamic IP Address Static (Fixed) IP Address Big Pond Cable (Australia) For this connection method, the following data is required: User Name Password Big Pond Server IP address SingTel RAS...
  • Page 17: Home Screen

    Home Screen After finishing or exiting the Setup Wizard, you will see the Home screen. When you connect in future, you will see this screen when you connect. An example screen is shown below. Navigation & Data Input Use the menu bar on the top of the screen, and the "Back" button on your Browser, for navigation.
  • Page 18: LAN Screen

    Data - LAN Screen TCP/IP IP Address: IP address for VRT-401, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range. In the latter case, enter an unused IP Address from within the range used by your LAN.
  • Page 19 DHCP Server, rather than VRT-401's, the following procedure is required. 1. Disable the DHCP Server feature in VRT-401. This setting is on the LAN screen. 2. Configure the DHCP Server to provide VRT-401's IP Address as the Default Gateway.
  • Page 20: Chapter 4 PC Configuration

    This section describes how to configure Windows clients for Internet access via VRT-401. The first step is to check the PC's TCP/IP settings. VRT-401 uses the TCP/IP network protocol for all functions, so it is essential that the TCP/IP protocol be installed and configured on each PC. TCP/IP Settings - Overview If using default VRT-401 settings, and the default Windows TCP/IP settings, no changes need to be made.
  • Page 21 Using DHCP To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, VRT-401 will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from VRT-401.
  • Page 22 VRT-401 User Manual On the Gateway tab, enter VRT-401's IP address in the New Gateway field and click Add, as shown below. Your LAN administrator can advise you of the IP Address they assigned to VRT-401. Figure 10: Gateway Tab (Win 95/98) On the DNS Configuration tab, ensure Enable DNS is selected.
  • Page 23 PC Configuration Checking TCP/IP Settings - Windows NT4.0 1. Select Control Panel - Network, and, on the Protocols tab, select the TCP/IP protocol, as shown below. Figure 12: Windows NT4.0 - TCP/IP 2. Click the Properties button to see a screen like the one below.
  • Page 24 If your PC is already configured, check with your network administrator before making the following changes. 1. The Default Gateway must be set to the IP address of VRT-401. To set this: Click the Advanced button on the screen above.
  • Page 25 PC Configuration Figure 14 - Windows NT4.0 - Add Gateway 2. The DNS should be set to the address provided by your ISP, as follows: Click the DNS tab. On the DNS screen, shown below, click the Add button (under DNS Service Search Order), and enter the DNS provided by your ISP.
  • Page 26 VRT-401 User Manual Figure 15: Windows NT4.0 - DNS...
  • Page 27 PC Configuration Checking TCP/IP Settings - Windows 2000: 1. Select Control Panel - Network and Dial-up Connection. 2. Right - click the Local Area Connection icon and select Properties. You should see a screen like the following: Figure 16: Network Configuration (Win 2000) 3.
  • Page 28 If your PC is already configured, check with your network administrator before making the following changes. Enter VRT-401's IP address in the Default gateway field and click OK. (Your LAN administrator can advise you of the IP Address they assigned to VRT-401.) If the DNS Server fields are empty, select Use the following DNS server addresses, and enter the DNS address or addresses provided by your ISP, then click OK.
  • Page 29 PC Configuration Checking TCP/IP Settings - Windows XP 1. Select Control Panel - Network Connection. 2. Right click the Local Area Connection and choose Properties. You should see a screen like the following: Figure 18: Network Configuration (Windows XP) 3. Select the TCP/IP protocol for your network card. 4.
  • Page 30 If your PC is already configured, check with your network administrator before making the following changes. In the Default gateway field, enter VRT-401's IP address and click OK. Your LAN administrator can advise you of the IP Address they assigned to VRT-401.
  • Page 31 "VRT-401 ". Click Edit Location. Select TCP/IP for the Network field. (Leave the Phone Number blank.) Click Save, then OK. Configuration is now complete. Before clicking "Sign On", always ensure that you are using the "VRT-401 " location. PC Configuration...
  • Page 32: Macintosh Clients

    Set the Router Address field to VRT-401's IP Address. Ensure your DNS settings are correct. Linux Clients To access the Internet via VRT-401, it is only necessary to set VRT-401 as the "Gateway". Ensure you are logged in as "root" before attempting any changes.
  • Page 33: Chapter 5 Operation And Status

    Features for further details. Applications that use non-standard connections or port numbers may be blocked by VRT-401's built-in firewall. You can define such applications as Special Applications to allow them to function normally. Refer to Chapter 6 - Internet Features for further details.
  • Page 34 IP addresses allocated to them, use the PC Database option on the Advanced menu. This displays the current name of VRT-401. The current version of the firmware installed in VRT-401. Clicking this button will open a Window which lists all system details and settings.
  • Page 35: Connection Status - PPPoE

    Connection Status - PPPoE If using PPPoE (PPP over Ethernet), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data - PPPoE Screen Connection Physical Address IP Address Network Mask PPPoE Link Status Figure 21: PPPoE Status Screen The hardware address of this device, as seen by remote devices on the Internet.
  • Page 36 VRT-401 User Manual Connection Log Connection Log Buttons Connect Disconnect Clear Log Refresh Connection Log Messages Message Connect on Demand Manual connection Reset physical connection Connecting to remote server Remote Server located Start PPP PPP up successfully Idle time-out reached...
  • Page 37 Error: Invalid or unknown packet type The data received from the ISP's Server could not be processed. This could be caused by data corruption (from a bad link), or the Server using a protocol which is not supported by this device. Operation and Status...
  • Page 38: Connection Status - PPTP

    VRT-401 User Manual Connection Status - PPTP If using PPTP (Peer-to-Peer Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data - PPTP Screen Connection Physical Address: The hardware address of this device, as seen by remote devices on the Internet.
  • Page 39: Connection Status - Telstra Big Pond

    Buttons Connect: If not connected, establish a connection to your ISP. Disconnect: If connected to your ISP, hang up the connection. Clear Log: Delete all data currently in the Log. This will make it easier to read new messages. Refresh: Update the data on screen. Connection Status - Telstra Big Pond An example screen is shown below.
  • Page 40: Connection Details - SingTel RAS

    VRT-401 User Manual Connection Status: This indicates whether or not the connection is currently established. Connection Log Connection Log Buttons Connect: If not connected, establish a connection to Telstra Big Pond. If connected to Telstra Big Pond, terminate the connection.
  • Page 41 "Renew" button will attempt to re-establish the connection and obtain an IP Address from the ISP's DHCP Server. If an IP Address has been allocated to VRT-401 (by the ISP's DHCP Server), this button will say "Release". Clicking the "Release" button will break the connection and release the IP Address.
  • Page 42: Connection Details - Fixed/Dynamic Ip Address

    VRT-401 User Manual Connection Details - Fixed/Dynamic IP Address If your access method is "Direct" (no login), a screen like the following example will be displayed when the "Connection Details" button is clicked. Figure 25: Connection Details - Fixed/Dynamic IP Address...
  • Page 43 "Renew" button will attempt to re-establish the connection and obtain an IP Address from the ISP's DHCP Server. If an IP Address has been allocated to VRT-401 (by the ISP's DHCP Server), this button will say "Release". Clicking the "Release" button will break the connection and release the IP Address.
  • Page 44: Chapter 6 Internet Features

    Chapter 6 Internet Features This Chapter explains when and how to use VRT-401's "Internet" Features. Overview The following advanced features are provided. Advanced Internet Communication Applications Special Applications URL filter Dynamic DNS Virtual Servers Options Advanced Internet Screen This screen allows configuration of all advanced features relating to Internet access.
  • Page 45: Communication Applications

    Communication Applications Most applications are supported transparently by VRT-401. But sometimes it is not clear which PC should receive an incoming connection. This problem could arise with the Communication Applications listed on this screen. If this problem arises, you can use this screen to set which PC should receive an incoming connection, as described below.
  • Page 46 VRT-401 User Manual Figure 27: Special Applications Screen Data - Special Applications Screen Checkbox: Use this to Enable or Disable this Special Application as required. Name: Enter a descriptive name to identify this Special Application. Type - Select the protocol (TCP or UDP) used when you receive Incoming data from the special application or service.
  • Page 47: URL Filter

    If an application still cannot function correctly, try using the "DMZ" feature. This feature, if enabled, allows one (1) computer on your LAN to be exposed to all users on the Internet, allowing unrestricted 2-way communication between the "DMZ PC" and other Internet users or Servers. This allows almost any application to be used on the "DMZ PC".
  • Page 48 VRT-401 User Manual URL Filter Screen Click the "Configure URL Filter" button on the Advanced Internet screen to access the URL Filter screen. An example screen is shown below. Data - URL Filter Screen Filter Strings Current Entries: This lists any existing entries. If you have not entered any values, this list will be empty.
  • Page 49: Dynamic DNS (Domain Name Server)

    Domain name. 3. Enter your data from www.dyndns.org in VRT-401's DDNS screen. 4. VRT-401 will then automatically ensure that your current IP Address is recorded at http://www.dyndns.org 5. From the Internet, users will be able to connect to your Virtual Servers (or DMZ PC) using your Domain name, as shown on this screen.
  • Page 50 VRT-401 User Manual Data - Dynamic DNS Screen DDNS Service DDNS Service DDNS Data User Name: Enter the "User name" specified at the www.dyndns.org Web site when you registered. Password: Enter your current password for www.dyndns.org Domain Name DDNS Status This message is returned by the DDNS Server at www.dyndns.org...
  • Page 51: Virtual Servers

    Virtual Servers This feature allows you to make Servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because: Your Server does not have a valid external IP Address. Attempts to connect to devices on your LAN are blocked by the firewall in this device.
  • Page 52: Virtual Servers Screen

    VRT-401 User Manual Using the DMZ port for Virtual Servers You should connect your Virtual Servers to the DMZ port, for the following reasons: Traffic passing between the DMZ and LAN passes through the firewall. The firewall will protect your LAN if your Server is compromised and used to launch an attack on your LAN.
  • Page 53: Options

    Defining your own Virtual Servers If the type of Server you wish to use is not listed on the Virtual Servers screen, you can use the Firewall Rules to allow particular incoming traffic and forward it to a specified PC (Server). Connecting to the Virtual Servers Once configured, anyone on the Internet can connect to your Virtual Servers.
  • Page 54 VRT-401 User Manual MTU size: MTU (Maximum Transmission Unit) value should only be changed if advised to do so by Technical Support. Enter a value between 1 and 1500. This device will still auto-negotiate with the remote server, to set the MTU size. The smaller of the 2 values (auto-negotiated, or entered here) will be used.
  • Page 55: Chapter 7 Security Configuration

    Services Admin Login The Admin Login screen allows you to assign a user name and password to VRT-401. 1. The default login name is "admin". Change this to the desired value. 2. The default password is blank (no password). Enter the desired password in the New Password and Verify Password fields.
  • Page 56 VRT-401 User Manual Figure 34: Password Dialog Enter the "User Name" and "Password" you set on the Admin Login screen above.
  • Page 57: Access Control

    Access Control This feature is accessed by the Access Control link on the Security menu. The Access Control feature allows administrators to restrict the level of Internet Access available to PCs on your LAN. With the default settings, everyone has unrestricted Internet access.
  • Page 58 VRT-401 User Manual Data - Access Control Screen Group Group: Select the desired Group. The screen will update to display the settings for the selected Group. Groups are named "Default", "Group 1", "Group 2", "Group 3" and "Group 4", and cannot be re-named.
  • Page 59 View Log: Click this to open a sub-window where you can view the "Access Control" log. This log shows attempted Internet accesses which have been blocked by the Access Control feature. Clear Log Click this to clear and restart the "Access Control" log, making new entries easier to read.
  • Page 60: Group Members Screen

    VRT-401 User Manual Group Members Screen This screen is displayed when the Members button on the Access Control screen is clicked. Use this screen to add or remove members (PCs) from the current group. The "Del >>" button will remove the selected PC (in the Members list) from the current group.
  • Page 61 Security Configuration...
  • Page 62: Firewall Rules

    VRT-401 User Manual Firewall Rules For normal operation and LAN protection, it is not necessary to use this screen. The Firewall will always block DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you can not use it - the service is unavailable.
  • Page 63 Data - Firewall Rules Screen Rule List View Rules for ..: Select the desired option; the screen will update and list any current rules. If you have not defined any rules, the list will be empty. For each rule, the following data is shown: Data To add a new rule, click the "Add"...
  • Page 64 VRT-401 User Manual Define Firewall Rule Clicking the "Add" button in the Firewall Rules screen will display a screen like the example below. Data - Define Firewall Rule Screen Name Type Source IP Figure 38: Define Firewall Rule Enter a suitable name for this rule.
  • Page 65 Dest IP: These settings determine which traffic, based on their destination IP address, is covered by this rule. Select the desired option: Services: Select the desired Service or Services. This determines which packets are covered by this rule, based on the protocol (TCP or UDP) and port number.
  • Page 66: Logs

    Since only a limited amount of log data can be stored in VRT-401, log data can also be E-mailed to your PC or sent to a Syslog Server.
  • Page 67 Access Control: If enabled, the log will include attempted outgoing connections which have been blocked by the "Access Control" feature. Firewall Rules: If enabled, the log will include details of packets blocked by user-defined Firewall rules. Logging can be set for each rule individually.
  • Page 68 VRT-401 User Manual Select the logs you wish to be included. Include...
  • Page 69: Security Options

    Security Options This screen allows you to set Firewall and other security-related options. Data - Security Options Screen SPI Firewall Enable DoS Firewall: If enabled, DoS (Denial of Service) attacks will be detected and blocked. The default is enabled. It is strongly recommended that this setting be left enabled.
  • Page 70 Allow TFTP firmware upgrade: If enabled, TFTP (Trivial FTP) connections can be made to this device. If checked, VRT-401 will respond to ICMP packets received from the Internet. If not checked, ICMP packets from the Internet will be ignored. Disabling this option provides a slight increase in security.
  • Page 71: Scheduling

    Scheduling This schedule can be (optionally) applied to any Access Control Group. Blocking will be performed during the scheduled time (between the "Start" and "Finish" times.) Two (2) separate sessions or periods can be defined. Times must be entered using a 24 hr clock. If the time for a particular day is blank, no action will be performed.
  • Page 72: Services

    VRT-401 User Manual Services Services are used in defining traffic to be blocked or allowed by the Access Control or Firewall Rules features. Many common Services are pre-defined, but you can also define your own services if required. To view the Services screen, select the Services link on the Security menu.
  • Page 73 service. Buttons Delete: Delete the selected service from the list. Add a new entry to the Service list, using the data shown in the "Add New Service" area on screen. Cancel: Clear the "Add New Service" area, ready for entering data for a new Service.
  • Page 74: Chapter 8 Vpn

    Transport Mode - the payload (data) part of the packet is encapsulated through encryption but the IP header remains in the clear (unchanged). VRT-401 does NOT support Transport Mode. Tunnel Mode - everything is encapsulated, including the original IP header, and a new IP header is generated.
  • Page 75 Phase I is the negotiation and establishment of the IKE connection. Phase II is the negotiation and establishment of the IPsec connection. Because the IKE and IPsec connections are separate, they have different SAs (security associations). Policies VPN configuration settings are stored in Policies.
  • Page 76: Common Vpn Situations

    In this situation, the PC must run appropriate VPN client software in order to connect, via the Internet, to VRT-401. Once connected, the client PC has the same access to LAN resources as PCs on the local LAN (unless restricted by the network administrator).
  • Page 77 Connecting 2 LANs via VPN Figure 45: Connecting 2 VPN Gateways This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN. The 2 LANs MUST use different IP address ranges. The VPN Policies at each end determine when a VPN tunnel will be established, and what systems on the remote LAN can be accessed once the VPN connection is established.
  • Page 78: Vpn Configuration

    VRT-401 User Manual VPN Configuration This section covers the configuration required on VRT-401 when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies). Details of using Certificates are covered in a later section. VPN Policies Screen To view this screen, select VPN Policies from the VPN menu. This screen lists all existing VPN policies.
  • Page 79 Operations To add a new policy, click the "Add" button. See the following section for details. Edit: To Edit or modify an existing policy, select it and click the "Edit" button. Move: There are 2 ways to change the order of policies: Use the up and down indicators on the right to move the selected row.
  • Page 80 VRT-401 User Manual Otherwise, click Next to continue. You will see a screen like the following. General Settings Policy Name Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies.
  • Page 81 Figure 49: VPN Wizard - Traffic Selector For outgoing VPN connections, these settings determine which traffic will cause a VPN tunnel to be created, and which traffic will be sent through the tunnel. For incoming VPN connections, these settings determine which systems on your local LAN will be available to the remote endpoint.
  • Page 82 VRT-401 User Manual Remote IP addresses Type The remote VPN should have these IP addresses entered as its "Local" addresses. 3. Click Next to continue. The screen you will see depends on whether you previously selected "Manual Key Exchange" or "IKE".
  • Page 83 These settings must match the remote VPN. Note that you cannot use both AH and ESP. Manually assigned Keys AH Authentication: AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. (AH is often NOT used) If AH is not enabled, the following settings can be ignored. Keys ESP Encryption: ESP (Encapsulating Security Payload) provides security for...
  • Page 84 VRT-401 User Manual For Manual Key Exchange, configuration is now complete. Click "Next" to view the final screen. On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard. IKE Phase 1 If you selected IKE, the following screen is displayed after the Traffic Selector screen.
  • Page 85 Authentication Encryption: Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower. IKE Exchange: Select the desired option, and ensure the remote VPN endpoint uses the same mode.
  • Page 86 VRT-401 User Manual IKE Phase 2 (IPsec SA) IPsec SA Life Time: This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds.
  • Page 87: Examples

    Examples This section describes some examples of using VRT-401 in common VPN situations. Example 1: Connecting 2 VRT-401s In this example, 2 LANs are connected via VPN. Note The LANs MUST use different IP address ranges. Both endpoints have fixed WAN (Internet) IP addresses.
  • Page 88 VRT-401 User Manual Pre-shared Key Xxxxxxxxxx IKE Authentication algorithm IKE Encryption IKE Exchange mode Main Mode DH Group Group 1 (768 bit) IKE SA Life time 28800 IKE PFS Disable IPSec SA Parameters IPSec SA Life time 28800 IPSec PFS...
  • Page 89 Example 2: Windows 2000/XP Client to LAN In this example, a Windows 2000/XP client connects to VRT-401 and gains access to the local LAN. Figure 54: Windows 2000/XP Client to VRT-401 To use 3DES encryption, you need Service Pack 3 or later installed on Windows 2000.
  • Page 90 VRT-401 User Manual mode DH Group Group 1 (768 bit) IKE SA Life time 28800 IKE PFS Disable IPSec SA Parameters IPSec SA Life time 28800 IPSec PFS Disable AH authentication Disabled ESP authentication Enable/MD5 ESP encryption Enable/DES Windows Client Configuration 1.
  • Page 91 Figure 56: Windows 2000/XP - Policy Properties Note that no rules are in use. Two (2) rules are required - incoming and outgoing. The outgoing rule will be added first. 6. Deselect the "Use Add Wizard" checkbox, then click "Add" to view the screen below.
  • Page 92 VRT-401 User Manual Figure 58: Filter Properties: Addressing 8. Enter the Source IP address and the Destination IP address. Since this is the outgoing filter, the Source IP address is "My IP address" and the Destination IP address is the address range used on the remote LAN.
  • Page 93 Figure 60: New Rule Properties: Filter Action 11. Select Require Security, then click the "Edit" button, to view the Require Security Properties screen. Figure 61: Require Security Properties 12. Select Negotiate security (this selects IKE), then click "Add".
  • Page 94 VRT-401 User Manual 13. On the resulting screen (above), select High [ESP] then click "OK" to save your changes and return to the Require Security Properties screen. Figure 63: Require Security Properties 14. Ensure the following settings are correct, then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.
  • Page 95 15. Click the Tunnel Setting tab, then select The tunnel endpoint is specified by this IP address. Enter the WAN (Internet) IP address of VRT-401, as shown below. 16. Click the Authentication Methods tab, then click the "Edit" to see the screen like the example below.
  • Page 96 19. Click "Close" to return to the DUT to Win2K properties screen. The "To DUT" filter should now be listed, as shown below. Figure 66: Windows 2000/XP Client to VRT-401 20. To add the second (outgoing) rule, click "Add". For the name, enter "To Win2K", then click "Add".
  • Page 97 Figure 68: Filter Properties: Addressing 22. Click "OK" to save your changes, then "Close". Figure 69: Filter List 23. Ensure the "To Win2K" filter is selected, then click the Filter Action tab.
  • Page 98 VRT-401 User Manual 24. Select Require Security, then click "Edit". On the Require Security Methods screen below, select Negotiate security. 25. Click the "Add" button. On the resulting Modify Security Method screen below, select High [ESP]. Figure 70: Filter Action...
  • Page 99 26. Click "OK" to save your changes, then click "OK" again to return to the Filter Action screen. 27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (172.10..9.10 in this example). 28. Select the Authentication Methods tab, and click the "Edit" button to see the screen below.
  • Page 100 VRT-401 User Manual 29. Select Use this string to protect the key exchange (preshared key), then enter your preshared key in the field provided. 30. Click "OK" to save your settings, then "Close" to return to the DUT to Win2K Properties screen.
  • Page 101 Figure 76: Properties - General Tab 32. Click the "Advanced" button to see the screen below. Figure 77: Key Exchange Settings 33. Click the "Methods" button to see the screen below.
  • Page 102 36. Click "OK" to save, then "OK" again, and then "Close" to return to the Local Security Settings screen. 37. Right click the DUT to Win2K Policy and select "Assign" to make your policy active. Figure 80: Windows 2000/XP Client to VRT-401 Configuration is now complete. Figure 79: IKE Security Algorithms...
  • Page 103 Example 3: Windows 2000 Server to VPN Gateway In this example, a Windows 2000 Server connects to VRT-401. Users on each LAN can then gain access to the remote LAN. Figure 81: VRT-401 to Windows 2000 Server VRT-401 Configuration This is the same as for the client setup earlier, with the exception of the IP address range for the remote endpoint.
  • Page 104 The Source Address should be set to "A specific IP Subnet", and the IP address and Subnet mask set to the address range used on VRT-401's LAN. The Destination Address should be set to "A specific IP Subnet", and the IP ad-...
  • Page 105: Using Certificates

    Using Certificates Certificates are used to authenticate users. Certificates are issued to you by various CAs (Certification Authorities). These Certificates are called "Self Certificates". Each CA also issues a certificate to itself. This Certificate is required in order to validate communication with the CA.
  • Page 106 VRT-401 User Manual Adding a Trusted Certificate 1. After obtaining a new Certificate from the CA, you need to upload it to VRT-401. 2. On the "Certificates" screen, click the "Add Trusted Certificate" button to view the Add Trusted Certificate screen, shown below.
  • Page 107 Subject Name Hash Algorithm Signature Algorithm Signature Key Length 3. Click "Next" to continue to the following screen. 4. Check that the data displayed in the Certificate Details section is correct. This data is used to generate the Certificate request. If the data is not correct, click the "Back"...
  • Page 108 Click the "Browse" button, and locate the certificate file on your PC. Select the file. The name will appear in the "Certificate File" field. Click "Upload" to upload the certificate file to VRT-401. Click "Finished" to return to the Certificate list. The new Certificate will appear in the list.
  • Page 109 Click the "Browse" button, and locate the CRL file on your PC. Select the file. The name will appear in the "File to Upload" field. Click "Upload" to upload the CRL file to VRT-401. Click "Back" to return to the CRL list. The new CRL will appear in the list.
  • Page 110: Chapter 9 Other Features And Settings

    "Virtual Server", or "Internet Application". This database is maintained automatically, but you can add and delete entries for PCs which use a Fixed (Static) IP Address. Remote Administration: This feature allows you to manage VRT-401 via the Internet. Only required if your LAN has other Routers or Gateways.
  • Page 111: Pc Database

    By default, non-Server versions of Windows act as "DHCP Clients"; this setting is called "Obtain an IP Address automatically". VRT-401 uses the "Hardware Address" to identify each PC, not the name or IP address. The "Hardware Address" can only change if you change the PC's network card or adapter.
  • Page 112 VRT-401 User Manual Data - PC Database Screen Known PCs: This lists all current entries. Data displayed is name (IP Address) type. The "type" indicates whether the PC is connected to the LAN. If adding a new PC to the list, enter its name here. It is best if this Name matches the PC's "hostname".
  • Page 113 PC Database (Admin) This screen is displayed if the "Advanced Administration" button on the PC Database is clicked. It provides more control than the standard PC Database screen. Data - PC Database (Admin) Screen Known PCs: This lists all current entries. Data displayed is name (IP Address) type.
  • Page 114 DHCP Client - Reserved IP Address - Select this if the PC is set to be a DHCP client, and you wish to guarantee that VRT-401 will always allocate the same IP Address to this Enter the required IP address. Only the last field is required;...
  • Page 115: Remote Administration

    Remote Administration This feature allows you to manage VRT-401 via the Internet. Figure 92: Remote Administration Screen Data - Remote Administration Screen Remote Administration Enable Remote Administration: Enable to allow administration via the Internet. If Disabled, this device will ignore management connection attempts from the Internet.
  • Page 116: Routing

    If VRT-401 is only acting as a Gateway for the local LAN segment, ignore the "Routing" page even if your LAN has other Routers. If your LAN has a standard Router (e.g. Cisco) on your LAN, and VRT-401 is to act as a Gateway for all LAN segments, enable RIP (Routing Information Protocol) and ignore the Static Routing table.
  • Page 117 Data - Routing Screen Enable RIP: Check this to enable the RIP (Routing Information Protocol) feature of VRT-401. VRT-401 supports RIP 1 only. Static Routing Static Routing Table Entries: This list shows all entries in the Routing Table. Figure 93: Routing Screen The "Properties"...
  • Page 118: Configuring Other Routers On Your Lan

    It is essential that all IP packets for devices not on the local LAN be passed to VRT-401, so that they can be forwarded to the external LAN, WAN, or Internet. To achieve this, the local LAN must be configured to use VRT-401 as the Default Route or Default Gateway.
  • Page 119 Other Routers on the Local LAN Other routers on the local LAN must use VRT-401's Local Router as the Default Route. The entries will be the same as VRT-401's local router, with the exception of the Gateway IP Address.
  • Page 120: Firmware Upgrade

    Network Mask Gateway IP Address Firmware Upgrade The firmware (software) in VRT-401 can be upgraded using your Web Browser. You must first download the upgrade file, then select Upgrade on the Other menu. You will see a screen like the following.
  • Page 121: Upnp

    If Disabled, UPnP users can NOT disable Internet access via this device. But currently, this restriction only applies to users running Windows XP, who access the Properties via UPnP. (e.g. Right-click VRT-401 in My Network Places, and select Properties) Other Features and Settings...
  • Page 122: Appendix A Troubleshooting

    Overview This chapter covers some common problems that may be encountered while using VRT-401 and some possible solutions to them. If you follow the suggested steps and VRT-401 still does not function properly, contact your dealer for further advice. General Problems Problem 1: Can't connect to VRT-401 to configure it.
  • Page 123 Solution 2: VRT-401 processes the data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this does not solve the problem you can use the DMZ function. This should work with almost every application, but: It is a security risk, since the firewall is disabled.
  • Page 124: Appendix B Specifications

    Appendix B Specifications VRT-401 Model Dimensions Operating Temperature Storage Temperature Network Protocol: Network Interface: LEDs Power Adapter FCC Statement This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
  • Page 125: Ce Marking Warning

    Appendix B - Specifications FCC Radiation Exposure Statement This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters between the radiator and your body. This device complies with Part 15 of the FCC Rules.
