Planet Networking & Communication VRT-311 User Manual

Summary of Contents for Planet Networking & Communication VRT-311

  • Page 1 Broadband VPN Router VRT-311 / VRT-311S User’s Manual...
  • Page 2: Ce Mark Warning

    PLANET Technology. Disclaimer PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose.
  • Page 3: Table Of Contents

    CHAPTER 1 INTRODUCTION ... 1 VRT-311 /VRT-311S Features... 1 Package Contents ... 3 Physical Details... 4 CHAPTER 2 INSTALLATION ... 8 Requirements ... 8 Procedure ... 8 CHAPTER 3 SETUP... 10 Overview ... 10 Configuration Program... 11 Setup Wizard ... 14 LAN Screen ...
  • Page 4 Remote Administration... 131 Routing... 133 Upgrade Firmware... 138 UPnP... 139 APPENDIX A TROUBLESHOOTING... 140 Overview ... 140 General Problems ... 140 Internet Access... 140 APPENDIX B SPECIFICATIONS ... 142 VRT-311 / VRT-311S ... 142 FCC Statement ... 142 CE Marking Warning... 143...
  • Page 5: Introduction

    Introduction This Chapter provides an overview of VRT-311 / VRT-311S's features and capabilities. Congratulations on the purchase of your new VRT-311 / VRT-311S. VRT-311 / VRT-311S is a multi-function device providing the following services: Shared Broadband Internet Access VPN Gateway for IPSec VPN connections to remote PCs or sites.
  • Page 6: Advanced Internet Functions

    LAN. DHCP Server Support. address to PCs and other devices upon request. VRT-311 / VRT-311S can act as a DHCP Server for devices on your local LAN and WLAN. Multi Segment LAN Support.
  • Page 7: Package Contents

    IPSec VPN Gateway Features IPSec. Support for IPSec standards, including IKE and certificates. Tunnels. Up to 100 VPN tunnels can be created for VRT-311, and up to 10 VPN tunnels can be created for VRT-311S. High performance. even when using 3DES.
  • Page 8: Physical Details

    LNK/ACT On - Connection to the modem attached to the WAN (Internet) port is established. Figure 2: VRT-311’s Front Panel Figure 3: VRT-311S’s Front Panel On - Corresponding LAN (hub) port is active. Off - No active connection on the corresponding LAN (hub) port.
  • Page 9 Off - No connection to a modem on the WAN (Internet) port. Flashing - Data is being transmitted or received via the WAN port. PPPoE On - PPPoE connection established. (For VRT-311 Off - No PPPoE connection. only) Introduction...
  • Page 10: Rear Panel

    2. Hold the Reset Button down while you Power On. 3. Keep holding the Reset Button for a few seconds, until the RED 4. Release the Reset Button. VRT-311 / VRT-311S is now using Connect the DSL or Cable Modem here. If your modem came with a...
  • Page 11 Using the DMZ Port The DMZ port is intended for connection of a server you wish to make available to the public. To use multiple servers, use a standard LAN cable to connect the DMZ port to a normal port on another hub, and connect your servers to the hub.
  • Page 12: Installation

    311S. Both 10BaseT and 100BaseT connections can be used simultaneously. If required, you can connect any LAN port to another Hub. Any LAN port on VRT-311 / VRT-311S will automatically function as an "Uplink" port when required. Just connect any LAN port to a normal port on the other hub, using a standard LAN cable.
  • Page 13: Check The Leds

    PCs connected to the DMZ port are isolated from your LAN. 3. Connect WAN Cable Connect the Broadband modem to the WAN port on VRT-311 / VRT-311S. Use the cable supplied with your Broadband modem. If no cable was supplied, use a standard LAN cable.
  • Page 14: Setup

    Chapter 3 Setup This Chapter provides Setup details of VRT-311 / VRT-311S. Overview This chapter describes the setup procedure for: Internet Access LAN configuration PCs on your local LAN may also require configuration. For details, see Chapter 4 - PC Configuration.
  • Page 15: Configuration Program

    Configuration Program VRT-311 / VRT-311S contains an HTTP server. This enables you to connect to it, and configure it, using your Web Browser. Your Browser must support JavaScript. The configuration program has been tested on the following browsers: Netscape V4.08 or later...
  • Page 16: Using Your Web Browser

    VRT-311 User Guide Double-click the icon for VRT-311 / VRT-311S (either on the Desktop, or in My Network Places) to start the configuration. Refer to the following section Setup Wizard for details of the initial configuration process. Using your Web Browser To establish a connection from your PC to VRT-311 / VRT-311S: 1.
  • Page 17 Setup These are the default values. Both the name and password can (and should) be changed, using the Admin Login screen. Once you have changed either the name or the password, you must use the current values.
  • Page 18: Setup Wizard

    Setup Wizard The first time you connect to VRT-311 / VRT-311S, the Setup Wizard will run automatically. (The Setup Wizard will also run if VRT-311 / VRT-311S's default settings are restored.) 1. Step through the Wizard until finished.
  • Page 19: Singtel Ras

    PPTP Other Modems (e.g. Broadband Wireless) Type Dynamic IP Address Static (Fixed) IP Address Big Pond Cable (Australia) For this connection method, the following data is required: User Name Password Big Pond Server IP address SingTel RAS For this connection method, the following data is required: User Name Password RAS Plan...
  • Page 20: Home Screen

    Home Screen After finishing or exiting the Setup Wizard, you will see the Home screen. When you connect in future, you will see this screen. An example screen is shown below. Navigation & Data Input Use the menu bar on the top of the screen, and the "Back"...
  • Page 21: Lan Screen

    TCP/IP IP Address IP address for VRT-311 / VRT-311S, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range. In the latter case, enter an unused IP Address from within the range used by your LAN.
  • Page 22: What Dhcp Does

    You can only use one (1) DHCP Server per LAN segment. If you wish to use another DHCP Server, rather than VRT-311 / VRT-311S's, the following procedure is required. 1. Disable the DHCP Server feature in VRT-311 / VRT-311S. This setting is on the LAN screen.
  • Page 23: Pc Configuration

    VRT-311S. The first step is to check the PC's TCP/IP settings. VRT-311 / VRT-311S uses the TCP/IP network protocol for all functions, so it is essential that the TCP/IP protocol be installed and configured on each PC. TCP/IP Settings - Overview If using the default VRT-311 / VRT-311S settings, and the default Windows TCP/IP settings, no changes need to be made.
  • Page 24: Checking Tcp/Ip Settings - Windows 9X/Me

    Using DHCP To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, VRT-311 / VRT-311S will act as a DHCP Server. Restart your PC to ensure it obtains an IP Address from VRT-311 / VRT-311S.
  • Page 25 PC Configuration On the Gateway tab, enter VRT-311 / VRT-311S's IP address in the New Gateway field and click Add, as shown below. Your LAN administrator can advise you of the IP Address they assigned to VRT-311 / VRT-311S.
  • Page 26: Checking Tcp/Ip Settings - Windows Nt

    Checking TCP/IP Settings - Windows NT4.0 1. Select Control Panel - Network, and, on the Protocols tab, select the TCP/IP protocol, as shown below. Figure 14: Windows NT4.0 - TCP/IP 2. Click the Properties button to see a screen like the one below. Figure 15: Windows NT4.0 - IP Address 3.
  • Page 27 If your PC is already configured, check with your network administrator before making the following changes. 1. The Default Gateway must be set to the IP address of VRT-311 / VRT-311S. To set this: Click the Advanced button on the screen above.
  • Page 28 Figure17: Windows NT4.0 - DNS...
  • Page 29: Checking Tcp/Ip Settings - Windows

    PC Configuration Checking TCP/IP Settings - Windows 2000: 1. Select Control Panel - Network and Dial-up Connection. 2. Right-click the Local Area Connection icon and select Properties. You should see a screen like the following: Figure18: Network Configuration (Win 2000) 3.
  • Page 30: Using Dhcp

    If your PC is already configured, check with your network administrator before making the following changes. Enter VRT-311 / VRT-311S's IP address in the Default gateway field and click OK. (Your LAN administrator can advise you of the IP Address they assigned to VRT-311 / VRT-311S.)
  • Page 31: Checking Tcp/Ip Settings - Windows Xp

    PC Configuration Checking TCP/IP Settings - Windows XP 1. Select Control Panel - Network Connection. 2. Right click the Local Area Connection and choose Properties. You should see a screen like the following: Figure20: Network Configuration (Windows XP) 3. Select the TCP/IP protocol for your network card. 4.
  • Page 32 If your PC is already configured, check with your network administrator before making the following changes. In the Default gateway field, enter VRT-311 / VRT-311S's IP address and click OK. Your LAN administrator can advise you of the IP Address they assigned to VRT-311 / VRT-311S.
  • Page 33: Internet Access

    Click Edit Location. Select TCP/IP for the Network field. (Leave the Phone Number blank.) Click Save, then OK. Configuration is now complete. Before clicking "Sign On", always ensure that you are using the "VRT-311 / VRT-311S " location. PC Configuration...
  • Page 34: Macintosh Clients

    Ensure your DNS settings are correct. Linux Clients To access the Internet via VRT-311 / VRT-311S, it is only necessary to set VRT-311 / VRT-311S as the "Gateway". Ensure you are logged in as "root" before attempting any changes.
  • Page 35: Operation And Status

    Applications which use non-standard connections or port numbers may be blocked by VRT-311 / VRT-311S's built-in firewall. You can define such applications as Special Applications to allow them to function normally. Refer to Chapter 6 - Internet Features for further details.
  • Page 36 PC Database option on the Other menu. This displays the current name of VRT-311 / VRT-311S. The current version of the firmware installed in VRT-311 / VRT-311S. Clicking this button will open a Window which lists all system details and settings.
  • Page 37: Connection Status - Pppoe

    Connection Status - PPPoE If using PPPoE (PPP over Ethernet), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data - PPPoE Screen Connection Physical Address IP Address Network Mask PPPoE Link Status Connection Log Connection Log Figure23: PPPoE Status Screen...
  • Page 38: Connection Log Messages

    Buttons Connect Disconnect Clear Log Refresh Connection Log Messages Message Connect on Demand Manual connection Reset physical connection Connecting to remote server Remote Server located Start PPP PPP up successfully Idle time-out reached Disconnecting Error: Remote Server not found Error: PPP Connection failed...
  • Page 39: Connection Status - Pptp

    Connection Status - PPTP If using PPTP (Peer-to-Peer Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data - PPTP Screen Connection The hardware address of this device, as seen by remote devices on the Physical Address Internet.
  • Page 40: Connection Status - Telstra Big Pond

    Disconnect If connected to your ISP, hang up the connection. Delete all data currently in the Log. This will make it easier to read Clear Log new messages. Update the data on screen. Refresh Connection Status - Telstra Big Pond An example screen is shown below.
  • Page 41: Connection Details - Singtel Ras

    Connection Log Connection Log Buttons Connect If not connected, establish a connection to Telstra Big Pond. Disconnect If connected to Telstra Big Pond, terminate the connection. Clear Log Delete all data currently in the Log. This will make it easier to read new messages.
  • Page 42 "Renew" button will attempt to re-establish the connection and obtain an IP Address from the ISP's DHCP Server. If an IP Address has been allocated to VRT-311 / VRT-311S (by the ISP's DHCP Server), this button will say "Release". Clicking the "Release"...
  • Page 43: Connection Details - Fixed/Dynamic Ip Address

    (Dynamic IP address). If you have a Button will display Fixed (Static) IP address, this button has no effect. EITHER "Release" If the ISP's DHCP Server has NOT allocated an IP Address for VRT-311 / VRT-311S, this button will say "Renew". Clicking Operation and Status...
  • Page 44 "Renew" button will attempt to re-establish the connection and obtain an IP Address from the ISP's DHCP Server. If an IP Address has been allocated to VRT-311 / VRT-311S (by the ISP's DHCP Server), this button will say "Release". Clicking the "Release"...
  • Page 45: Internet Features

    Chapter 6 Internet Features This Chapter explains when and how to use VRT-311 / VRT-311S's "Internet" Features. Overview The following advanced features are provided. WAN Port Configuration Advanced Internet Communication Applications Special Applications Multi-DMZ URL filter Dynamic DNS Virtual Servers...
  • Page 46: Wan Port Configuration

    WAN Port Configuration The WAN Port Configuration screen provides an alternative to using the Wizard. It can be accessed from the Internet menu. An example screen is shown below. Figure28: WAN Port Configuration Screen Data – WAN Port Configuration Screen Identification Hostname Normally, there is no need to change the default name, but if your ISP...
  • Page 47 Also called Dynamic IP Address. This is the default, and the most is assigned auto- common. matically Leave this selected if your ISP allocates an IP Address to VRT-311 / VRT-311S upon connection. Specified Also called Static IP Address. Select this if your ISP has allocated IP Address you a fixed IP Address.
  • Page 48 Login Login Method If your ISP does not use a login method (username, password) for Internet access, leave this at the default value "None (Direct connection)" Otherwise, check the documentation from your ISP, select the login method used, and enter the required data.
  • Page 49: Advanced Internet

    Multi-DMZ URL filter Communication Applications Most applications are supported transparently by VRT-311 / VRT-311S. But sometimes it is not clear which PC should receive an incoming connection. This problem could arise with the Communication Applications listed on this screen. If this problem arises, you can use this screen to set which PC should receive an incoming connection, as described below.
  • Page 50: Special Applications

    If you use Internet applications which use non-standard connections or port numbers, you may find that they do not function correctly because they are blocked by VRT-311 / VRT-311S's firewall. In this case, you can define the application as a "Special Application".
  • Page 51: Using A Special Application

    Type - Select the protocol (TCP or UDP) used when you receive data Incoming from the special application or service. (Note: Some applications use Ports different protocols for outgoing and incoming data). Start - Enter the beginning of the range of port numbers used by the application server, for data you receive.
  • Page 52: Url Filter

    URL Filter The URL Filter allows you to block access to undesirable Web sites. To use this feature, you must define "filter strings". If the "filter string" appears in a requested URL, the request is blocked. Enabling the URL Filter also affects the Internet Access Log.
  • Page 53: Dynamic Dns (Domain Name Server)

    2. After registration, follow the Service Provider's procedure to request a Domain Name, and have it allocated to you. 3. Enter your DDNS data on VRT-311 / VRT-311S's DDNS screen (shown below). 4. VRT-311 / VRT-311S will then automatically ensure that your current IP Address is recorded and updated at the DDNS server.
  • Page 54 DDNS Data DDNS Service Select the desired DDNS Service provider. User Name Enter your Username for the DDNS Service. Password/Key Enter your current password for the DDNS Service. Domain Name Enter the domain name allocated to you by the DDNS Service. If you have more than one name, enter the name you wish to use.
  • Page 55: Virtual Servers

    Virtual Servers This feature allows you to make Servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because: Your Server does not have a valid external IP Address. Attempts to connect to devices on your LAN are blocked by the firewall in this device.
  • Page 56: Virtual Servers Screen

    For each enabled Virtual Server, a firewall rule to allow incoming traffic from the Internet (WAN) to the DMZ is automatically created. If the Server is connected to the LAN (hub) ports, you must add the firewall rule manually. Note that the DMZ port is a normal port, not an "uplink"...
  • Page 57: Options

    Connecting to the Virtual Servers Once configured, anyone on the Internet can connect to your Virtual Servers. They must use the Internet IP Address (the IP Address allocated to you by your ISP). e.g. http://203.70.212.52 ftp://203.70.212.52 It is more convenient if you are using a Fixed IP Address from your ISP, rather than Dynamic. However, you can use the Dynamic DNS feature, described in the following section, to allow users to connect to your Virtual Servers using a URL, rather than an IP Address.
  • Page 58: Security Configuration

    Scheduling Services Admin Login The Admin Login screen allows you to assign a user name and password to VRT-311 / VRT-311S. 1. The default login name is "admin". Change this to the desired value. 2. The default password is blank (no password). Enter the desired password in the New Password and Verify Password fields.
  • Page 59 Security Configuration Figure37: Password Dialog Enter the "User Name" and "Password" you set on the Admin Login screen above.
  • Page 60: Access Control

    Access Control This feature is accessed by the Access Control link on the Security menu. The Access Control feature allows administrators to restrict the level of Internet Access available to PCs on your LAN. With the default settings, everyone has unrestricted Internet access. To use this feature: 1.
  • Page 61 Data - Access Control Screen Group Group Select the desired Group. The screen will update to display the settings for the selected Group. Groups are named "Default", "Group 1", "Group 2", "Group 3" and "Group 4", and cannot be renamed.
  • Page 62 Click this to clear and restart the "Access Control" log, making new Clear Log entries easier to read.
  • Page 63: Group Members Screen

    Group Members Screen This screen is displayed when the Members button on the Access Control screen is clicked. Use this screen to add or remove members (PCs) from the current group. The "Del >>" button will remove the selected PC (in the Members list) from the current group.
  • Page 64: Firewall Rules

    Firewall Rules For normal operation and LAN protection, it is not necessary to use this screen. The Firewall will always block DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you can not use it - the service is unavailable.
  • Page 65 For each rule, the following data is shown: Data Name - The name you assigned to the rule. Source - The traffic covered by this rule, defined by the source IP address. If the IP address is followed by ... this indicates there is range of IP addresses, rather than a single address.
  • Page 66 Define Firewall Rule Clicking the "Add" button in the Firewall Rules screen will display a screen like the example below. Data - Define Firewall Rule Screen Name Type Source IP Figure41: Define Firewall Rule Enter a suitable name for this rule. This determines the source and destination ports for traffic covered by this rule.
  • Page 67 Dest IP Services Action These settings determine which traffic, based on their destination IP address, is covered by this rule. Select the desired option: Any - All traffic from the source port is covered by this rule. Single address - Enter the required IP address in the "Start IP address"...
  • Page 68: Logs

    Since only a limited amount of log data can be stored in VRT-311 / VRT-311S, log data can also be E-mailed to your PC or sent to a Syslog Server.
  • Page 69 Data - Logs Screen Enable Logs Incoming Traffic Select the desired option: Outgoing Traffic Select the desired option: Select the desired option: System Log If enabled, the VPN log will record incoming and outgoing VPN connections. View Log Button Use this to view each log, as required. All IP traffic - this will log all incoming TCP/IP connections, of any type.
  • Page 70 Use this to restart the required log. This makes it easier to read the Clear Log Button latest entries. Timezone Timezone Select the correct Timezone for your location. This is required for the date/time shown on the logs to be correct. Syslog Server Enable Syslog If enabled, log data will be sent to your Syslog Server.
  • Page 71: E-Mail

    E-mail Data – E-Mail Screen E-Mail Alerts Send E-Mail alert E-Mail Logs Send Logs by E-Mail Include Send Figure43: E-Mail Screen If enabled, an E-mail will be sent immediately if a DoS (Denial of Service) attack is detected. If enabled, the E-mail address information must be provided.
  • Page 72 E-mail address Subject SMTP Server Port No. Enter the E-mail address the Log is to be sent to. The E-mail will also show this address as the Sender's address. Enter the text string to be shown in the "Subject" field for the E-mail.
  • Page 73: Security Options

    Security Options This screen allows you to set Firewall and other security-related options. Data - Security Options Screen Firewall If enabled, DoS (Denial of Service) attacks will be detected and Enable DoS blocked. The default is enabled. It is strongly recommended that this Firewall setting be left enabled.
  • Page 74 This setting should normally be enabled. If checked, VRT-311 / VRT-311S will respond to ICMP packets received from the Internet. If not checked, ICMP packets from the Internet will be ignored. Disabling this option provides a slight increase in security.
  • Page 75: Scheduling

    Scheduling This schedule can be (optionally) applied to any Access Control Group. Blocking will be performed during the scheduled time (between the "Start" and "Finish" times.) Two (2) separate sessions or periods can be defined. Times must be entered using a 24 hr clock. If the time for a particular day is blank, no action will be performed.
  • Page 76: Services

    Services Services are used in defining traffic to be blocked or allowed by the Access Control or Firewall Rules features. Many common Services are pre-defined, but you can also define your own services if required. To view the Services screen, select the Services link on the Security menu.
  • Page 77: Vpn (Ipsec)

    This Chapter describes the VPN capabilities and configuration required for common situations. Overview This section describes the VPN (Virtual Private Network) support provided by your VRT-311 / VRT-311S. A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network - typically the Internet.
  • Page 78 Policy", and "IPSec Proposal" have the same meaning. However, some vendors separate IKE Policies (Phase 1 parameters) from IPSec Policies (Phase 2 parameters). For VRT-311 / VRT-311S; each VPN policy contains both Phase 1 and Phase 2 parameters (if IKE is used). Each policy defines: The address of the remote VPN endpoint The traffic which is allowed to use the VPN connection.
  • Page 79: Common Vpn Situations

    Common VPN Situations VPN Pass-through Here, a PC on the LAN behind the VRT-311 / VRT-311S is using VPN software, but the VRT-311 / VRT-311S is NOT acting as a VPN endpoint. It is only allowing the VPN connection.
  • Page 80 Connecting 2 LANs via VPN This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN. The 2 LANs MUST use different IP address ranges. The VPN Policies at each end determine when a VPN tunnel will be established, and what systems on the remote LAN can be accessed once the VPN connection is established.
  • Page 81: Vpn Configuration

    VPN Configuration This section covers the configuration required on VRT-311 / VRT-311S when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies). Details of using Certificates are covered in a later section. VPN Policies Screen To view this screen, select VPN Policies from the VPN menu. This screen lists all existing VPN policies.
  • Page 82 Move The order in which policies are listed is only important if you have multiple policies for the same remote site. In that case, the first matching policy is used. There are 2 ways to change the order of policies: Use the up and down indicators on the right to move the selected row.
  • Page 83 Otherwise, click Next to continue. You will see a screen like the following. Figure52: VPN Wizard – General Screen General Settings Policy Name Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies. Enable Policy Enable or disable the policy as required.
  • Page 84 Figure53: VPN Wizard - Traffic Selector Screen For outgoing VPN connections, these settings determine which traffic will cause a VPN tunnel to be created, and which traffic will be sent through the tunnel. For incoming VPN connections, these settings determine which systems on your local LAN will be available to the remote endpoint.
  • Page 85 Remote IP addresses Type The remote VPN should have these IP addresses entered as its "Local" addresses. 3. Click Next to continue. The screen you will see depends on whether you previously selected "Manual Key Exchange" or "IKE". Manual Key Exchange Figure54: VPN Wizard - Manual Key Exchange Screen These settings must match the remote VPN.
  • Page 86 ESP (Encapsulating Security Payload) provides security for the ESP Encryption payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication. Encryption Algorithm Key - In / Key - Out ESP Authentication Generally, you should enable ESP Authentication.
  • Page 87 IKE Phase 1 If you selected IKE, the following screen is displayed after the Traffic Selector screen. This screen sets the parameters for the IKE SA. Figure55: VPN Wizard - IKE Phase 1 Screen IKE Phase 1 (IKE SA) Local Identity This setting must match the "Remote Identity"...
  • Page 88 Authentication Authentication Select the desired option, and ensure that both endpoints have the Algorithm same settings. Encryption Select the desired method, and ensure the remote VPN endpoint uses Algorithm the same method. Select the desired option, and ensure the remote VPN endpoint uses IKE Exchange Mode the same mode.
  • Page 89 IKE Phase 2 Screen This screen sets the parameters for the IPSec SA. When using IKE, there are separate connections (SAs) for IKE and IPSec. Figure56: VPN Wizard - IKE Phase 2 Screen IKE Phase 2 (IPsec SA) This setting does not have to match the remote VPN endpoint; the IPsec SA Life Time shorter time will be used.
  • Page 90 For IKE, configuration is now complete. Click "Next" to view the final screen. Figure57: VPN Wizard - Final Screen On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard.
  • Page 91: Vpn Examples

    VPN Examples This section describes some examples of using VRT-311 / VRT-311S in common VPN situations. Example 1: Connecting 2 VRT-311 / VRT-311Ss In this example, 2 LANs are connected via VPN. Figure58: Connecting 2 VRT-311 / VRT-311Ss Note The LANs MUST use different IP address ranges.
  • Page 92 method Pre-shared Key Xxxxxxxxxx IKE Authentication algorithm IKE Encryption IKE Exchange Main Mode mode DH Group Group 1 (768 bit) IKE SA Life time 28800 IKE PFS Disable IPSec SA Parameters IPSec SA Life time 28800 IPSec PFS Disabled...
  • Page 93 Example 2: Windows 2000/XP Client to LAN In this example, a Windows 2000/XP client connects to VRT-311 / VRT-311S and gains access to the local LAN. Figure59: Windows 2000/XP Client to VRT-311 / VRT-311S To use 3DES encryption on Windows 2000, you need Service Pack 3 or later installed.
  • Page 94 DH Group Group 1 (768 bit) IKE SA Life time 28800 IKE PFS Disable IPSec SA Parameters IPSec SA Life time 28800 IPSec PFS Disable AH authentication Disabled ESP authentication Enable/MD5 ESP encryption Enable/DES Windows Client Configuration 1.
  • Page 95 Figure61: Windows 2000/XP - Policy Properties Note that no rules are in use. Two (2) rules are required - incoming and outgoing. The outgoing rule will be added first. 6. Deselect the "Use Add Wizard" checkbox, then click "Add" to view the screen below. 7.
  • Page 96 8. Enter the Source IP address and the Destination IP address. Since this is the outgoing filter, the Source IP address is "My IP address" and the Destination IP address is the address range used on the remote LAN. Ensure the Mirrored option is checked.
  • Page 97 Microsoft VPN Figure65: New Rule Properties: Filter Action 11. Select Require Security, then click the "Edit" button, to view the Require Security Properties screen. Figure66: Require Security Properties 12. Select Negotiate security (this selects IKE), then click "Add".
  • Page 98 13. On the resulting screen (above), select High [ESP] then click "OK" to save your changes and return to the Require Security Properties screen. 14. Ensure the following settings are correct, then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.
  • Page 99 15. Click the Tunnel Setting tab, then select The tunnel endpoint is specified by this IP address. Enter the WAN (Internet) IP address of VRT-311 / VRT-311S, as shown below. 16. Click the Authentication Methods tab, then click the "Edit" to see the screen like the example below.
  • Page 100 Figure71: Windows 2000/XP Client to VRT-311 / VRT-311S 20. To add the second (incoming) rule, click "Add". For the name, enter "To Win2K", then click "Add". Figure72: Windows 2000/XP Client to VRT-311 / VRT-311S 21. Enter the Source IP address and the Destination IP address as shown below.
  • Page 101 Microsoft VPN Figure73: Filter Properties: Addressing 22. Click "OK" to save your changes, then "Close". Figure74: Filter List 23. Ensure the "To Win2K" filter is selected, then click the Filter Action tab.
  • Page 102 24. Select Require Security, then click "Edit". On the Require Security Methods screen below, select Negotiate security. 25. Click the "Add" button. On the resulting Modify Security Method screen below, select High [ESP]. Figure 75: Filter Action Figure 76: Security Methods...
  • Page 103 26. Click "OK" to save your changes, then click "OK" again to return to the Filter Action screen. 27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (172.16.9.10 in this example). 28. Select the Authentication Methods tab, and click the "Edit" button to see the screen below. Figure 77: Modify Security Method Figure 78: Tunnel Setting...
  • Page 104 29. Select Use this string to protect the key exchange (preshared key), then enter your pre-shared key in the field provided. 30. Click "OK" to save your settings, then "Close" to return to the DUT to Win2K Properties screen.
  • Page 105 Figure 81: Properties - General Tab 32. Click the "Advanced" button to see the screen below. Figure 82: Key Exchange Settings 33. Click the "Methods" button to see the screen below.
  • Page 106 36. Click "OK" to save, then "OK" again, and then "Close" to return to the Local Security Settings screen. 37. Right-click the DUT to Win2K Policy and select "Assign" to make your policy active. Figure 85: Windows 2000/XP Client to VRT-311 / VRT-311S Configuration is now complete. Figure 84: IKE Security Algorithms...
  • Page 107 Example 3: Windows 2000 Server to VPN Gateway In this example, a Windows 2000 Server connects to VRT-311 / VRT-311S. Users on each LAN can then gain access to the remote LAN. Figure 86: VRT-311 / VRT-311S to Windows 2000 Server...
  • Page 108: Windows 2000 Server Configuration

    The Source Address should be set to "A specific IP Subnet", and the IP address and Subnet mask set to the address range used on VRT-311 / VRT-311S's LAN. The Destination Address should be set to "A specific IP Subnet", and the IP address and...
  • Page 109: Certificates

    Certificate button details. Requesting a Trusted Certificate 1. After obtaining a new Certificate from the CA, you need to upload it to VRT-311 / VRT-311S. 2. On the "Certificates" screen, click the "Add Trusted Certificate" button to view the Add Trusted Certificate screen, shown below.
  • Page 110: Self Certificates

    4. Select the file. The name will appear in the "Certificate File" field. 5. Click "Upload" to upload the certificate file to VRT-311 / VRT-311S. 6. Click "Back" to return to the Trusted Certificate list. The new Certificate will appear in the list.
  • Page 111 Authority). See the following section for details. Requesting a Self Certificate VRT-311 / VRT-311S must generate a request for the CA. This request must then be supplied to the CA. The procedure is as follows: 1. On the Self Certificates screen, click the New Request button to view the first screen of the Self Certificate Request procedure, shown below.
  • Page 112 Subject Name, Hash Algorithm, Signature Algorithm, Signature Key Length, IP address, Domain Name, E-mail Address. 3. Click "Next" to continue to the following screen. 4. Check that the data displayed in the Certificate Details section is correct. This data is used to generate the Certificate request.
  • Page 113: CRLs

    8. After obtaining a new Certificate, as described above, you need to upload it to VRT-311 / VRT-311S. Return to the Self Certificates screen. In the Self Certificate Requests list, select the request matching this certificate. Click the Upload Certificate button.
  • Page 114: Status

    Select the file. The name will appear in the "File to Upload" field. Click "Upload" to upload the CRL file to VRT-311 / VRT-311S. Click "Back" to return to the CRL list. The new CRL will appear in the list.
  • Page 115 Data Rx: Measures the quantity of data which has been received via this SA. Buttons: Refresh - Update the data shown on screen. View Log - Open a new window and view the contents of the VPN log...
  • Page 116: Microsoft VPN

    Status Server Setup VRT-311 / VRT-311S incorporates a PPTP (Peer-to-Peer Tunneling Protocol) server which is compatible with the "VPN Adapter" provided with recent versions of Microsoft Windows. Remote Windows clients are able to connect to this Server. Once connected, they can access the LAN as if they connected locally.
  • Page 117: Client Database

    Data – Microsoft VPN Screen PPTP Server Enable Use this checkbox to enable or disable this feature as required. To allow connection by remote Windows clients, you must enable this feature, and enter the client details (on the Clients screen) to allow them to login to this Server.
  • Page 118 Data - Microsoft VPN Client Database Screen Existing Users User List All existing users are listed. If you have not added any users, this list will be empty. When a user is selected, their details are displayed in the Properties panel.
  • Page 119: Status Screen

    Status Screen The Status screen is accessed by selecting the Status option on the Microsoft VPN menu. Figure 99: Microsoft VPN Status Screen Data - Microsoft VPN Status Screen Server Status Status This indicates whether or not the PPTP (VPN) Server is enabled. This indicates the number of remote clients currently logged into the Current Connections...
  • Page 120: Windows Client Setup

    Windows Client Setup To connect to the PPTP (VPN) Server in the VPN Broadband Gateway: The Microsoft VPN feature in the VPN Broadband Gateway must be enabled and configured, as described in the previous section. Each user must have a login (username and password) on the VPN client database on the VPN Broadband Gateway.
  • Page 121 1. Ensure you are connected to the Internet. 2. Select Start - Settings - Dial-up Networking 3. Double-click the new VPN entry in Dial-up Networking. 4. Enter your User name and Password, as recorded in the Client database on VRT-311 / VRT-311S. 5. Click the "Connect" button.
  • Page 122: Windows 2000

    Windows 2000 Ensure you have logged on with Administrator rights before attempting this procedure. 1. Open "Network Connections", and start the "New Connection" Wizard. Figure 103: Windows 2000 Network Connection 2. Select the VPN option ("Connect to a private network through the Internet"), as shown above, and click Next.
  • Page 123 4. On the screen above, enter the Domain Name or Internet IP address of VRT-311 / VRT-311S you wish to connect to. Click Next to continue. Figure 106: Windows 2000 Connection Availability 5. Choose whether to allow this connection for everyone, or only for yourself, as required.
  • Page 124 3. You can choose to have Windows remember the password if desired, so you do not have to enter it again. Changing the connection settings The PPTP (VPN) Server in VRT-311 / VRT-311S is designed to work with the default Windows settings. If necessary, you can change the Windows settings by right-clicking the VPN connection in Network Connections, and selecting Properties.
  • Page 125 Windows XP Ensure you have logged on with Administrator rights before attempting this procedure. 1. Open Network Connections (Start-Settings-Network Connections), and start the New Connection Wizard. Figure 108: Windows XP Network Connection Type 2. Select the option "Connect to the network at my workplace", as shown above, and click Next.
  • Page 126 Figure 110: Windows XP Connection Name 4. Enter a suitable name for this connection. Click Next to continue. Figure 111: Windows XP Public Network 5. On the screen above, select "Do not dial the initial connection". Click Next to continue. Figure 112: Windows XP VPN Server...
  • Page 127 6. On the screen above, enter the Domain Name or Internet IP address of VRT-311 / VRT-311S you wish to connect to. Click Next to continue. Figure 113: Windows XP Connection Availability 7. Choose whether to allow this connection for everyone, or only for yourself, as required.
  • Page 128: Other Features & Settings

    PCs which use a Fixed (Static) IP Address. Remote Admin This feature allows you to manage VRT-311 / VRT-311S via the Internet. Routing Only required if your LAN has other Routers or Gateways.
  • Page 129: Config File

    You can restore a previously-downloaded configuration file to VRT-311 / VRT-311S, by uploading it to VRT-311 / VRT-311S. This screen also allows you to set VRT-311 / VRT-311S back to its factory default configuration. Any existing settings will be deleted.
  • Page 130: Network Diagnostics

    Network Diagnostics This screen allows you to perform a "Ping" or a "DNS lookup". These activities can be useful in solving network problems. An example Network Diagnostics screen is shown below. Figure 115: Network Diagnostics Screen Data - Network Diagnostics Screen Ping IP Address...
  • Page 131: PC Database

    By default, non-Server versions of Windows act as "DHCP Clients"; this setting is called "Obtain an IP Address automatically". VRT-311 / VRT-311S uses the "Hardware Address" to identify each PC, not the name or IP address. The "Hardware Address" can only change if you change the PC's network card or adapter.
  • Page 132 Data - PC Database Screen This lists all current entries. Data displayed is name (IP Address) type. Known PCs The "type" indicates whether the PC is connected to the LAN. Name If adding a new PC to the list, enter its name here. It is best if this matches the PC's "hostname".
  • Page 133 DHCP Client - Reserved IP Address - Select this if the PC is set to be a DHCP client, and you wish to guarantee that VRT-311 / VRT-311S will always allocate the same IP Address to this PC.
  • Page 134 Click this to view the standard "PC Database" screen. Standard Screen Automatic discovery - Select this to have VRT-311 / VRT-311S contact the PC and find its MAC address. This is only possible if the PC is connected to the LAN and powered on.
  • Page 135: Remote Administration

    Remote Administration Remote Administration allows you to connect to this interface via the Internet, using your Web browser. Figure 118: Remote Administration Screen Data - Remote Administration Screen Information To establish a connection from the Internet: Information 1. Enable Remote Administration and configure this screen. 2.
  • Page 136 1. Ensure your Internet connection is established, and start your Web Browser. 2. In the "Address" bar, enter "HTTPS://" followed by the Internet IP Address of VRT-311 / VRT-311S. If the port number is not 80, the port number is also required. (After the IP Address, enter ":"...
  • Page 137: Routing

    If you don't have other Routers or Gateways on your LAN, you can ignore the "Routing" page completely. If VRT-311 / VRT-311S is only acting as a Gateway for the local LAN segment, ignore the "Routing" page even if your LAN has other Routers.
  • Page 138 Data - Routing Screen Enable RIP Check this to enable the RIP (Routing Information Protocol) feature of VRT-311 / VRT-311S. VRT-311 / VRT-311S supports RIP 1 only. Static Routing This list shows all entries in the Routing Table. Static Routing...
  • Page 139: Configuring Other Routers On Your LAN

    Configuring Other Routers on your LAN It is essential that all IP packets for devices not on the local LAN be passed to VRT-311 / VRT-311S, so that they can be forwarded to the external LAN, WAN, or Internet. To achieve this, the local LAN must be configured to use VRT-311 / VRT-311S as the Default Route or Default Gateway.
  • Page 140 Other Routers on the Local LAN Other routers on the local LAN must use VRT-311 / VRT-311S's Local Router as the Default Route. The entries will be the same as VRT-311 / VRT-311S's local router, with the exception of the Gateway IP Address.
  • Page 141 Gateway IP Address Interface For Router B's Default Route Destination IP Address Network Mask Gateway IP Address Interface 0.0.0.0 0.0.0.0 192.168.0.1 (VRT-311 / VRT-311S’s IP Address) 0.0.0.0 0.0.0.0 192.168.1.80 (VRT-311 / VRT-311S’s local router)...
  • Page 142: Upgrade Firmware

    Upgrade Firmware Use this screen to upgrade your VRT-311 / VRT-311S's firmware. You must download the required firmware file, and store it on your PC. During the upgrade process, all existing Internet connections will be terminated.
  • Page 143: UPnP

    If Disabled, UPnP users can NOT disable Internet access via this device. But currently, this restriction only applies to users running Windows XP, who access the Properties via UPnP. (e.g. Right-click VRT-311 / VRT-311S in My Network Places, and select Properties)...
  • Page 144: Troubleshooting

    This Appendix covers the most likely problems and their solutions. Overview This chapter covers some common problems that may be encountered while using VRT-311 / VRT-311S and some possible solutions to them. If you follow the suggested steps and VRT-311 / VRT-311S still does not function properly, contact your dealer for further advice.
  • Page 145 Solution 2: VRT-311 / VRT-311S processes the data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this does not solve the problem, you can use the DMZ function. This should work with almost every application, but: It is a security risk, since the firewall is disabled.
  • Page 146: Specifications

    (Example - use only shielded interface cables when connecting to computer or peripheral devices). VRT-311 / VRT-311S VRT-311 : 170mm(W) * 147mm(D) * 27mm(H) VRT-311S : 148mm(W) * 120mm(D) * 30mm(H) 0°C to 40°C -10°C to 70°C...
  • Page 147: CE Marking Warning

    FCC Radiation Exposure Statement This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters between the radiator and your body. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause...

This manual is also suitable for:

VRT-311S
