Multitech RouteFinder RF650VPN User Manual

Internet security appliance
RF650VPN
Internet Security Appliance
User Guide


Summary of Contents for Multitech RouteFinder RF650VPN

  • Page 1 RF650VPN Internet Security Appliance User Guide...
  • Page 2 Multi-Tech Systems, Inc. All rights reserved. Copyright © 2001-2002 by Multi-Tech Systems, Inc. Multi-Tech Systems, Inc. makes no representations or warranty with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
  • Page 3: Table Of Contents

    RouteFinder Maintenance ........................188 Chapter 5 - Service, Warranty, and Technical Support ............... 190 Warranty ..............................190 On-line Warranty Registration ....................... 190 Recording RouteFinder Information ...................... 191 Contacting Tech Support via E-mail...................... 191 Service..............................192 Multi-Tech on the Internet........................192...
  • Page 4 Repair Procedures..........................192 Ordering Accessories ..........................194 Appendix A – Application Examples and How to Use Remote Syslog ..........195 Appendix B – Cable Diagrams ....................... 203 Appendix C - The WebAdmin Menu System ..................206 Appendix D - User Authentication Methods..................211 Appendix E –...
  • Page 5: Chapter 1 - Introduction And Description

    About this Manual and Related Manuals This manual is provided on the RouteFinder RF650VPN System CD in Acrobat (.PDF) format. It can be viewed, printed, and searched (Ctl-F) effectively from Acrobat Reader 4 or 5. The Acrobat Reader is provided on the System CD as well.
  • Page 6: Front Panel

    ALERT The ALERT LED is not used. POWER The POWER LED is off when the RF650VPN is in a reset state. When the POWER LED is lit, the RF650VPN is not in a reset state. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 7: Back Panel

    Chapter 1 – Introduction and Description Back Panel The RF650VPN back panel has a fan, a power plug, the POWER Switch (| / o), an RJ-11 LINE jack, a DB-9 COM1 jack, a DB-15 High-density DSUB (VIDEO) jack, two USB (Revision 1.1 compliant) jacks, an RJ-45 DMZ jack, an RJ-45 (WAN) jack, and an RJ-45 (LAN) jack.
  • Page 8: Features

    (43.18 cm × 4.45 cm × 26.67 cm; 4.54 kg) Operating Environment: Temperature Range: 32º – 120º F (0-50º C) Humidity: 25-85% noncondensing Approvals: FCC Part 68, FCC Part 15 (Class A), CE Mark, UL60950
  • Page 9: Pre-Installation Planning - The Organizational Security Policy

    Computer Security Index FAQ Home Page: http://web.superb.net/islander/crypto/alt-security-keydist- FAQ.html The CERT (Computer Emergency Response Team) site at ftp://info.cert.org/ lists all of the Coordination Center (CERT-CC) past advisories, as well as 24-hour technical assistance in responding to computer security incidents.
  • Page 10 Internet. The IETF web page is at http://www.ietf.org/. To help get started with a security policy, try RFC2504 - Users' Security Handbook, and RFC 2196 - Site Security Handbook.
  • Page 11 The policy statements should be clear, easy to understand and supported by management. Note: This document contains links to sites on the Internet which are owned and operated by third parties. Multi-Tech Systems, Inc. is not responsible for the content of any such third-party site.
  • Page 12: RF650VPN Technology

    A special type of connection between two networks is called a firewall. Generally speaking, three types of networks meet at the firewall: 1. External network/Wide Area Network (WAN) 2. Internal Network/Local Area Network (LAN) 3. De-Militarized Zone (DMZ) Firewall Network Connections
  • Page 13 UDP (RFC768). The assigned ports are in the range 0-1023. IETF RFC 1700 provides a list of the well-known port number assignments. IETF RFCs are available on the Internet from a number of sources.
  • Page 14 · Masquerading · Source NAT (SNAT) · Destination NAT (DNAT) These allow a whole network to hide behind one or a few IP addresses, preventing the identification of your network topology from the outside. Firewall Connectivity
  • Page 15 The RF650VPN uses a hybrid of the above listed basic forms of firewalls and combines the advantages of both variations: the stateful inspection packet filter functionality offers platform-independent flexibility, and the ability to define, enable or disable all necessary services.
  • Page 16: Chapter 2 - Installation

    Gateway and other IP addresses used) into the appropriate field of the Address Table later in this chapter, and keep for future reference. Administrator requirements to be met before installing the RF650VPN software: · Correct configuration of the Default Gateway ·...
  • Page 17: Address Table

    Enter the configuration information (e.g., the Default Gateway and other IP addresses used) into the appropriate field of the Address Table below. Please print this document and use it to fill in your specific RF650VPN and network information (e.g., the IP address used, e-mail lists, etc.) , and keep for future reference.
  • Page 18: Safety Warnings

    Ensure that the mains supply circuit is capable of handling the load of the RF650VPN. Refer to the power label on the equipment for load requirements.
  • Page 19: Hardware Installation Procedure

    RF650VPN power plug to a live power outlet. 5. Place the RF650VPN Power switch to the on ( | ) position to turn on the RF650VPN. Wait for the RF650VPN to beep a few times, indicating that it is ready to be configured with a web browser.
  • Page 20: Software Configuration

    Chapter 2 – Installation Software Configuration The RouteFinder software is pre-installed on your RF650VPN. Initial configuration is required in order for you to run the WebAdmin program and begin operation. The browser-based interface eases VPN configuration and management. The VPN functionality is based on IPSec and PPTP protocols and uses Triple DES 168-bit encryption to ensure that your information remains private.
  • Page 21 Later, you will want to change these default User and Password entries to something else. (If Windows displays the AutoComplete screen, for security reasons, you may want to click No to tell the Windows OS to not remember the Password.) The Welcome to WebAdmin screen is displayed.
  • Page 22 Note that Appendix A of this manual contains application examples with additional information on addressing, masking, and software setup. 1. Firewall - Configure the RF650VPN as a Firewall Use this procedure to configure the RF650VPN firewall function as illustrated below.
  • Page 23 1. At the Welcome to WebAdmin screen, click on System|Settings. The following screen displays. a) Add your own email address for alerts and notification. b) Remove the default email address. c) Optional: you can change the password in WebAdmin as shown below.
  • Page 24 Change the Default Gateway IP address; this is the IP address of the router that connects to the Internet. b) Change the Host name for the RouteFinder (can be anything). c) Click Save on the Local host settings screen.
  • Page 25 Click Save for the Network card (eth1) settings. Optional changes: h) Change the IP address on DMZ port (eth2). This is the DMZ zone PUBLIC STATIC IP address. i) Click Save for the Network card (eth2) settings.
  • Page 26 Add the rule Any – Any – Any – Allow. This allows any service from any server to any client. Note: you will want to change this rule later. b) Click on the circle to enable the rule; the circle will turn green. 6. The RF650VPN is now configured as a Firewall.
  • Page 27 Configure the RF650VPN as a PPTP Server for VPN Remote Client Access Use this procedure to configure the RF650VPN as a PPTP server for VPN Remote Client Access (aka, PPTP Roadwarrior configuration). (Note: IPX and NetBEUI are not supported when using PPTP tunneling.) 1.
  • Page 28 Enable PPTP Status. b) Enable Debug. c) Select an Encryption Strength and click Save. d) Click on Definitions|Networks. e) In the Command column on the PPTP-Pool line click on Edit to edit the PPTP-Pool settings.
  • Page 29 Add. You might have to change the Packet filter rules if you do not already have it set to Any – Any – Any – Allow. Note: you will want to change this rule later.
  • Page 30 3. IPSec VPN Gateway Configure the RF650VPN as an IPSec VPN Gateway The RF650VPN configured as an IPSec VPN Gateway supports both LAN-to-LAN and Client-to-LAN connections. A Client-to-LAN configuration is shown below; a LAN-to-LAN configuration is shown at the end of this section. The IPSec VPN Gateway Client-to-LAN configuration (aka, IPSec roadwarrior configuration) is shown below.
  • Page 31 2. Click on VPN|IPSEC Configurations. The Edit rule screen displays. a. Enable VPN Status. b. Enable IKE-Debugging. c. At New connection: enter a new IPSec connection Name and click Add. (If a Security Alert screen displays, click Yes.)
  • Page 32 You may have to change the Packet filter rule if you do not have it set to Any – Any – Any – Allow. 5. The RF650VPN is now configured as a PPTP server for VPN remote client access.
  • Page 33 Chapter 2 – Installation IPSec VPN Gateway LAN-to-LAN Configuration The RF650VPN configured as an IPSec VPN Gateway supports both LAN-to-LAN and Client-to-LAN connections. An IPSec VPN Gateway Client-to-LAN configuration is described and illustrated in the previous section. An IPSec VPN Gateway LAN-to-LAN configuration is shown below.
  • Page 34: Chapter 3 - RouteFinder Software Operation

    The WebAdmin directory has nine menus (System, Definitions, Network, Packet filter, Proxies, VPN, Reporting, Help, and Exit) that are described and illustrated in this chapter. Appendix C of this manual provides an overview of the WebAdmin menu system for your reference.
  • Page 35: System

    The System menu contains all of the functional configuration sub-menus for the RouteFinder: Settings Licensing Up2Date Service Backup User Authentication WebAdmin Site Certificate Shut down Restart The System menus are described in the following sections.
  • Page 36 Chapter 3 – RouteFinder Software Operation Settings From System|Settings you can define: Notifications WebAdmin (HTTPS) WebAdmin password Automatic Disconnect System Time
  • Page 37 Definitions|Networks and then select it in System|Settings. Use a Network netmask of 255.255.255.255 to define a single host. A remote syslog "how to" is provided in Appendix A of this manual.
  • Page 38 This check is carried out for the security of the administrator, so that s/he cannot become locked out accidentally. After completing the adjustments, it is a good idea to disable SSH access again for security reasons.
  • Page 39 The safest approach is to have only one administration PC given access to the RouteFinder. You can do this by defining a network with the address of a single computer in the Definitions|Networks menu.
  • Page 40 IP address of the RouteFinder separated by a colon (e.g., https://192.168.0.1:445). Refer to the Well Known Ports section in Chapter 1 of this manual. Language: (only English is available at this time.)
  • Page 41 Therefore, it is recommended that the time should only be set once during initial configuration and later should only be slightly adjusted. No adjustments from winter- to summertime should be made, especially if the collected reporting and accounting information is to be further processed.
  • Page 42 Enter the license key into the first field and then press the Enter key to expand the license key into the rest of the fields. You can only obtain a license key from Multi-Tech sales support. With a valid license key, you are entitled to use Multi-Tech’s Up2Date service and support. Each RF650VPN ships with a unique individual License Key.
  • Page 43 The License Key number is tied to and tracked with your RouteFinder's serial number. Whenever you require additional licenses, you must first provide Multi-Tech with your current License Key and serial number information in order for us to update your RouteFinder.
  • Page 44 The Up2Dates are signed and encrypted and are read in via an encrypted connection. The Up2Date Service is provided in two separate functions: System Up2Dates and Pattern Up2dates. The System Up2Date and Pattern Up2Date functions are described in the following sections.
  • Page 45 You can choose to update your RouteFinder manually (Get and install pattern updates now selection), or to have it updated automatically at regular intervals (Every hour, Every night, or Every week). Only Multi-Tech can create and sign these Up2Date packets.
  • Page 46 Caution: Even though effective protection mechanisms have been developed against problems with the transmission and/or installation of Up2Dates, performing the Up2Date process remains a potential risk for your system (as with any manual or automatic download).
  • Page 47 Caution: When reading in the Backup file, the RouteFinder automatically configures itself as recorded in the backup file. For example, if IP addresses or passwords have since changed or have been forgotten, you might not be able to access the RouteFinder anymore.
  • Page 48 (letting you compare the before and after states of the RouteFinder). You may want to store all alerts and notifications (set up in System|Settings|Notification and described in Chapter 2 of this manual).
  • Page 49 5. Click the Add button next to the entry field to Add the e-mail address. To add further e-mail addresses, repeat steps 4 and 5. Enable the E-mail backup file function by clicking the Enable button next to Status:. The E-mail backup file function is enabled when the green traffic LED is lit.
  • Page 50: User Authentication

    In this case, user authentication becomes relevant. When requests are made to a proxy service, the client must authenticate himself with his user name and password. This makes the authentication person-based (i.e., user-based) and not IP-based, thus making a person-based Accounting in the HTTP proxy access protocol possible.
  • Page 51 But, since the passwords are transferred in plain text, we strongly recommend that the Radius server be located close to the RouteFinder and that they are connected via a switching hub. In case of transfer via a public network, we recommend the use of an encrypted tunnel.
  • Page 52 2. The access is only granted if both conditions are met by the user. 7. Edit the profile of the guideline by allowing unencrypted authentication (PAP). Leave the values of the other dialog pages unchanged.
  • Page 53 To prevent the event log from overflowing, the RouteFinder stores the information sent by the Radius server for five minutes. This also means, however, that any changes in the user database might only be detectable after five minutes.
  • Page 54 Before you can use Local authentication, you must activate User Authentication for the respective proxy services. In Proxies (e.g., Proxies|HTTP or Proxies|SOCKS) check the option Local in the Authentication types select menu, then click the Add button.
  • Page 55 Note: The RouteFinder Hostname field MUST match the hostname or IP address that you use in your browser to access WebAdmin. 4. When you have entered values for your organization into the entry fields, click Save.
  • Page 56 4. Click OK. The Open With screen is displayed if this is a first-time CA certificate import; proceed with step 5. If a CA certificate has been imported before, the Certificate Information screen displays; proceed to step 1 of the following procedure.
  • Page 57 6. Enter the filename and location to save the certificate file and click Save. The Download complete screen displays. 7. Check the Close this dialog box when download complete checkbox. Click Open. The certificates are installed to the Download to: location specified.
  • Page 58 Chapter 3 – RouteFinder Software Operation Install a Certificate into the Trusted Root Certification Authorities Store 1. At the Certificate Information window click Install Certificate. 2. At the Welcome to Certificate Import Wizard window click Next>.
  • Page 59 Select Certificate Store, Physical Stores, and ... add to Root Stores.) 4. When the certificate has been added to the Root Store, the Completing the Certificate Manager Import Wizard displays. Click Finish.
  • Page 60 NOT YET valid. However, many browsers wrongly report that the certificate has expired. This is not the case. The generated certificates will become valid after a maximum time of 12 hours.
  • Page 61 If the RouteFinder is not properly shut down before switching off Power, the next start may take a little longer. In the worst case, data could be lost. Since the RouteFinder is now also checking the consistency of the file system, it may have to restart up to three times.
  • Page 62 4 to 5 minutes. When the restart process is complete the RouteFinder will generate 5 consecutive beeps; you can now continue RouteFinder operation. If you do not want to re-start the RouteFinder WebAdmin software, click Cancel to return to the System|Restart menu.
  • Page 63: Definitions (Networks And Services)

    Groups themselves can also be put together into new groups. Additionally, local users of proxy services are defined in this directory. The definition and configuration of Networks, Network Groups, Services, Service Groups, and Users are covered in the following sections.
  • Page 64 You can now, for example, enable WebAdmin access for this network in System|Settings. You are then offered further functions in the Command column (i.e., edit network or delete network).
  • Page 65 Delete Network: You can remove a network from the list by clicking the del Command; the message Do you really want to delete <network name> ? is then displayed. To delete the selected network, click OK to delete the network from the table, or click Cancel to cancel the delete function.
  • Page 66 Select the appropriate network by clicking on it. You can choose several networks at once by holding down the Ctrl key and then clicking on the desired networks. With the Shift key you can choose a block of networks.
  • Page 67 4. Choose the network from the Selected Networks window and click Delete. As soon as a Network group contains no more Networks, it is deleted. Add Network Choose the network from the Available Networks window and click the Add button.
  • Page 68 In the Packet Filter|ICMP menu you can enable ICMP forwarding between networks, as well as RouteFinder ICMP reception (e.g., to allow ping support). The ESP protocol is required for Virtual Private Network (VPN). The AH protocol is required for Virtual Private Network (VPN).
  • Page 69 Delete service: By clicking the Delete button, the message Do you really want to delete service < > ? is displayed. Click OK to delete the service or Cancel to quit the delete function. If you click OK, the service is deleted from the services table.
  • Page 70 Confirm your entries by clicking the Add button. The selected services now appear in the Selected Services window. Services can be deleted from the service group by marking the appropriate name and clicking the Delete button.
  • Page 71 4. Choose the service from the Selected Services window and click the Delete button. As soon as a group contains no more services, it is deleted. Add service: Choose the service from the Available Services window and click the Add button. Note: Changes made in Service Groups are effective immediately.
  • Page 72 The Command column offers you further functions (i.e., edit or delete). Further Functions Edit user: By clicking the Edit button, the entries are loaded into the entry menu. You can then edit the entries (i.e., change the Username, Password, Remote Access (PPTP), and/or Proxy Services).
  • Page 73 Chapter 3 – RouteFinder Software Operation Delete user: By clicking the Delete button you delete the user from the Users table.
  • Page 74: Network (Network Settings)

    The Portscan detection menu allows configuration of the Portscan detection (PSD) feature. The Tools menu contains several tools with which you can test the functionality of your RouteFinder and your network. In the Accounting menu, you set the options for the accounting system.
  • Page 75 The RouteFinder must have at least two network cards to protect separate networks or network segments from each other. The first network card is always the internal one (usually connected to the local network); the second network card is always the external one (usually pointing towards the Internet).
  • Page 76 VLAN switch. This can lead to faulty ARP (Address Resolution Protocol) resolutions (ARP clash). Some operating systems (e.g., Microsoft Windows) cannot cope with this. That is why one network interface should be used per physical segment.
  • Page 77 The Default Gateway and the Host Name must be defined for your RouteFinder; the Default Gateway was already set during initial installation. Host Name 1. Enter the name of your RouteFinder into the entry field. For example: fw.yourdomain.com 2. Save the entries by clicking the Save button.
  • Page 78 2. In Network card 1 (eth0), enter the definition of the network card into the Name entry field. Then enter the IP address and the corresponding net mask in the appropriate entry fields. For example: Description: INTERNAL IP address: 192.168.2.1 Net mask: 255.255.255.0 3. Confirm your settings by clicking the Save button.
  • Page 79 Possible cause of error: The missing network card was added after the installation of the RouteFinder, or it wasn’t recognised during installation. Solution: Reinstall the RouteFinder software. You can use the backup feature (described earlier in this chapter) to easily transfer your configuration between the installations.
  • Page 80 Possible cause of error: The missing network card was added after the installation of the RouteFinder, or it wasn’t recognised during the installation. Solution: Reinstall the RouteFinder software. You can use the backup feature (described earlier in this chapter) to easily transfer your configuration between the installations.
  • Page 81 Possible cause of error: The missing network card was added after the installation of the RouteFinder, or it wasn’t recognised during the installation. Solution: Reinstall the RouteFinder software. You can use the backup feature (described earlier in this chapter) to easily transfer your configuration between the installations.
  • Page 82 6. Store the entries by clicking the Add button. The configured IP aliases are entered into a table. Delete IP Alias An IP alias is deleted by marking it in the table and then clicking the Delete button.
  • Page 83 Routing Table: All entered routes are listed in a table here. The columns Destination, Gateway, Genmask, Flags, Metric, Reference, Use and Iface (Interface) are shown. Note: Default routes of the network cards are entered and cannot be edited.
  • Page 84 Edit Routing: By clicking the Edit button, the definitions are loaded into the entry field. You can then edit the entry. Delete Routing: By clicking the Delete button, the entry is deleted from the list.
  • Page 85 4. Confirm your entries by clicking the Add button. After a successful addition, a select menu with the corresponding allocations is created. You are then offered further functions (i.e., Edit or Delete a defined Static IP route).
  • Page 86: Routing Table

    Gateway is the address of the router. Iface (Interface) indicates the name of one of its own interfaces, via which the packet is to be sent. The Iface (interface routes) of the network cards cannot be edited. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 87 Note: To divert port 443 (HTTPS), you must change the value of the WebAdmin TCP port in the System|Settings menu (e.g., port 444). Refer to the section on WebAdmin TCP Port earlier in this chapter. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 88 Edit entries: Click the Edit button to load the definitions into the entry menu. Then they can be edited. Delete entries: By clicking the Delete button, the entry is deleted from the menu. Note that for DNAT support, the TCP and/or UDP settings must be enabled (at Definition|Services|Protocol). Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 89 1. As the translation takes place after the filtering by packet filter rules, you must allow connections that concern your SNAT rules in the Packet Filter|Rules menu with the original source address. 2. For SNAT support the TCP and/or UDP settings must be enabled (e.g., enabled at Definition|Services|Protocol). Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 90 3. Mark the network card in the select menu on the right. 4. Confirm your entries by clicking the button. After a successful definition, a select menu with the corresponding settings is created. Subsequently you are offered further functions (i.e., Edit Delete Networks or Network Groups). Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 91 IP address of the external network card. In this example, the sent packet does not contain any internal information. The reply to the request is recognised by the RouteFinder and is passed on to the requesting computer. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 92 Note: Normal network activity such as traceroute or FTP traffic with many small files will also look like a portscan to the PSD. To ensure smooth operation, you can exclude network source and destination combinations from the PSD. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 93 3. Choose the target network from the DST Network select menu. 4. Add the selection to the PSD Network Exclusion list by clicking the Add button. Portscans will no longer be recognised by Network combinations excluded by PSD. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 94 Note: For the Name Resolution function, the DNS proxy function in Proxies|DNS must be enabled. To use the Name Resolution function, a name server in the menu (item) Proxies|Nameserver must be enabled. With Name server enabled, the IP addresses of the reply packets will be converted into valid names. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 95 5. Start the test connection by clicking the Start button. After you click Start, a new browser window opens with the ping statistics accumulating. Click Stop at the bottom of the Ping statistics window to end the statistics logging. A sample Ping log is shown below. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 96 4. Start the search by clicking the Start button. After you click Start, a new browser window opens with the traceroute statistics accumulating. Click Stop at the bottom of the traceroute statistics window to end the statistics logging. A sample Traceroute log is shown below. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 97 5. Start the test connection by clicking the Start button. After you click Start, a new browser window opens with the TCP connect statistics accumulating. Click Stop at the bottom of the TCP connect statistics window to end the statistics logging. A sample TCP Connect log is shown below. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 98 3. Confirm your entry by clicking the Add button. After a successful definition a select menu with the corresponding elements is created. To re-assign a host or a network to the Accounting function, highlight the element and click the Delete button. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 99 When packets are denied (Deny setting) an entry in the appropriate log-file occurs. All rules are entered according to the principle: source IP - service - destination IP - action. To be able to differentiate rules, the appropriate Networks|Groups and Services|Groups must first be defined. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 100 Drop: All packets that meet these requirements are discarded, dropped to the floor, assigned to oblivion. No reply packet of any kind is sent. All packets that meet these requirements are first logged and then dropped. Deny: Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 101 Note: By default, new rules are created at the end of the table in the inactive state. The rule only becomes effective if you assign the active state. Refer to the section on Rule active/inactive in this chapter. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 102 3. Open the Rules menu in the Packet Filter directory and set the packet filter rules: From (Client): Any Service: Any To (Server): Broadcast8 Action: Drop 4. Confirm your entries by clicking the Add button. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 103 The ICMP forward rule applies to all IP addresses: if ICMP forward is enabled, ICMP packets pass between all connected networks. Alternatively, ICMP forwarding can be allowed only for individual networks with rules in Packet Filter|Rules; for this, ICMP forward in Packet Filter|ICMP must be disabled.
  • Page 104 Set ICMP on firewall active/inactive: The traffic lights indicate the status of the function. Clicking the Enable button sets the status to Enabled (green); clicking the Disable button sets it to Disabled (red).
  • Page 105 This function is especially useful for finding errors in the RouteFinder packet filter and NAT rules. Note: Packets discarded by a rule with the Drop action in Packet Filter|Rules do not appear in the Packetfilter-violation-LiveLog display; only the Deny action produces a log entry.
  • Page 106 The Current packet filter rules display shows the rules currently in force, read directly from the kernel. The format of the packet filter rules' chains and sub-chains is described at the end of this section on Filter LiveLog.
  • Page 107 The Current NAT rules display shows the NAT rules currently in force, read directly from the kernel. The format of the chains and sub-chains is described at the end of this section on Filter LiveLog.
  • Page 108 ...RouteFinder, to keep an intruder who compromises the RouteFinder from destroying the log data. PacketFilterLivelog output is generated by third-party programs running on the RouteFinder (e.g., FreeS/WAN); for a detailed description, refer to the appropriate program's documentation.
  • Page 109
    - Subchain: LOGDROP
    Chain FORWARD:
    - Subchain: LOCAL
    - Subchain: FIX_CONNTRACK
    - Subchain: AUTO_FORWARD
    - Subchain: USR_FORWARD
    - Subchain: LOGDROP
    Chain OUTPUT:
    - Subchain: LOCAL
    - Subchain: FIX_CONNTRACK
    - Subchain: AUTO_OUTPUT
    - Subchain: TTT_ACCEPT
    - Subchain: LOGDROP
  • Page 110
    ...: All Destination NAT is done in this chain. You can configure Destination NAT in Network|NAT.
    AUTO_NAT_POST: All Masquerading is done in this chain. You can configure Masquerading in Network|Masquerading.
    AUTO_NAT_OUT: All Source NAT is done in this chain.
  • Page 111: Proxies (Application Gateways)

    Note: A valid name server (DNS) must be enabled in order to use the HTTP and SMTP proxy services. If SOCKS5 clients that do not resolve DNS names themselves are being used, the SOCKS proxy service also requires a valid name server. SOCKS4 clients always resolve DNS names themselves.
  • Page 112 Note that parts of a web page such as streaming audio and video are not loaded via port 80 (HTTP) but via a different TCP port. These must be dealt with via an appropriate rule in the Packet Filter|Rules menu.
  • Page 113 ...: IP address of the web server or ...; Action: Allow. You can use the proxy by configuring your browser with the IP address of your RouteFinder and port 8080. Note: Every change in Proxies becomes effective instantly without further notice.
  • Page 114 ...Proxy must be assigned. All networks that are not assigned but are to reach the Internet without the proxy must be allowed by a corresponding rule in Packet Filter. In transparent mode, the HTTP proxy cannot be reached via proxy settings configured in the browser.
  • Page 115 With HTTP Proxy Transparent mode disabled and User authentication enabled, the Authentication drop-down list displays; here you can select the local, sam, or radius authentication type. When you select an Authentication type and click Add, the Allowed Users and Available Users lists are displayed.
  • Page 116 For e-mail to be able to reach the system, you must enter the RouteFinder's IP address in the DNS server for each of your domains as a Mail Exchanger (MX record). E-mail to domains not listed will be blocked.
  • Page 117 All settings are immediately active and are preserved after leaving the Proxies|SMTP menu. Note: The RouteFinder processes up to 25 incoming SMTP connections simultaneously, which bounds the resources a connection flood (Denial of Service) can consume. The 26th incoming connection is not accepted.
  • Page 118 Note: The RouteFinder requires a connection to a name server on the Internet; otherwise, name resolution is handled via the root name servers. The same applies when a name server is enabled but no IP address is assigned to it.
  • Page 119 ...User authentication is enabled. Authentication type: here you select the method of user authentication (local, radius, or sam). If you choose the local method, you can determine whether local users may use the SOCKS proxy.
  • Page 120 From Proxies|SOCKS you can choose between the local, sam, and radius permission types, as well as Add or Delete them. The User authentication drop-down list with Allowed Users and Available Users displays as shown above.
  • Page 121: VPN (Virtual Private Networks)

    ...VPN to communicate as if they were directly connected. This kind of connection can also be used to grant trusted companies (suppliers, consultants, etc.) secured access to internal information.
  • Page 122 1. Company A leases a dedicated line to subsidiary B. For geographically distant locations this is very expensive. 2. Companies A and B use a VPN to transfer their information economically and securely via the Internet.
  • Page 123 New connection: Define Perfect Forward Secrecy (PFS). PFS is a key-exchange property that must be supported by both sides of a connection: a later compromise of the long-term authentication key does not expose the session keys of earlier tunnels. Name: enter the name of the desired connection and click
  • Page 124 Remote IP: the IP address of the counterpart where the VPN tunnel ends (select Any, localhost, etc.). Remote subnet: the remote subnet that is reached through the encrypted tunnel (e.g., PPTP-Pool, Any, localhost, etc.). Leave blank for net-to-host or host-to-host configurations.
  • Page 125 This is best done by copying (Ctrl+C) and pasting (Ctrl+V). If you use the authentication method secret, you must enter the same password at both ends of the VPN tunnel. This password is also called the secret or Pre-Shared Key (PSK). Make sure that this password does not
  • Page 126 4. Select network 1 from the To (Server) select menu. 5. In Action, select the action Allow. 6. Confirm your entries by clicking the Add button. Complete communication between the two VPN parties is now possible.
  • Page 127 ESPENCKEY: the ESP (Encapsulating Security Payload) encryption key. Enter the key for ESP encryption (a 192-bit hex number for triple DES), for example 0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0. ESPAUTHKEY: the ESP authentication key. Enter the key for ESP authentication (a 128-bit hex number for HMAC-MD5), for example 0x12345678_9abcdef0_2468ace0_13579bdf. The printed values only illustrate the format: generate your own keys from a random source and never use these examples on a live tunnel.
  • Page 128 The actual generation process continues in the background. The result can be seen when you next log in to VPN|RSA Key. These three RSA key options are discussed in the following sections.
  • Page 129 ...RSA key creation process. The LiveLog window Public Key xxxx Bits shows the status of the public part of your RSA key, which is the part you pass to the VPN counterpart; the private part stays on the RouteFinder.
  • Page 130 When you configure a new VPN connection as an IPSec connection with the authentication method rsasig, the key you created earlier under RSA Key is required by the counterpart. When the new RSA key has been generated, the Logfile DONE screen displays as shown below.
  • Page 131 ...click Start. This starts the process in which the RouteFinder saves the RSA key as a .RSA document. 2. At the File Download window, select Save this file to disk and click Save. The Save As window displays.
  • Page 132 The RSA key is saved as an .RSA document in the location specified. A sample public key is shown below; it is one continuous string (the leading 0s marks base64 encoding) and is wrapped here only for display: 0sAQNic1Twvw7iknvNd6ieKDhd9JTu/Krbc71H4oIFd/xqKJntU8x25M0Wbxr0gQngECdZPWHj6KeSVtMtslzXMkxDecdawoCadPtPiH/Iln23GKUOt3GoDVMob+fob9wBYbwdHOxPAYtNQBxNPEU9PGMxQdYp8io72cy0duJNCXkEVvpvYvVzkmp0xVYOWYkfjiPsdhnz5FCitEh6XsCe0ctByoLjKA1C+mLtAlWhuycVojr2JwzSqUIJXzS6nV4yrpI+QY5o5yztgjVIgwW1Er6jyyo2aeFLgucqjuHSZ+sX0dz/OfdQ0N0AjRAmO3eknOYLk2DPRkmUeYr3W95q1Z2j/+4GRlzzP8ZoyPwdBv7hpZ0TRA9c38a26+La8N2/TDKx+fGLfixB6Ed8X0jCmq4It7iD2d/9EWeaUZfctqaKf The key content varies for each key and for the key length generated.
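    The exported key above is in the format FreeS/WAN uses for RSA public keys: the prefix 0s marks base64, and the decoded bytes are laid out as in RFC 2537 (exponent length, exponent, modulus). The following Python parser is an added example, not code from the manual or from FreeS/WAN; it decodes the sample key printed on page 132 (which the page shows cut off, so the modulus it recovers is incomplete), reports the exponent and modulus size, and runs the sanity checks a practitioner would want before pasting a counterpart's key into a connection definition. The check thresholds are the author's own.

```python
import base64
from typing import Dict, List

# Added example: decode the "0s..." RSA public key format the RouteFinder exports
# ("0s" = base64; body laid out per RFC 2537: exponent length, exponent, modulus).
# Not code from the manual or from FreeS/WAN. SAMPLE_KEY is the key printed on page 132,
# which the page shows cut off, so its modulus is incomplete.
SAMPLE_KEY = (
    "0sAQNic1Twvw7iknvNd6ieKDhd9JTu/Krbc71H4oIFd/xqKJnt"
    "U8x25M0Wbxr0gQngECdZPWHj6KeSVtMtslzXMkxDecdawo"
    "CadPtPiH/Iln23GKUOt3GoDVMob+fob9wBYbwdHOxPAYtN"
    "QBxNPEU9PGMxQdYp8io72cy0duJNCXkEVvpvYvVzkmp0x"
    "VYOWYkfjiPsdhnz5FCitEh6XsCe0ctByoLjKA1C+mLtAlWhuy"
    "cVojr2JwzSqUIJXzS6nV4yrpI+QY5o5yztgjVIgwW1Er6jyyo2a"
    "eFLgucqjuHSZ+sX0dz/OfdQ0N0AjRAmO3eknOYLk2DPRkm"
    "UeYr3W95q1Z2j/+4GRlzzP8ZoyPwdBv7hpZ0TRA9c38a26+"
    "La8N2/TDKx+fGLfixB6Ed8X0jCmq4It7iD2d/9EWeaUZfctqaKf"
)


def parse_freeswan_pubkey(text: str) -> Dict[str, object]:
    """Return exponent and modulus information from a '0s' (base64) RSA public key string."""
    text = "".join(text.split())                 # tolerate line breaks from a copy/paste
    if not text.startswith("0s"):
        raise ValueError("expected the FreeS/WAN '0s' base64 prefix")
    body = text[2:]
    complete = len(body) % 4 == 0                # a cut-off paste usually leaves a partial group
    body = body[: len(body) - len(body) % 4]     # drop an incomplete trailing base64 group
    raw = base64.b64decode(body)
    if raw[0] != 0:                              # RFC 2537: 1-byte exponent length ...
        elen, off = raw[0], 1
    else:                                        # ... or 0 followed by a 2-byte length
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exponent = int.from_bytes(raw[off:off + elen], "big")
    modulus = raw[off + elen:]
    return {
        "exponent": exponent,
        "modulus_bytes": len(modulus),
        "complete": complete,
    }


def check_pubkey(text: str) -> List[str]:
    """Sanity checks before pasting a counterpart's key into a connection; empty list means OK."""
    info = parse_freeswan_pubkey(text)
    problems = []
    if info["exponent"] < 3 or info["exponent"] % 2 == 0:
        problems.append("public exponent must be an odd integer >= 3")
    if info["modulus_bytes"] < 128:
        problems.append("modulus shorter than 1024 bits")
    if not info["complete"]:
        problems.append("key text looks truncated (trailing base64 group incomplete)")
    return problems


if __name__ == "__main__":
    print(parse_freeswan_pubkey(SAMPLE_KEY))
    print(check_pubkey(SAMPLE_KEY))
```

    Decoding the first bytes of the sample (base64 "AQNi" is 0x01 0x03 0x62) shows an exponent length of 1 and a public exponent of 3, the default of the FreeS/WAN key generator of that era; the rest of the string is the modulus.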
  • Page 133 The Windows Choose file screen is displayed to let you select the file to be imported as the RSA key. 2. Select a file and click Open. This function lets you import a complete RSA key. This key must fulfill the requirements of FreeS/WAN.
  • Page 134 This window shows all the active IPSec SA connections. As long as no entries have been made, no IPSec connections exist. VPN Status: This window shows all the configured and negotiated sessions and time-outs. You can also see whether a VPN client with a dynamic IP address has logged in.
  • Page 135 Status: current PPTP remote access status. Debug: with the PPTP service enabled, you can also enable Debug mode, which gives more extensive logging in the Debug Log that can be opened at the bottom of the screen.
  • Page 136 ...Debug Log, which can be opened at the bottom of the VPN|PPTP Roadwarrior screen. Open PPTP debug log: click to display the PPTP LiveLog screen. To start a PPTP LiveLog session, click start LiveLog. With PPTP LiveLog active, click stop LiveLog to end the session.
  • Page 137 6. In Microsoft Windows 2000, click Start/Settings/Network and Dial-Up Connections. 7. Click the Make new connection icon. The Network Connection Wizard window opens; click the Next button. 8. Choose Connect to a private network through the Internet and click the Next button.
  • Page 138 ...I am calling select menu. The PPTP connection is then started by clicking the new icon in the Start/Settings/Network and Dial-up Connections menu. Further information should be available from the administrator of the network.
  • Page 139 Reporting 1. Known to be OK - these are messages that can typically be ignored, e.g.: System running since Tuesday 10 July 2001 14:30:44, or CNAME_lookup_failed_temporarily._(#4.4.3)/, or Watching superdaemon.pl ALL OK.
  • Page 140 ...· services enabled which you have not enabled, or · unexpected logins as a privileged (e.g., root) user. Your organization's security policy should indicate the action to take for each event category (i.e., probe, attack, successful break-in, etc.).
  • Page 141 ...RouteFinder (the time elapsed between the last boot and the current time). This menu shows the date when your system was last booted and the period of time for which the RouteFinder has been available without interruption (in days, hours, and minutes).
  • Page 142 Clicking more... then returns you to the original graphic. Note: use Shift+Reload to ensure that the images load correctly.
  • Page 143 The used memory is shown. While using the HTTP proxy, frequent activity of the swap file is normal. The log files are updated every five minutes and displayed in the Reporting|Hardware diagrams. The Reporting|Hardware function is not supported by every browser; if it is not supported, select Reload to update.
  • Page 144 You can click more... for additional reporting on internal network traffic (e.g., overviews of the network traffic for the previous week, month, or year). The Network interface cards window contains information about all of the configured internal and external network interface cards (NICs).
  • Page 145 The Network connections table shows you all of the established TCP sessions and all of the TCP and UDP ports on which the RouteFinder is listening for incoming connections. (Connections passing through the RouteFinder are not shown.)
  • Page 146 Network Connections Table - Example 2
    Proto  Recv-Q  Send-Q  Local Address       Foreign Address      State
                           192.168.2.43:443    192.168.2.40:1034    ESTABLISHED
    This output (netstat layout: local address first, then foreign address) shows an active (ESTABLISHED) TCP session between the RouteFinder's HTTPS port, 192.168.2.43 port 443, and the client 192.168.2.40 port 1034. Since 443 is the listening side, the connection was opened by 192.168.2.40 towards the RouteFinder.
  • Page 147: HTTP Proxy

    If the requested object is already in the HTTP proxy's cache and is up to date, the proxy does not have to retrieve it from the Internet. This is called a "cache hit".
  • Page 148 The HTTP memory hits diagram shows the percentage of cache hits for which the requested object was still in RAM (as opposed to being loaded from disk). Note: For this reporting the HTTP proxy must be enabled; otherwise the diagrams only show a straight horizontal line.
  • Page 149 The Reporting|SMTP proxy menu displays the RouteFinder's SMTP proxy (e-mail) usage and status in two windows called SMTP-Logs and SMTP-Status. SMTP-Logs shows a real-time log of the e-mail traffic via the SMTP proxy. The real-time log is started by clicking the open SMTP-LiveLog button.
  • Page 150 Chapter 3 – RouteFinder Software Operation. A sample SMTP-LiveLog screen is shown below. When SMTP-LiveLog is inactive, click start LiveLog to begin real-time logging of SMTP activity. When SMTP-LiveLog is active, click stop LiveLog to end logging.
  • Page 151 Timeouts: shows the number of interruptions during the transfer of an e-mail. A large number of Timeouts indicates either a faulty Internet connection or that the SMTP server responsible for receiving e-mail is not available.
  • Page 152 ...Go button. A Security Alert screen displays; click Yes. The processing that then takes place may take some time. If you click Yes again during this processing time, a ...be patient... message displays.
  • Page 153 The displayed traffic will match what your ISP charges if your service is volume-based. You define which interfaces and networks are included in the Accounting report in the Network|Accounting menu (described earlier in this chapter).
  • Page 154 The system administrator then receives a report via e-mail. Self-monitoring considerably reduces maintenance, as manual intervention becomes almost unnecessary, resulting in less work for the administrator. From Reporting|Selfmonitor click open Selfmonitoring-LiveLog; the Selfmonitoring log is displayed (sample shown below).
  • Page 156 Note: By clicking the Delete button, the e-mail addresses marked in the select window are immediately deleted without further notice. At least one e-mail address has to be entered; the last e-mail address listed cannot be deleted.
  • Page 157 With the PSD LiveLog active, click stop LiveLog at the bottom of the PSD LiveLog display to halt the real-time recording. With the PSD LiveLog inactive, click start LiveLog at the bottom of the display to begin the real-time recording.
  • Page 158: Help (The Online Help Functions)

    If the term is used in WebAdmin or in the Online Help, the following information is presented: · Path to the corresponding function in WebAdmin · Link to the term in Online Help · Short information about the WebAdmin page indicated in the path
  • Page 159 All submenus are listed in alphabetical order. By clicking the corresponding submenu item you can select a help text. All letters with available entries are displayed in bold in the navigation bar.
  • Page 160 When you are done in WebAdmin, click Exit; the browser connection is terminated and you are returned to the Login screen. Note that the browser's Back button will not return you to the previous menu or directory.
  • Page 161: Chapter 4 - Troubleshooting

    ...A DMZ host should not be fully trusted and should only be used for a single purpose (such as a web server or an FTP server). If DMZ is used, does the exposed host share the public IP with the router? Yes.
  • Page 162 ...IP packets to pass. There are four drop-down boxes in WebAdmin|NAT. The first two define which IP packets will be translated; the second two define the IP address and port into which they are translated. For example:
    Net1: 212.5.63.4/255.255.255.255 (Box 1)
    Srv1: 0:65535 TCP 80 (Box 2)
    Net2: 192.168.100.2/255.255.255.255 (Box 3)
    Srv2: 0:65535 TCP 81 (Box 4)
    i.e., TCP packets from any source port to 212.5.63.4 port 80 are translated to 192.168.100.2 port 81.
  • Page 163 ...IP: 196.126.228.66, Netmask: 255.255.255.224, Def GW: 196.126.228.65
    NEW:
    Router Ethernet Interface: IP: 196.126.228.65, Netmask: 255.255.255.252
    Routes: 196.126.228.67/255.255.255.252 -> 196.126.228.66; 196.126.228.72/255.255.255.248 -> 196.126.228.66; 196.126.228.80/255.255.255.240 -> 196.126.228.66
    RouteFinder Ethernet Interface: IP: 196.126.228.66, Netmask: 255.255.255.252, Def GW: 196.126.228.65
  • Page 164 A18: In short, DNAT is done before the packets pass the packet filter, and SNAT and Masquerading are done after it. The RouteFinder uses a 2.4 kernel and iptables (the rule logic of the netfilter code). A practical consequence: a packet filter rule for a port-forwarded service must name the translated (internal) destination address and port, because that is what the filter sees.
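    The ordering in A18 (DNAT before the filter, SNAT and masquerading after it), combined with the rule semantics from Packet Filter|Rules (first match in table order; Drop is silent, Deny is logged, inactive rules are skipped, and a chain ends in LOGDROP), is easy to get wrong when writing a rule for a port-forwarded server. The following Python model is an added example, not code from the manual or from the RouteFinder. It uses the manual's NAT example from page 162 (212.5.63.4 TCP 80 translated to 192.168.100.2 TCP 81), assumes a definition of the manual's Broadcast8 network as 255.255.255.255/32, invents the client addresses and the masquerading setup, and shows that a filter rule naming the public address never matches because the filter sees the translated packet.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Added example: a model of the RF650VPN's rule evaluation order, not the product's code.
# The DNAT entry is the manual's NAT FAQ example; BROADCAST8, MASQUERADE and the clients are assumed.
DNAT: Dict[Tuple[str, str, int], Tuple[str, int]] = {
    ("212.5.63.4", "tcp", 80): ("192.168.100.2", 81),   # Net1/Srv1 -> Net2/Srv2
}
MASQUERADE = ("192.168.100.0/24", "212.5.63.4")          # internal net -> public address (assumed)
BROADCAST8 = "255.255.255.255/32"                          # assumed definition of "Broadcast8"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    """One line of the rule table: source - service - destination - action."""
    src_net: str                 # "any" or a CIDR
    proto: str                   # "any", "tcp", "udp", "icmp"
    dport: Optional[int]         # None = any destination port
    dst_net: str
    action: str                  # "allow", "deny" (log + drop) or "drop" (silent)
    active: bool = True          # new rules start inactive and are ignored until enabled

    def matches(self, p: Packet) -> bool:
        return (_in(p.src, self.src_net) and _in(p.dst, self.dst_net)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def _in(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


@dataclass
class Firewall:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def filter(self, p: Packet) -> str:
        """First matching active rule wins; the chain ends in LOGDROP, so no match is logged and dropped."""
        for r in self.rules:
            if r.active and r.matches(p):
                if r.action == "deny":
                    self.log.append(f"DENY {p.src} -> {p.dst}:{p.dport}/{p.proto}")
                return r.action
        self.log.append(f"LOGDROP {p.src} -> {p.dst}:{p.dport}/{p.proto}")
        return "deny"

    def process(self, p: Packet) -> Tuple[str, Packet]:
        """DNAT, then the packet filter, then masquerading (only for packets that were allowed)."""
        key = (p.dst, p.proto, p.dport)
        if key in DNAT:                                   # PREROUTING: destination rewritten first
            new_ip, new_port = DNAT[key]
            p = Packet(p.src, new_ip, p.proto, new_port)
        verdict = self.filter(p)                          # FORWARD: sees the translated destination
        if verdict == "allow" and _in(p.src, MASQUERADE[0]):
            p = Packet(MASQUERADE[1], p.dst, p.proto, p.dport)  # POSTROUTING: source rewritten last
        return verdict, p


def wrong_rules() -> List[Rule]:
    """Names the pre-DNAT (public) address, so the web rule can never match."""
    return [Rule("any", "any", None, BROADCAST8, "drop"),
            Rule("any", "tcp", 80, "212.5.63.4/32", "allow")]


def right_rules() -> List[Rule]:
    """Names the translated (internal) address and port; the inactive catch-all is ignored."""
    return [Rule("any", "any", None, BROADCAST8, "drop"),          # ordered before the LAN rule
            Rule("any", "tcp", 81, "192.168.100.2/32", "allow"),
            Rule("192.168.100.0/24", "any", None, "any", "allow"),
            Rule("any", "any", None, "any", "deny", active=False)]


def evaluate(rules: List[Rule]) -> Tuple[str, str, str, List[str]]:
    """Verdicts for an Internet web client, a LAN broadcast and an outbound LAN client, plus the log."""
    fw = Firewall(rules)
    web = Packet("198.51.100.7", "212.5.63.4", "tcp", 80)        # Internet client hits the public IP
    bcast = Packet("192.168.100.5", "255.255.255.255", "udp", 138)
    out = Packet("192.168.100.5", "198.51.100.9", "tcp", 443)
    v_web, _ = fw.process(web)
    v_bcast, _ = fw.process(bcast)
    v_out, out_after = fw.process(out)
    return v_web, v_bcast, f"{v_out}:{out_after.src}", fw.log


if __name__ == "__main__":
    print(evaluate(wrong_rules()))
    print(evaluate(right_rules()))
```

    With wrong_rules the forwarded web request is logged and dropped even though a rule "for port 80" exists; with right_rules it is allowed, the broadcast is still dropped silently by the earlier rule, and the outbound LAN packet leaves with the masqueraded source address.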
  • Page 165 ...U.S. companies. Several years ago, export policy was changed to allow the unrestricted export of DES to companies that demonstrate plans to implement key recovery systems within a few years. Today, Triple-DES is exportable under the regulations described above.
  • Page 166 In this case with glftpd, these are the options: pasv_addr 1.2.3.4 1 and pasv_ports 3000 4000. See glftpd.docs for more information on those configuration options, or check the documentation of your particular FTP server if you use another daemon.
  • Page 167 ...SOCKS V4 extended servers for resolution. For SOCKS V5, clients can pass unresolved host names to SOCKS V5 servers to resolve. SOCKS will work if either the SOCKS V5 client or the SOCKS V5 server can resolve the host.
  • Page 168 Q37. What causes the log message incompatible version number: 71? A37. SOCKS displays this log message when someone tries to use the SOCKS server as an HTTP proxy: the first byte of a SOCKS request is the protocol version (4 or 5), whereas ASCII code 71 is the letter "G", the first letter of an HTTP/1.0 GET request.
  • Page 169: Problem Solving

    ...Default Gateway of the client PC is correctly configured (Chapter 3) · verify proper network cable installation (Chapter 2) 5. Check for updates to the product documentation on the Multi-Tech web site at http://www.multitech.com/DOCUMENTS/. 6. To troubleshoot TCP/IP connections in Windows 2000, use the...
  • Page 170 ...MiniDIN connector, make sure that you are not using an adapter cable (e.g., a 6-pin DIN to 6-pin MiniDIN adapter cable). 9. Observe the RF650VPN front panel LEDs. Verify that the LAN, WAN, and/or DMZ LEDs indicate proper RouteFinder operation in terms of Ethernet link integrity, transmit/receive activity (ACT LED), and speed (100 Mb/10 Mb).
  • Page 171: Error Messages

    Meaning: In System|Backup you tried to import (restore) an existing backup file, but the backup file was damaged or unusable by the RF650VPN. Action: Press the Esc key or click your browser's Back button. Make sure the file you want to restore is in the format backup_20020111_163316.abf (i.e., an .abf document).
  • Page 172 Action: Enter an SPI in VPN|IPSEC Configurations. The SPI (Security Parameter Index) is a unique identifier in the SA that lets the receiving computer select the SA under which a packet will be processed. Message: SYNTAX ERROR: Invalid server name: Error Header: $error_header{2}
  • Page 173 Meaning: From Definitions|Services you make all of the RouteFinder protocol service definitions, which eases ongoing administration. Services are definitions for data traffic via networks (e.g., the Internet). A service definition consists of a name, the protocol, and the
  • Page 174 Action: Re-type the Old password in the correct format. Refer to the context-sensitive Help for additional information. Message: ERROR - unable to erase e-mail address Error Header: $error_header{18} Meaning: You tried to delete the last e-mail address (e.g., from System|Settings|Notification, or from System|Backup|E-mail backup file).
  • Page 175 Meaning: The netmask that you entered was not in the required form. Action: Enter the netmask in the correct form (syntax). Message: SYNTAX ERROR: Invalid IP address Error Header: $error_header{30} Meaning: The IP address that you entered was not valid.
  • Page 176 Action: Enter an IP address that is valid for the IP address Menu|Entry field.
  • Page 177 Meaning: You clicked Save (e.g., at the System|Settings|Notification screen) without first entering an e-mail address. Whenever important RouteFinder events occur, the administrator is notified via e-mail; at least one e-mail address must be entered. Recovery: Enter an existing, valid e-mail address and click Save.
  • Page 178 Recovery: If you do not want to shut down the RouteFinder, click Cancel to return to the System|Shut down menu and continue operation. If you want to shut down the RouteFinder, click the OK button. Refer to System|Shut down in Chapter 3 for more information.
  • Page 179 Recovery: Check the spelling of the term that you entered and retry the search. Try using the Help|Index function, the Help|Glossary function, or the context-sensitive Online Help (click Online Help from the screen with the terms you want defined).
  • Page 180
    Error Header: $error_message{55} Message: Another administrator is currently logged in.
    Error Header: $error_message{56} Message: Access denied!
    Error Header: $error_message{57} Message: To encrypt with RSA, you have to generate a RSA key first!
    Error Header: $error_message{58}
  • Page 181 ...Internet environment. To access this server from a program, establish a TCP connection to port 101 (decimal) at the service host, SRI-NIC.ARPA (26.0.0.73 or 10.0.0.51). Recovery: Enter the Domain Name in the correct syntax and continue operation.
  • Page 182: Chapter 5 - PC Board Components, Upgrades, and Add-Ons

    ...(e.g., RouteFinder housekeeping, monitoring, and updating), and a hard disk drive recovery procedure. PC Board Components: The RF650VPN PC board components are illustrated and discussed below. Note: Several of the RF650VPN PC board components are user-configurable; however, please contact Tech Support before changing the component settings.
  • Page 183 Caution: Danger of explosion if the battery is incorrectly replaced. The lithium battery on the RF650VPN PC board provides backup power for the time-keeping capability. The battery has an estimated life expectancy of ten years.
  • Page 184: Top Cover Removal / Replacement

    Top Cover Removal / Replacement: Use this procedure to remove the RF650VPN top cover (e.g., as the first step for all upgrade procedures). 1. Turn off RF650VPN power and remove the RF650VPN power cord.
  • Page 185: Rack Mounting

    Keyboard Connection: KB1 is a keyed 6-pin MiniDIN PS/2 interface on the RF650VPN PC board used for connecting a keyboard. Perform the following steps to attach a keyboard to the unit for configuration and reporting. 1. Remove the RF650VPN top cover using the procedure earlier in this chapter.
  • Page 186: Software Upgrades and Add-Ons

    The RF650VPN provides SSH Sentinel client software (30-day trial Internet Pilot version with static IP support). It allows a client computer to connect to the RF650VPN using PSK (Pre-Shared Keys) in a Host-to-Net connection. (Appendix F of this manual describes the SSH IPSec VPN client setup process.) To upgrade to the full 1-, 5-, 10- or 50-user SSH Sentinel IPSec VPN client package, order the applicable model (RFIPSC-5, RFIPSC-10, or RFIPSC-50) from Multi-Tech for the number of users that you require.
  • Page 187: License Keys

    License Keys: Each RF650VPN ships with a unique individual License Key. It is a 35-digit code that is provided on the RouteFinder's System CD. You can enter and view License Key information from the RouteFinder's WebAdmin software at System|Licensing.
  • Page 188: RouteFinder Maintenance

    Shared Secret Maintenance – Authentication keys need to be unpredictable, so they must be generated from a good source of random numbers. Change authentication keys regularly: the longer a key is in use, the more likely it is to be discovered or accidentally disclosed.
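    The manual-keying values on page 127 (ESPENCKEY, ESPAUTHKEY) and the pre-shared key on page 125 are exactly the secrets this section says must be unpredictable and rotated. The following Python helper is an added example, not code from the manual or from FreeS/WAN: it generates fresh keys from the operating system's random source in the 0x..._... notation the manual uses, and checks a key you are about to paste into the RouteFinder (correct length for the algorithm, not one of the manual's printed example values, no near-constant byte pattern, and no repeated neighbouring 3DES subkeys, which would reduce EDE triple DES to single DES). The check thresholds are the author's own choices.

```python
import re
import secrets
from typing import Dict, List

# Added example: generate and check FreeS/WAN manual keys and pre-shared secrets.
# Not code from the manual or from FreeS/WAN.
EXAMPLE_KEYS = (                                     # the format examples printed in the manual
    "0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0",   # ESPENCKEY, 192-bit 3DES
    "0x12345678_9abcdef0_2468ace0_13579bdf",                     # ESPAUTHKEY, 128-bit HMAC-MD5
)
HEX_KEY = re.compile(r"^0x[0-9a-fA-F]{8}(?:_[0-9a-fA-F]{8})*$")


def parse_hex_key(text: str) -> bytes:
    """Raw bytes of a 0xXXXXXXXX_XXXXXXXX... key string; raises on bad syntax."""
    if not HEX_KEY.match(text):
        raise ValueError("expected 0x followed by 8-hex-digit groups separated by '_'")
    return bytes.fromhex(text[2:].replace("_", ""))


def format_hex_key(raw: bytes) -> str:
    """Render key bytes in the manual's 0x..._... notation (32-bit groups)."""
    if len(raw) % 4:
        raise ValueError("key length must be a multiple of 32 bits")
    return "0x" + "_".join(raw[i:i + 4].hex() for i in range(0, len(raw), 4))


def new_esp_keys() -> Dict[str, str]:
    """Fresh manual keys: 192-bit triple-DES key and 128-bit HMAC-MD5 key from the OS random source."""
    return {"ESPENCKEY": format_hex_key(secrets.token_bytes(24)),
            "ESPAUTHKEY": format_hex_key(secrets.token_bytes(16))}


def new_psk(nbytes: int = 32) -> str:
    """A pre-shared secret with nbytes of entropy, URL-safe so it survives copy and paste."""
    return secrets.token_urlsafe(nbytes)


def check_key(text: str, bits: int, triple_des: bool = False) -> List[str]:
    """Problems with a key about to be pasted into the RouteFinder; an empty list means OK."""
    raw = parse_hex_key(text)
    problems = []
    if len(raw) * 8 != bits:
        problems.append(f"{len(raw) * 8}-bit key, expected {bits} bits")
    if text.lower() in (k.lower() for k in EXAMPLE_KEYS):
        problems.append("this is a documentation example key, not a secret")
    if len(set(raw)) <= 4:
        problems.append("too few distinct byte values (all-zero or repeated pattern)")
    if triple_des and len(raw) == 24:
        k1, k2, k3 = raw[:8], raw[8:16], raw[16:]
        if k1 == k2 or k2 == k3:                   # EDE with equal neighbouring subkeys is single DES
            problems.append("repeated 3DES subkeys collapse triple DES to single DES")
    return problems


if __name__ == "__main__":
    keys = new_esp_keys()
    print(keys, new_psk())
    print(check_key(keys["ESPENCKEY"], 192, triple_des=True))
    print(check_key(EXAMPLE_KEYS[0], 192, triple_des=True))
```

    Run check_key on both ends' values before entering them: the two sides of a manually keyed tunnel must carry identical keys, and the manual's printed examples are the first thing an attacker will try.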
  • Page 189 ..."Top Twenty Scanner." Several commercial vulnerability scanners may also be used to scan for these vulnerabilities, and the SANS Institute maintains a list of all scanners that provide a focused Top Twenty scanning function at www.sans.org.
  • Page 190: Chapter 5 - Service, Warranty, and Technical Support

    Multi-Tech has an excellent staff of technical support personnel available to help you get the most out of your Multi-Tech product. If you have any questions about the operation of this unit, call 1-800-972-2439. Please fill out the RouteFinder information (below) and have it available when you call. If your RouteFinder requires service, the tech support specialist will guide you on how to send in your RouteFinder (refer to the next section).
  • Page 191: Recording RouteFinder Information

    Recording RouteFinder Information: Please fill in the following information on your Multi-Tech RouteFinder. This will help tech support in answering your questions. (The same information is requested on the Warranty Registration Card.) Model No.: _________________________...
  • Page 192: Service

    Service: If your tech support specialist decides that service is required, your RouteFinder may be sent (freight prepaid) to our factory. Return shipping charges will be paid by Multi-Tech Systems. Include the following with your RouteFinder: ·...
  • Page 193 Your original point-of-purchase reseller may offer the quickest and most economical repair option for your Multi-Tech product. You may also contact any Multi-Tech sales office for information about the nearest distributor or other repair service for your Multi-Tech product.
  • Page 194: Ordering Accessories

    Ordering Accessories: SupplyNet, Inc. supplies replacement transformers, cables and connectors for select Multi-Tech products. You can place an order with SupplyNet via mail, phone, fax or the Internet at: Mail: SupplyNet, Inc.
  • Page 195: Appendix A - Application Examples And How To Use Remote Syslog

    · RouteFinder VPN and MultiVOIP Example · Other examples can be found on the Multi-Tech Web site for the RF650VPN as separate Reference Guides. A Remote Syslog "How To" is also provided at the end of this appendix. State-of-the-Art Firewall Security. The RouteFinder provides network layer security using Stateful Packet Inspection, the sophisticated firewall technology found in large enterprise firewalls, to protect the network against intruders and Denial of Service (DoS) attacks.
  • Page 196 Internet. Some applications require multiple TCP/IP ports to be open. A DMZ allows just one computer to be exposed for that purpose. It is recommended that you set your computer with a static IP if you want to use DMZ. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 197 The SMTP proxy acts as an email relay; it accepts e-mail for your internet domains and passes them on to your internal e-mail distribution system (e.g., a Microsoft Exchange Server). E-Mails are transparently scanned for known viruses and other harmful content. The SMTP proxy also acts as a gateway for outgoing mail. Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 198 Appendix A – Application Examples and How to Use Remote Syslog RouteFinder VPN and MultiVOIP Example Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 199 If your are using a syslog server that can differentiate senders host addresses and the facilitiy, then it is very easy to log into specified files. You can use which is available at http://www.balabit.hu/en/products/syslog-ng syslog-ng Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 200 (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); source s_sys { unix-stream ("/dev/log"); internal(); udp (ip(0.0.0.0) port (514)); }; destination karl2 { file("/var/log/karl2"); }; filter filter_karl2 { host("192.168.2.157");}; log { source(s_sys); filter(filter_karl2); destination(karl2); }; Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 201 (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); source s_sys { unix-stream ("/dev/log"); internal(); udp (ip(0.0.0.0) port(514)); }; destination karl2 { file("/var/log/karl2_kern"); }; filter filter_karl2 { host("192.168.2.157") and match("kernel"); }; log { source(s_sys); filter(filter_karl2); destination(karl2); }; Multi-Tech RouteFinder RF650VPN User Guide...
  • Page 202 { file("/var/log/karl2_kern"); };
    destination karl2_stuff { file("/var/log/karl2_stuff"); };
    filter filter_karl2_kern { host("192.168.2.157") and match("kernel"); };
    filter filter_karl2_stuff { host("192.168.2.157") and not match("kernel"); };
    log { source(s_sys); filter(filter_karl2_kern); destination(karl2_kern); };
    log { source(s_sys); filter(filter_karl2_stuff); destination(karl2_stuff); };
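The three configurations above all follow one pattern: a filter on the sending host, optionally combined with a text match on "kernel", routes the RouteFinder's messages into per-host files. The Python below is an added example (not from the manual and not syslog-ng itself) that models that routing offline on constructed sample lines; the sample hostnames, timestamps and message texts are assumptions, and the host() test is modelled as a check on the datagram's source address. It also shows a stricter variant that keys on the kern facility encoded in the <PRI> field instead of on the word "kernel" appearing in the message body.

```python
"""Model of the remote-syslog routing in this appendix: messages from the
RouteFinder at 192.168.2.157 go to karl2_kern when they mention "kernel",
otherwise to karl2_stuff.  Added example; not part of the RF650VPN manual
or of syslog-ng."""
import re
from collections import defaultdict

ROUTER_HOST = "192.168.2.157"          # RouteFinder address used in the manual's filters

KERN_FILE = "/var/log/karl2_kern"
STUFF_FILE = "/var/log/karl2_stuff"

# RFC 3164 style line: <PRI>TIMESTAMP HOST TAG: MSG
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")


def parse_pri(line):
    """Split the <PRI> prefix into (facility, severity); PRI = facility*8 + severity.
    Returns None for lines without a valid PRI."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 facilities * 8 severities - 1
        return None
    return pri // 8, pri % 8


def route(sender_ip, line):
    """Mirror the manual's two filters: host() on the sender (modelled here as
    the datagram source address) and match("kernel") on the message text."""
    if sender_ip != ROUTER_HOST:
        return None                     # neither filter matches: not logged here
    if "kernel" in line:
        return KERN_FILE
    return STUFF_FILE


def route_by_facility(sender_ip, line):
    """Stricter variant: decide by the kern facility in <PRI> rather than by the
    word "kernel" anywhere in the text, so an unrelated process whose message
    happens to contain "kernel" does not land in the kernel log file."""
    if sender_ip != ROUTER_HOST:
        return None
    parsed = parse_pri(line)
    if parsed is not None and parsed[0] == 0:   # facility 0 = kern
        return KERN_FILE
    return STUFF_FILE


def dispatch(datagrams, router=route):
    """Group (sender, line) pairs by destination file; unrouted messages are dropped."""
    out = defaultdict(list)
    for sender, line in datagrams:
        dest = router(sender, line)
        if dest is not None:
            out[dest].append(line)
    return dict(out)


# Constructed sample datagrams, not captured from a real RF650VPN.
SAMPLE = [
    ("192.168.2.157", "<4>Jan  5 10:01:02 routefinder kernel: Packet log: input DENY eth0 PROTO=6"),
    ("192.168.2.157", "<38>Jan  5 10:01:05 routefinder sshd[412]: Accepted password for admin"),
    ("192.168.2.157", "<6>Jan  5 10:01:09 routefinder kernel: eth1: link up"),
    ("192.168.2.157", "<13>Jan  5 10:01:11 routefinder myapp: user typed the word kernel"),
    ("192.168.2.20",  "<13>Jan  5 10:01:12 workstation user: not from the router"),
]

if __name__ == "__main__":
    for dest, lines in dispatch(SAMPLE).items():
        print(dest, len(lines), "line(s) by text match")
    for dest, lines in dispatch(SAMPLE, route_by_facility).items():
        print(dest, len(lines), "line(s) by kern facility")
```

The match("kernel") filter in the manual's configuration tests the message text, so the fourth constructed line, which merely contains the word, is filed as a kernel message by route() but as ordinary traffic by route_by_facility(). When the point of the split is to keep the firewall's packet-log entries separate from everything else, keying on the facility is the more reliable of the two.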
  • Page 203: Appendix B - Cable Diagrams

    This appendix illustrates and describes the RF650VPN cables. Power Cords The RF650VPN IEC-320 Power Cord with US plug is shown below. IEC-320 Power Cord with US Plug IEC-320 Power Cord with Euro Plug and the IEC-320 Power Cord (fused) with a UK Plug:...
  • Page 204 Appendix B – Cable Diagrams CD-ROM Drive Adapter The RF650VPN is shipped with a 44 pin (m)-to-40 pin (f) adapter that connects the Hard Disk Drive/CD- ROM Drive cable to a CD-ROM Drive for use when performing the Hard Disk Drive Recovery procedure.
  • Page 205 [Adapter pin mapping, continued: pins 15 through 19 and 34 through 40 are wired straight through, each to the same-numbered pin.]
  • Page 206: Appendix C - The Webadmin Menu System

    HTTP: Definition of the HTTP proxy (web), web ad blocker and web filter. SMTP: Definition of the SMTP proxy for e-mail and for virus scanning. DNS: Definition of the DNS proxy (nameserver). SOCKS: Definition of the SOCKS proxy (generic).
  • Page 207 Exit: Terminates the browser connection and returns you to the Login screen. The overall WebAdmin menu hierarchy follows the form: Directory Menu Entry field Select menu For the above example, the text descriptions in this manual would use the format Directory|Menu|Entry field|Select menu.
  • Page 208 Appendix C – The WebAdmin Menu System The RouteFinder RF650VPN System CD The RouteFinder RF650VPN System CD contains the RF650VPN system files in the format shown below. With your browser running, when you insert the System CD in your computer's CD-ROM drive, the RouteFinder Install screen displays.
  • Page 209 (the printed manual). You can also find it directly on the System CD in Acrobat format (InstallationGuide.pdf), as well as on the Multi-Tech web site (http://www.multitech.com). This is an Adobe Acrobat file - if you don't have the Acrobat Reader, download it from http://www.adobe.com. The...
  • Page 210 Documentation Tree to view the full set of documentation on the System CD. Click Register your product at www.multitech.com to register your RF650VPN online at the Multi-Tech web site. RouteFinder Software Releases Software version 1.92: Initial SW release for RouteFinder / .
  • Page 211: Appendix D - User Authentication Methods

    "Local" RouteFinder User Authentication This method does not need an external server to validate user accounts. You can add users with the RouteFinder's Web Frontend and specify the allowed proxy types on a "per-user" basis.
  • Page 212 Here we will explain how to set up Microsoft's IAS (Internet Authentication Server). IAS is delivered with all Windows 2000 Server versions, however it is often not installed by default. For NT4, IAS comes with the "NT4 Option Pack" (available for "free"). The Windows 2000 IAS version has many more features
  • Page 213 Finally, you need the default domain to authenticate against. This will be overridden if users specify their user name as <DOMAIN>\<USERNAME>, otherwise it will be filled in as the <DOMAIN> part. Caution: disable the Guest account of your NT domain, since this one will allow any username/password combination to pass!
  • Page 214: Appendix E - Regulatory Information

    Since any number of Fax software packages can be used with this product, the user must refer to the Fax software manual for setup details. Typically, the Fax branding information must be entered via the configuration menu of the software.
  • Page 215 8. No repairs are to be made by you. Repairs are to be made only by Multi-Tech Systems or its licensees. Unauthorized repairs void registration and warranty.
  • Page 216 Also, note that some software packages may have features or lack restrictions that may cause the modem to become non-compliant.
  • Page 217: Appendix F - License Agreements

    Multi-Tech Systems, Inc. End User License Agreement (EULA) IMPORTANT - READ BEFORE OPENING THE SOFTWARE PACKAGE This is a legal agreement between you (either an individual or a single entity) and Multi-Tech Systems, Inc. for the Multi-Tech software product enclosed, which includes computer software and may include associated media, printed materials, and "online"...
  • Page 218 Agreement. Any previous version of the software must be destroyed or returned to Multi-Tech Systems, Inc. within 90 days of receipt of the software upgrade or update.
  • Page 219 2205 Woodale Drive, Mounds View, MN 55112. This is a legal agreement between you (either an individual or a single entity) and Multi-Tech Systems, Inc. for the Multi-Tech software product enclosed, which includes computer software and may include associated media, printed materials, and "online"...
  • Page 220 Multi-User Limited Warranty and License Agreement The software contained in this package is licensed by Multi-Tech Systems, Inc., to the original end-user purchaser, hereafter referred to as Licensee, of this product for site use. A site is defined as a single business, government, or academic location, such as a building, a floor of a building, a campus, etc., and...
  • Page 221 250 users inclusively. Software and manuals may be copied, with the inclusion of the Multi-Tech Systems, Inc., copyright notice, for use within that single site. Additional manuals may be ordered from Multi-Tech Systems, Inc., for a nominal charge.
  • Page 222 License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
  • Page 223 If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as
  • Page 224 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.
  • Page 225 LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  • Page 226: Glossary

    – An attempt at breaking part or all of a cryptosystem; can be either a successful or unsuccessful attempt. Many types of attacks can occur (e.g., algebraic attack, birthday attack, brute force attack, chosen ciphertext attack, chosen plaintext attack, known plaintext attack, linear cryptanalysis, middleperson attack).
  • Page 227 DNS and the file-server/file-client relationship in NFS. CHAP (Challenge Handshake Authentication Protocol) – An IETF standard for authentication using PPP which uses a "random Challenge", with a cryptographically-hashed "Response" which depends on the Challenge and a secret key.
  • Page 228 University in 1976. Until 1976 there was only conventional cryptography, which uses the same key to both scramble (encrypt) and unscramble (decrypt) information. Public key cryptography is based on two keys, a private key and a public key.
  • Page 229 ESP may be used to provide the same security services as AH, plus it provides an encryption service. The main difference between ESP and AH authentication methods is that ESP does not protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode). ESP is important for the
  • Page 230 It may also include error checking and other fields. A header is also the part of an electronic mail message which precedes the body of a message and contains, among other things, the message originator, date and time
  • Page 231 However, as opposed to IP addresses, IP names are not limited to four parts. Also, several IP names can be assigned to one IP address; these are referred to as aliases.
  • Page 232 – An encryption technology developed by Microsoft to encrypt point-to-point links. The PPP connections can be over a VPN tunnel or over a dial-up line. MPPE is a feature of Microsoft's MPPC scheme for compressing PPP packets. The MPPC algorithm was
  • Page 233 PFS is a security method that ensures that the new key of a key exchange is in no way based on the information of an old key and is therefore unambiguous. If an old key is found or calculated, no conclusions can be drawn about the new key. On the RF650VPN, PFS is configured in VPN|IPSec Configurations.
  • Page 234 (VPNs) over the Internet. All data sent over a PPTP connection can be encrypted and compressed, and multiple network level protocols (TCP/IP, IPX) can be run concurrently. Note: the RF650VPN does NOT support IPX or Netbeui when using PPTP tunneling. Protocol –...
  • Page 235 (transferring only the differences instead of entire files). Rsync was developed by Andrew Tridgell and Paul Mackerras; the rsync daemon (rsyncd) provides an efficient, secure method for making files available to remote sites.
  • Page 236 – A functionality equivalent to DNAT, except that the source addresses of the IP packets are converted instead of the target address. This can be helpful in more complex situations (e.g., for diverting reply packets of connections to other networks or hosts). In contrast to Masquerading, SNAT
  • Page 237 Analysis can often be performed on these logs using available software to create reports detailing various aspects of the system and/or the network.
  • Page 238 Internet. A VPN can use encryption, user authentication, and/or firewall protection to solve remote access security threats. WAN (Wide Area Network) – A data network, typically extending a LAN beyond a building or campus, linking to other (remote) LANs.
  • Page 239: Index

    101 HTTP Proxy delete, 101 configure, 113 edit, 101 non-transparent mode, 112 set, 100 transparent mode, 112 Password change, 40 Ping start, 94 ICMP Ping, 93 on firewall, 103 Protocol ICMP, 102 AH, 68
  • Page 240 SAM – NT/2000, 54, 170 edit e-mail addresses, 154 general, 50 Selfmonitor, 153 local, 54 Radius, 51 Service delete, 69 SAM, 54 edit, 69 Users, 72 Service, 68 Service Groups add service, 71 define, 70 WebAdmin, 39 edit, 71