AirLive IP-2000VPN User Manual

Manual is about: Internet VPN Router

Summary of IP-2000VPN

  • Page 1

    6. Specifications 1 AirLive WLA-9000AP User’s Manual. IP-2000VPN Internet VPN Router User’s Manual.

  • Page 2: Declaration of Conformity

    Declaration of Conformity: We, manufacturer/importer, declare that the product Internet VPN Router is in conformity with (in accordance with) the 89/336/EEC EMC Directive and the 1999/5/EC R&TTE Directive. Clause / Description: limits and methods of measurement of radio disturbance characteristics of information ...

  • Page 3

    AirLive IP-2000VPN CE Declaration Statement. Country / Declaration: cs Česky [Czech]: OvisLink Corp. hereby declares that this AirLive IP-2000VPN is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. lt Lietuvių [Lithuanian]: Šiuo OvisLink Corp. De...

  • Page 4

    AirLive IP-2000VPN User’s Manual 1. Copyright: The contents of this publication may not be reproduced in any part or as a whole, stored, transcribed in an information retrieval system, translated into any language, or transmitted in any form or by any means, mechanical, magnetic, electronic, optical, ...

  • Page 5

    Table of Contents: Chapter 1 Introduction ..... 4; 1.1 Features .....

  • Page 6

    Chapter 9 Status ..... 132; 9.1 Connection Status – PPPoE .....

  • Page 7

    Chapter 1 Introduction. The AirLive Internet VPN Router, IP-2000VPN, features IPSec and PPTP VPN servers, to offer easy-installation VPN connections for office-to-offi...

  • Page 8

    1.1 Features. IPSec VPN features: • IPSec. Support for IPSec standards, including IKE and certificates. • 10 tunnels. Up to 10 VPN tunnels can be created. • IPSec authentication and encryption. Support for DES, 3DES, AES-128, 192, 256 bits encryption, and MD5, SHA-1 authe...

  • Page 9

    Advanced Internet functions: • Communication applications. Support for Internet communication applications, such as interactive games, telephony, and conferencing applications, which are often difficult to use when behind a firewall, is included. • Special Interne...

  • Page 10

    LAN features: • 3-port switching hub. The IP-2000VPN incorporates a 3-port 10/100BaseT switching hub, making it easy to create or extend your LAN. • DHCP server support. Dynamic Host Configuration Protocol provides a dynamic IP address to PCs and other devices upon ...

  • Page 11

    1.2 Installation of the Router. Requirements: • Network cables. Use standard 10/100BaseT network (UTP) cables with RJ45 connectors. • TCP/IP protocol must be installed on all PCs. • For Internet access, an Internet access account with an ISP, and a broadband modem (usually, DSL or cable modem). Procedu...

  • Page 12

    4. Power up: • Power on the broadband modem. • Connect the supplied power adapter to the IP-2000VPN and power up. Please note that you should use only the power adapter provided. Using a different one may cause hardware damage. 5. Check the LEDs: • The Power LED shou...

  • Page 13

    1.3 Front Panel and Rear Panel. LED table (LED / Function / Color / Status / Description): Power (power indication, green): on = power on. Status (system status, red): on = error condition; blinking = system starts up. WAN (WAN port activity, green): on = the WAN port is linked; blinking = the WAN port is sending or receiving data. On = an a...

  • Page 14

    1.4 Packing List. The following items should be included: • IP-2000VPN Internet VPN Router • Installation CD-ROM • Quick Installation Guide • AC adapter. When you open your package, make sure all of the above items are included and not damaged. If you see that any c...

  • Page 15

    Chapter 2 Deployment. Overview: this chapter describes the setup procedure for: • Internet access • LAN configuration. PCs on your local LAN may also require configuration. For det...

  • Page 16

    Configure or use any of the following: • Configuration file backup and restore • Network diagnostic • PC database • Remote administration • Routing • Upgrade firmware • UPnP (Chapter 10: Other Features and Settings). Configuration program: the IP-2000VPN contains an ...

  • Page 17

    Using your web browser to establish a connection from your PC to the IP-2000VPN: 1. Start your web browser. 2. In the address box, enter "http://" and the IP address of the IP-2000VPN, as in this example, which uses the IP-2000VPN's default IP address: http://192.168.1.1 3. You will be prompted for ...

  • Page 18

    Chapter 3 Configure Router. Home screen: the first time you connect to the IP-2000VPN, you will see the home screen shown below: • Use the menu bar on the ...

  • Page 19

    3.1 Setup Wizard. The main purpose of the Setup Wizard is to configure the WAN type; when you finish the WAN port’s configuration, you can run the test in the wizard to verify the setting. • You need to know the type of Internet connection service used by your ISP. Che...

  • Page 20

    DSL modem, login method PPPoE (Type / Details / ISP data required): Dynamic IP address: your IP address is allocated automatically when you connect to your ISP; user name and password. Static IP address: your ISP allocates a permanent IP address to you; IP address, mask, gateway and DNS address allocated to y...

  • Page 21

    Dynamic IP address: you connect to the ISP only when required; the IP address is usually allocated automatically; ISP data required: usually, none. Login method None, static IP address: your ISP allocates a permanent IP address to you; ISP data required: IP address, mask, gateway and DNS address allocated to you. Telstra Big Pond Cable (Australia): Type...

  • Page 22

    SingTel RAS: for this connection method, the following data is required: • User name • Password • RAS plan.

  • Page 23

    Others (e.g. fixed wireless) (Type / Details / ISP data required): Dynamic IP address: your IP address is allocated automatically when you connect to your ISP; usually, none. However, some ISPs may require you to use a particular hostname, domain name, or MAC (physical) address. Static IP address: your ISP ...

  • Page 24

    3.2 LAN. Use the LAN link on the main menu to reach the LAN screen. An example screen is shown below. Data – LAN screen: TCP/IP: IP address: IP address for the IP-2000VPN, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address r...

  • Page 25

    What a DHCP server can do: a DHCP (Dynamic Host Configuration Protocol) server allocates a valid IP address to a DHCP client (PC or device) upon request. • The client request is made when the client device starts up (boots). • The DHCP server provides the gateway and DNS addresses to the client, as wel...

  • Page 26

    Operation: once both the IP-2000VPN and the PCs are configured, operation is automatic. However, there are some situations where additional Internet configuration may be required: • If using Internet-based communication applications, it may be necessary to specify ...

  • Page 27

    Chapter 4 Internet Features. 4.1 WAN Port. Overview: the following advanced features are provided. • WAN port configuration • Advanced Internet • Commu...

  • Page 28

    Data – WAN Port Configuration screen: Identification: Hostname: normally, there is no need to change the default name, but if your ISP requests that you use a particular “hostname”, enter it here. Domain name: if your ISP provided a domain name, enter it here. Otherwi...

  • Page 29

    DNS: Automatically obtain from server: the DNS (Domain Name Server) address will be obtained automatically from your ISP's server. Note that if using a fixed IP address, with no login (login is set to "None"), then no server is used, and this option cannot be used. ...

  • Page 30

    Disconnected by your ISP, the connection will be re-established immediately. (However, this does not ensure that your Internet IP address will remain unchanged.) Auto-disconnect idle time-out: this field has no effect unless the setting above is Automatic connect/disconnect. If auto-disconnect is be...

  • Page 31

    Communication applications: most applications are supported transparently by the IP-2000VPN. But sometimes it is not clear which PC should receive an incoming connection. This problem could arise with the communication applications listed on this screen. If this problem arises, you can use this scree...

  • Page 32

    Data – Special Applications screen: Special applications: Checkbox: use this to enable or disable this special application as required. Name: enter a descriptive name to identify this special application. Incoming ports: • Type - select the protocol (TCP or UDP) used when you receive data from the specia...

  • Page 33

    This allows unrestricted 2-way communication between the "DMZ PC" and other Internet users or servers. • This allows almost any application to be used on the "DMZ PC". • The "DMZ PC" will receive all "unknown" connections and data. • If the DMZ feature is enabled, you must select the PC to be used a...

  • Page 34

    Data – URL Filter screen: Filter strings: Current entries: this lists any existing entries. If you have not entered any values, this list will be empty. Add filter string: to add an entry to the list, enter it here, and click the "Add" button. An entry may be a domain...

  • Page 35

    Dynamic DNS screen: select Internet on the main menu, then Dynamic DNS, to see a screen like the following: Data – Dynamic DNS screen: DDNS service: DDNS service • You must register for the service at one of the listed service providers. You can reach the service provider's web site by selecting them i...

  • Page 36

    4.4 Virtual Server. This feature allows you to make servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because: • Your server does not have a valid external IP address. • Attempts to connect to devices on your LAN are blocked by...

  • Page 37

    Using the DMZ port for virtual servers: you should connect your virtual servers to the DMZ port, for the following reasons: • Traffic passing between the DMZ and LAN passes through the firewall. The firewall will protect your LAN if your server is compromised and used to launch an attack on your LAN....

  • Page 38

    Data – Virtual Servers screen: Servers: Servers: this lists a number of pre-defined servers, plus any servers you have defined. Details of the selected server are shown in the "Properties" area. Properties: Enable: use this to enable or disable support for this server,...

  • Page 39

    4.5 Options. This screen allows advanced users to enter or change a number of settings. For normal operation, there is no need to use this screen or change any settings. Data – Options screen: Backup DNS: IP address: enter the IP address of the DNS (Domain Name Servers) here. These DNS will be used only...

  • Page 40

    Chapter 5 Security. Overview: the following advanced configurations are provided. • Admin login • Access control • Firewall rules • Logs • E-mail • Security options • Scheduling • Services ...

  • Page 41

    Enter the "User Name" and "Password" you set on the Admin Login screen above.

  • Page 42

    5.2 Access Control. This feature is accessed by the Access Control link on the Security menu. The Access Control feature allows administrators to restrict the level of Internet access available to PCs on your LAN. With the default settings, everyone has unrestricted Internet access. To use this featur...

  • Page 43

    Data – Access Control screen: Group: Group: select the desired group. The screen will update to display the settings for the selected group. Groups are named "Default", "Group 1", "Group 2", "Group 3" and "Group 4", and cannot be re-named. "Members" button: click this...

  • Page 44

    Group Members screen: this screen is displayed when the Members button on the Access Control screen is clicked. Use this screen to add or remove members (PCs) from the current group. • The "Del >>" button will remove the selected PC (in the Members list) from the current group. • The "" button will ad...

  • Page 45

    5.3 Firewall Rule. For normal operation and LAN protection, it is not necessary to use this screen. The firewall will always block DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it - the servic...

  • Page 46

    Data – Firewall Rules screen: Rule list: View rules for …: select the desired option; the screen will update and list any current rules. If you have not defined any rules, the list will be empty. Data: for each rule, the following data is shown: • Name - the name you ...

  • Page 47

    Define Firewall Rule: clicking the "Add" button in the Firewall Rules screen will display a screen like the example below.

  • Page 48

    Data – Define Firewall Rule screen: Define firewall rule: Name: enter a suitable name for this rule. Type: this determines the source and destination ports for traffic covered by this rule. Select the desired option. Source IP: these settings determine which traffic, b...

  • Page 49

    5.4 Logs. The logs record various types of activity on the IP-2000VPN. This data is useful for troubleshooting, but enabling all logs will generate a large amount of data and adversely affect performance. Since only a limited amount of log data can be stored in the IP-2000VPN, log data can also be e-...

  • Page 50

    Data – Logs screen: Enable logs: Incoming traffic: select the desired option: • All IP traffic - this will log all incoming TCP/IP connections, of any type. This will generate the largest logs, and fill the internal log buffer more quickly. • All TCP/UDP/ICMP traffic...

  • Page 51

    System log: select the desired option: • Router operations (start up, get time etc.) - this option will log normal router operations. • Connections to the web-based interface of this router - this option will log each connection to the router itself, whenever the ...

  • Page 52

    5.5 E-mail. Data – E-mail screen: E-mail alerts: Send e-mail alert: if enabled, an e-mail will be sent immediately if a DoS (Denial of Service) attack is detected. If enabled, the e-mail address information must be provided. E-mail logs: Send logs by e-mail: if enabled, logs will be sent to the specified ...

  • Page 53

    Subject: enter the text string to be shown in the "Subject" field for the e-mail. SMTP server: enter the address or IP address of the SMTP (Simple Mail Transport Protocol) server you use for outgoing e-mail. Port no.: enter the port number used to connect ...

  • Page 54

    5.6 Security Options. This screen allows you to set firewall and other security-related options. Data – Security Options screen: Firewall: Enable DoS firewall: if enabled, DoS (Denial of Service) attacks will be detected and blocked. The default is enabled. It is strongly recommended that this setting b...

  • Page 55

    Options: Respond to ICMP (ping): the ICMP protocol is used by the "ping" and "trace route" programs, and by network monitoring and diagnostic programs. • If checked, the IP-2000VPN will respond to ICMP packets received from the Internet. • If not checked, ICMP packe...

  • Page 56

    5.7 Scheduling. • This schedule can be (optionally) applied to any Access Control group. • Blocking will be performed during the scheduled time (between the "Start" and "Finish" times). • Two (2) separate sessions or periods can be defined. • Times must be entered using a 24 hr clock. • If the time f...

  • Page 57

    5.8 Services. Services are used in defining traffic to be blocked or allowed by the Access Control or Firewall Rules features. Many common services are pre-defined, but you can also define your own services if required. To view the Services screen, select the Services link on the Security menu. Data ...

  • Page 58

    Chapter 6 IPSec VPN. 6.1 Common VPN Situations. VPN pass-through: here, a PC on the LAN behind the router/gateway is using VPN software, but the router/gateway is not acting as a VPN endpoint...

  • Page 59

    Office-to-office VPN gateway: this allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN. • The 2 LANs must use different IP address ranges. • The VPN policies at each end determine when a VPN tunnel will be established, and what systems on the remote LAN can ...

  • Page 60

    6.2 VPN Configuration. This section covers the configuration required on the IP-2000VPN when using manual key exchange (manual policies) or IKE (automatic policies). Details of using certificates are covered in a later section. VPN Policies screen: to view this screen, select VPN Policies from the VPN...

  • Page 61

    Move: the order in which policies are listed is only important if you have multiple policies for the same remote site. In that case, the first matching policy is used. There are 2 ways to change the order of policies: • Use the up and down indicators on the right to move the selected row. You must con...

  • Page 62

    • If you prefer to use a single setup screen instead of a wizard, click the Setup Screen button. This is recommended for experienced users only. • Otherwise, click Next to continue. You will see a screen like the following. General settings: Policy name: enter a suitable name. This name is not supplie...

  • Page 63

    2. Click Next to continue. You will see a screen like the following: • For outgoing VPN connections, these settings determine which traffic will cause a VPN tunnel to be created, and which traffic will be sent through the tunnel. • For incoming VPN connections, these settings determine which systems...

  • Page 64

    Remote IP addresses: Type: • Single address - enter an IP address in the "Start IP address" field. • Range address - enter the starting IP address in the "Start IP address" field, and the finish IP address in the "Finish IP address" field. • Subnet address - enter the desired IP address in the "Start ...

  • Page 65

    Manually assigned keys: AH authentication: AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. (AH is often not used.) If AH is not enabled, the following settings can be ignored. Keys: • The "In" key here must match the "Out"...

  • Page 66

    ESP SPI: this is required if either ESP encryption or ESP authentication is enabled. • Each SPI (Security Parameter Index) must be unique. • The "In" SPI here must match the "Out" SPI on the remote VPN, and the "Out" SPI here must match the "In" SPI on the remote VPN. • Each SPI should be at least 3 ...

  • Page 67

    IKE Phase 1 (IKE SA): Local identity: this setting must match the "Remote identity" on the remote VPN. Select the desired option, and enter the required data in the "Local identity data" field. • WAN IP address - this is the most common method. If selected, no input...

  • Page 68

    Direction: select the desired option: • Initiator - only outgoing connections will be created. Incoming connection attempts will be rejected. • Responder - only incoming connections will be accepted. Outgoing traffic which would otherwise result in a connection will be ignored. • Both directions - bo...

  • Page 69

    IKE Phase 2 (IPSec SA): IPSec SA life time: this setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds. IPSec PFS: if enabled, PFS (Perfect Forward Secrecy) enhances se...

  • Page 70

    6.3 Certificates. Certificates are used to authenticate users. Certificates are issued to you by various CAs (Certification Authorities). These certificates are called "self certificates". Each CA also issues a certificate to itself. This certificate is required in order to validate communication wit...

  • Page 71

    Requesting a trusted certificate: 1. After obtaining a new certificate from the CA, you need to upload it to the IP-2000VPN. 2. On the "Certificates" screen, click the "Add Trusted Certificate" button to view the Add Trusted Certificate screen, shown below. 3. Click the "Browse" button, and locate th...

  • Page 72

    Active self certificates: Name: the name you assigned to this certificate. You should select a name which helps to identify this particular certificate. Subject name: the company or person to whom the certificate is issued. Issuer name: the CA (Certification Authority...

  • Page 73

    2. Complete this screen. Name: enter a name which helps to identify this particular certificate. This name is only for your reference; it is not visible to other people. Subject name: this is the name which other organizations will see as the holder (owner) of this certificate. This should be your reg...

  • Page 74

    3. Click "Next" to continue to the following screen. 4. Check that the data displayed in the Certificate Details section is correct. This data is used to generate the certificate request. If the data is not correct, click the "Back" button and correct the previous screen. 5. If the data is correct, ...

  • Page 75

    9. Upload the certificate: • Click the Browse button, and locate the certificate file on your PC. • Select the file. The name will appear in the Certificate File field. • Click the Upload button to upload the certificate file to the IP-2000VPN. • Click Back to return to the Self Certificates screen....

  • Page 76

    6.4 CRLs. • CRLs are only necessary if using certificates. • CRL (Certificate Revocation List) files show certificates which have been revoked, and are no longer valid. • Each CA issues its own CRLs. • It is very important to keep your CRLs up-to-date. You need to obtain the CRL for each CA regularly...

  • Page 77

    6.5 Status. This screen lists all VPN SAs (Security Associations) which exist at the current time. • If no VPN tunnels exist at the current time, the table will be empty. • To update the display, click the "Refresh" button. • If using IKE, there is one SA for the IKE connection, and another SA for the...

  • Page 78

    Chapter 7 Microsoft VPN (PPTP). Overview: Microsoft VPN uses the Microsoft VPN adapter which is provided in recent versions of Windows. This ...

  • Page 79

    Data – Microsoft VPN screen: PPTP server: Enable: use this checkbox to enable or disable this feature as required. To allow connection by remote Windows clients, you must enable this feature, and enter the client details (on the Clients screen) to allow them to login to this server. Authentication meth...

  • Page 80

    Data – Microsoft VPN Client Database screen: Existing users: User list: all existing users are listed. If you have not added any users, this list will be empty. When a user is selected, their details are displayed in the Properties panel. You can then edit the user's...

  • Page 81

    Status screen: the Status screen is accessed by selecting the Status option on the Microsoft VPN menu. Data – Microsoft VPN Status screen: Server status: Status: this indicates whether or not the PPTP (VPN) server is enabled. Current connections: this indicates the number of remote clients currently logg...

  • Page 82

    7.2 Windows PPTP Clients Setup. To connect to the PPTP (VPN) server in the IP-2000VPN: • The Microsoft VPN feature in the IP-2000VPN must be enabled and configured, as described in the previous section. • Each user must have a login (username and password) on the VPN client database on the IP-2000VPN...

  • Page 83

    4. Enter the Internet IP address or domain name of this device. (If you don't have a fixed IP address, you can use a Dynamic DNS service to obtain a domain name.) Click "Next" to continue. 5. Click “Finish” to exit the wizard. The new entry will now be listed in "Dial-up Networking". If necessary, y...

  • Page 84

    Windows 2000: ensure you have logged on with administrator rights before attempting this procedure. 1. Open "Network Connections", and start the "New Connection" wizard. 2. Select the VPN option ("Connect to a private network through the Internet"), as shown above, and click Next.

  • Page 85

    3. On the screen above: • Select "Do not dial the initial connection" if Internet access is via the LAN. • If using a PPPoE software client, select "Automatically dial this initial connection" and select the PPPoE connection. • Click Next to continue. 4. On the screen above, enter the domain name or...

  • Page 86

    5. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue. 6. Enter a suitable name, and click "Finish" to save and exit. 7. Setup is now complete. To establish a connection: 1. Right-click the connection in "Network Connections", and select "...

  • Page 87

    Windows XP: ensure you have logged on with administrator rights before attempting this procedure. 1. Open Network Connections (Start - Settings - Network Connections), and start the New Connection wizard. 2. Select the option "Connect to the network at my workplace", as shown above, and click Next.

  • Page 88

    3. On the next screen, shown above, select the "Virtual Private Network connection" option. Click Next to continue. 4. Enter a suitable name for this connection. Click Next to continue.

  • Page 89

    5. On the screen above, select "Do not dial the initial connection". Click Next to continue. 6. On the screen above, enter the domain name or Internet IP address of the IP-2000VPN you wish to connect to. Click Next to continue.

  • Page 90

    7. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue. 8. On the final screen, click Finish to save and exit. 9. Setup is now complete. To establish a connection: 1. Right-click the connection in "Networ...

  • Page 91

    Windows Vista: ensure you have logged on with administrator rights before attempting this procedure. 1. Select Control Panel → Network and Sharing Center, click “Set up a connection or network”. 2. Select “Connect to a workplace”, and press “Next”.

  • Page 92

    3. On the next screen, select and press “Use my Internet connection (VPN)”. 4. If the PC was configured to dial up to the ISP with PPPoE or similar, the system will ask the user to verify which Internet connection will be used to connect. Select the specific one and press “Next”.

  • Page 93

    5. Fill in the PPTP server IP address in the screen “Type the Internet address to connect to”. 6. Type in the user name and password of the PPTP client, and then press “Connect” to connect to the PPTP server.

  • Page 94

    7. If the PPTP client connects successfully to the PPTP server, the user can see the following screen. 8. Ping the IP-2000VPN LAN IP address (192.168.1.1) and the IP address (192.168.1.2) of a PC connected to the IP-2000VPN, to verify the PPTP connection. The result is fine.

  • Page 95

    Chapter 8 VPN Example. This section describes some examples of using the IP-2000VPN in common VPN situations. It is used to create an IPSec VPN tunnel between two offices’ sites, and...

  • Page 96

    8.1 Office-to-office IPSec VPN – connecting two IP-2000VPN. In this example, two IP-2000VPN will connect VPN with each other and gain access to both LANs. Environment (IPSec Site A / IPSec Site B): WAN IP address 60.250.158.64 / 203.10.66.89; LAN IP subnet 192.168.1.x / 192.168.0.x; pre-shared key 12345678...

  • Page 97

    Data – Network Configuration (Setting / Type / Value / Notes): Name: policy_a; name does not affect operation, select a meaningful name. Enable policy: enable. Allow NetBIOS traffic: enable; enable to allow NetBIOS passing through the VPN tunnel. Remote endpoint: Fixed IP, 203.10.66.89; other endpoint's WAN (Internet) IP ...

  • Page 98

    Data – Authentication and Encryption (Setting / Type / Value / Notes): IKE direction: Both directions; does not have to match with Site B. Either endpoint can block 1 direction. Local identity: WAN IP address; system will detect the IP address and fill in the form automatically....

  • Page 99

    Step 3: IPSec VPN Site B – Network Configuration. Data – Network Configuration (Setting / Type / Value / Notes): Name: policy_b; name does not affect operation, select a meaningful name. Enable policy: enable. Allow NetBIOS traffic: enable; enable to allow NetBIOS passing through the VPN tunnel. Remote endpoint: Fixed IP...

  • Page 100

    Step 4: IPSec VPN Site B – Authentication and Encryption. Data – Network Configuration (Setting / Type / Value / Notes): IKE direction: Both directions; does not have to match with Site A. Either endpoint can block 1 direction. Local identity: WAN IP address; system will detect the IP address and fill in the form a...

  • Page 101

    Method: IKE. Authentication algorithm: MD5; must match with Site A. IKE encryption: 3DES; must match with Site A. IKE exchange mode: Main mode; must match with Site A. DH group: Group 2 (1024 bit); must match with Site A. IKE SA life time: 180; shorter period will be used. IKE ke...

  • Page 102

    8.2 Office-to-office IPSec VPN – connecting IP-2000VPN and RS-1200. In this example, the IP-2000VPN will connect VPN with the RS-1200, and gain access to both LANs. Environment (IP-2000VPN / RS-1200): WAN IP address airlive98.dyndns.org / 60.250.158.64; LAN IP subnet 192.168.1.x / 192.168.100.x; pre-shared key 123...

  • Page 103

    (Setting: Type / Value – Notes)
    • Name: to_rs12 – The name does not affect operation; select a meaningful name.
    • Enable Policy: Enable
    • Allow NetBIOS Traffic: Enable – Enable to allow NetBIOS to pass through the VPN tunnel.
    • Remote Endpoint: Domain Name / airlive98.dyndns.org – The domain name resolves to the other endpoint's WAN (In...

  • Page 104

    (Setting: Type / Value – Notes)
    • IKE Direction: Both Directions – Using "responder only" is not possible.
    • Local Identify: WAN IP Address – The system will detect the IP address and fill in the form automatically. It is the most common ID method.
    • Remote Identify: Remote WAN IP Address – The system will detect the IP address ...

  • Page 105

    2. Configure the DDNS service and fill in the necessary settings, so that the dynamic domain name (e.g. airlive98.dyndns.org) resolves to the current IP address. Step 4: Configure RS-1200 IPsec Autokey. 1. Select IPsec Autokey in VPN. Click New Entry. 2. In the IPsec Autokey list, fill in Name with to_...

  • Page 106

    6. Select Data Encryption + Authentication in the IPsec Algorithm list. Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm to define how data is encapsulated for transmission. 7. After selecting Group2 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime; enter 28800 seco...

  • Page 107

    Step 6: Configure RS-1200 Outgoing and Incoming Policy. 1. Enter the following setting in Outgoing Policy. • Tunnel: select to_ip2k_tunnel. • Click OK. 2. Enter the following setting in Incoming Policy. • Tunnel: select to_ip2k_tunnel. • Click OK.

  • Page 108

    8.3 Getting into the Office Network from the Internet (PPTP) – Windows XP PPTP Client. In this example, a Windows XP client connects to the IP-2000VPN and gains access to the local LAN. Environment (IP-2000VPN / PC with PPTP VPN software):
    • WAN IP address: 60.250.158.65 / Any
    • LAN IP subnet: 192.168.1.X
    • Encrypted auth...

  • Page 109

    Step 2: Set Up the IP-2000VPN PPTP Server. 1. Select Microsoft VPN → Clients, and tick "Allow Connection" in Properties. 2. Fill in the form with a user name and password. For example, the user name is jacky and the password is 1234. 3. Click the "Add as New User" button to update the accoun...

  • Page 110

    Step 3: Set Up the Windows XP PPTP Client Software. Ensure you have logged on with administrator rights before attempting this procedure. 1. Open Network Connections (Start → Settings → Network Connections), and start the New Connection Wizard. 2. Select the option "Connect to the network at my workplace...

  • Page 111

    4. Enter a suitable name for this connection. Click Next to continue. 5. On the screen above, select "Do not dial the initial connection". Click Next to continue.

  • Page 112

    6. On the screen above, enter the domain name or Internet IP address of the IP-2000VPN you wish to connect to. Click Next to continue. 7. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue. 8. On the final screen, click Finish to save and ...

  • Page 113

    Step 4: Connect the Windows XP PPTP Client to the IP-2000VPN. 1. When the user finishes the Windows XP PPTP client configuration, a login window pops up for the user's access. 2. Enter the user name and password, for example user name jacky and password 1234, and tick "Save this user name and...

  • Page 114

    3. Click the “Connect” button to start the PPTP connection with the IP-2000VPN. 4. After the client's user name and password are verified, if the connection is successful, an additional connection icon appears in the bottom-right corner to indicate the PPTP connection. 5. The user can run the command prompt on the PPTP client's ...

  • Page 115

    7. Try to connect to the resource PC (192.168.1.4) and search for the shared folder. 8. Once the shared folder is found, the PPTP client can access the resource as well.

  • Page 116

    8.4 Getting into the Office Network from the Internet (IPsec) – Windows XP IPsec Client. In this example, a Windows 2000/XP client connects to the IP-2000VPN and gains access to the local LAN. To use 3DES encryption on Windows 2000, you need Service Pack 3 or later installed. Environment: IP-2000VPN / PC with ...

  • Page 117

    Step 1: IP-2000VPN – Network Configuration (Setting: Type / Value – Notes)
    • Name: to_xp – The name does not affect operation; select a meaningful name.
    • Enable Policy: Enable
    • Allow NetBIOS Traffic: Enable – Enable to allow NetBIOS to pass through the VPN tunnel.
    • Remote Endpoint: Fixed IP / 220.139.238.157 – The other endpoint's WAN ...

  • Page 118

    Step 2: IP-2000VPN – Authentication and Encryption (Setting: Type / Value – Notes)
    • IKE Direction: Both Directions – Using "responder only" is not possible.
    • Local Identify: WAN IP Address – The system will detect the IP address and fill in the form automatically. It is the most common ID method.
    • Remote Identify: Remote...

  • Page 119

    • IKE Authentication Algorithm: MD5 – Must match the client PC.
    • IKE Encryption: DES – Must match the client PC.
    • IKE Exchange Mode: Main Mode – Windows 2000/XP only supports Main Mode.
    • DH Group: Group 1 (768 bit) – Must match the client PC.
    • IKE SA Life Time: 180 – The shorter period will be used.
    • IKE Keep Alive: Skip t...

  • Page 120

    3. Click "Next", and then enter a policy name, for example "2kvpn to xp", then click "Next". 4. Step through the wizard: • Deselect Activate the default response rule. Click "Next". • Leave Edit properties checked. Click "Finish". 5. The following "Properties - Rules" screen will be displayed. ...

  • Page 121

    1. No rules are in use. Two (2) rules are required - incoming and outgoing. 2. The outgoing rule will be added first. 6. Deselect the "Use Add Wizard" checkbox, and then click "Add" to view the screen below. 7. Click “Add” and type "to 2kvpn" for the name. 8. Deselect “Use Add Wizard” and then to cl...

  • Page 122

    9. Enter the source IP address and the destination IP address. • Since this is the outgoing filter, the source IP address is "My IP Address" and the destination IP address is the address range used on the remote LAN. • Ensure the Mirrored option is checked, and click “OK” to save the setting. 10. Cli...

  • Page 123

    11. On the resulting screen (above), ensure the "to 2kvpn" filter is selected, then click the Filter Action tab to see a screen like the following. 12. Select Require Security, then click the "Edit" button to view the Require Security Properties screen, and select Negotiate security (this selects IKE),...

  • Page 124

    13. On the resulting screen (above), select Encryption and Integrity, then click "OK" to save your changes and return to the Require Security Properties screen.

  • Page 125

    14. Ensure the following settings are correct, and then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.
    VPN Setting / Windows Setting:
    • IKE: Enabled / Negotiate security
    • AH: Disabled / AH Integrity:
    • ESP Encryption: Enable/3DES / ESP Confidentiality: 3DES
    • ESP Authentication: Enab...

  • Page 126

    16. Click the Authentication Methods tab. 17. Click "Edit" and select Use this string (preshared key), then enter your preshared key in the field provided.

  • Page 127

    18. Click "OK" to save your changes and return to the Authentication Methods tab of the Edit Rule Properties screen. 19. Click "Close" to return to the 2kvpn to xp Properties screen. The "to 2kvpn" filter should now be listed, as shown below. 20. To add the second (incoming) rule, click "Add" to crea...

  • Page 128

    21. Click “Add” and fill in the name with "to winxp", and then click "Add". 22. Enter the source IP address and the destination IP address as shown below. • Since this is the incoming filter, the source IP address is the address range used on the remote LAN and the destination IP address is "My Ad...

  • Page 129

    23. Click "OK" to save the setting. 24. Ensure the "to win2k" filter is selected, and then click the Filter Action tab.

  • Page 130

    25. Select Require Security, then click "Edit". Check that Negotiate security is selected. 26. Click "OK" to return to the Filter Action screen. 27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (220.139.238.157 in this example). ...

  • Page 131

    28. Select the Authentication Methods tab, and click the "Edit" button. 29. Select Use this string (preshared key), then enter your preshared key in the field provided.

  • Page 132

    30. Click "OK" to save your settings, then "Close" to return to the 2kvpn to xp Properties screen. There should now be 2 IP filters listed, as shown below. 31. Select the General tab.

  • Page 133

    32. Click the "Advanced" button to see the screen below. 33. Click the "Methods" button to see the screen below. 34. Move the fourth rule up to the top, in order to define "MD5" for the integrity algorithm, "DES" for the encryption algorithm, and "Low(1)" for the Diffie-Hellman group. 35. Click "OK" to sav...

  • Page 134

    36. Right-click the 2kvpn to xp policy and select "Assign" to make your policy active. 37. Configuration is now complete.

  • Page 135

    Chapter 9 Status. Status Screen: use the Status link on the main menu to view this screen. Data – Status Screen. Internet: Connection Method – This indicates the current connection method. Broadband Mod...

  • Page 136

    LAN: IP Address – The IP address of the IP-2000VPN. Network Mask – The network mask (subnet mask) for the IP address above. DHCP Server – This shows the status of the DHCP server function, either "On" or "Off". For additional information about the PCs on your LAN, and ...

  • Page 137

    9.1 Connection Status – PPPoE. If using PPPoE (PPP over Ethernet), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data – PPPoE Screen. Connection: Physical Address – The hardware address of this device, as seen by remote devices on the Internet. (Th...

  • Page 138

    update the messages shown on screen. Buttons: Connect – If not connected, establish a connection to your ISP. Disconnect – If connected to your ISP, hang up the connection. Clear Log – Delete all data currently in the log. This will make it easier to read new messages. ...

  • Page 139

    9.2 Connection Status – PPTP. If using PPTP (Point-to-Point Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data – PPTP Screen. Connection: Physical Address – The hardware address of this device, as seen by remote devices on the In...

  • Page 140

    Disconnect – If connected to your ISP, hang up the connection. Clear Log – Delete all data currently in the log. This will make it easier to read new messages. Refresh – Update the data on screen.

  • Page 141

    9.3 Connection Status – Telstra Big Pond. Data – Telstra Big Pond Screen. Connection: Physical Address – The hardware address of this device, as seen by remote devices. (This is different to the hardware address seen by devices on the local LAN.) IP Address – The IP address of this device, as seen by Inter...

  • Page 142

    Disconnect – If connected to Telstra Big Pond, terminate the connection. Clear Log – Delete all data currently in the log. This will make it easier to read new messages. Refresh – Update the data on screen.

  • Page 143

    9.4 Connection Status – SingTel RAS. If using the SingTel RAS access method, a screen like the following example will be displayed when the "Connection Details" button is clicked. Data – SingTel RAS Screen. Internet: RAS Plan – The RAS plan which is currently used. Physical Address – The hardware address o...

  • Page 144

    button will display either "Release" or "Renew" automatically on connection (dynamic IP address). If you have a fixed (static) IP address, this button has no effect. • If the ISP's DHCP server has not allocated an IP address for the IP-2000VPN, this button will ...

  • Page 145

    9.5 Connection Status – Fixed/Dynamic IP Address. If your access method is "Direct" (no login), a screen like the following example will be displayed when the "Connection Details" button is clicked. Data – Fixed/Dynamic IP Address Screen. Internet: Physical Address – The hardware address of this device, ...

  • Page 146

    or "Renew". • If the ISP's DHCP server has not allocated an IP address for the IP-2000VPN, this button will say "Renew". Clicking the "Renew" button will attempt to re-establish the connection and obtain an IP address from the ISP's DHCP server. • If an IP address...

  • Page 147

    9.6 Connection Status – L2TP. If using L2TP (Layer 2 Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked. L2TP Data – L2TP Screen. Connection: Physical Address – The hardware address of this device, as seen by remote devices on the In...

  • Page 148

    Buttons: Connect – If not connected, establish a connection to your ISP. Disconnect – If connected to your ISP, hang up the connection. Clear Log – Delete all data currently in the log. This will make it easier to read new messages. Refresh – Update the data on screen.

  • Page 149

    Chapter 10 Other Features & Settings. Overview: normally, it is not necessary to use these screens, or change any se...

  • Page 150

    Config File Screen. Data – Config File Screen. Config File: Backup Config – Use this to download a copy of the current configuration, and store the file on your PC. Click Download to start the download. Restore Config – This allows you to restore a previously-saved configuration file back to the IP-2000VPN...

  • Page 151

    10.2 Network Diagnostics. This screen allows you to perform a "Ping" or a "DNS Lookup". These activities can be useful in solving network problems. An example Network Diagnostics screen is shown below. Network Diagnostics Screen. Data – Network Diagnostics Screen. Ping: IP Address – Enter the IP address y...

  • Page 152

    10.3 PC Database. The PC Database is used whenever you need to select a PC (e.g. for the "DMZ" PC). It eliminates the need to enter IP addresses. Also, you do not need to use fixed IP addresses on your LAN. PC Database Screen: an example PC Database screen is shown below. • PCs which are "DHCP Clients...

  • Page 153

    IP Address – Enter the IP address of the PC. The PC will be sent a "ping" to determine its hardware address. If the PC is not available (not connected, or not powered on) you will not be able to add it. Buttons: Add – This will add the new PC to the list. The PC will be sent a "ping" to determine its har...

  • Page 154

    Data – PC Database (Admin) Screen. PC Database (Admin): Known PCs – This lists all current entries. Data displayed is Name (IP Address) Type. The "Type" indicates whether the PC is connected to the LAN. PC Properties: Name – If adding a new PC to the list, enter its nam...

  • Page 155

    10.4 Remote Administration. Remote Administration allows you to connect to this interface via the Internet, using your web browser. Data – Remote Administration Screen. Information: Information to establish a connection from the Internet: 1. Enable Remote Administration and configure this screen. 2. Fr...

  • Page 156

    IP Address – To manage this device via the Internet, you need to know the IP address of this device as seen from the Internet. This IP address is allocated by your ISP, and is shown here if you are currently connected to the Internet. However, if you use a dynamic IP address, this value can change each time...

  • Page 157

    10.5 Routing. Overview: • If you don't have other routers or gateways on your LAN, you can ignore the "Routing" page completely. • If the IP-2000VPN is only acting as a gateway for the local LAN segment, ignore the "Routing" page even if your LAN has other routers....

  • Page 158

    Data – Routing Screen. RIP: RIP – Select the RIP (Routing Information Protocol) type based on the request and save the setting to enable it. The IP-2000VPN supports RIP 1, RIP 2B, and RIP 2M. Static Routing: Static Routing Table Entries – This list shows all entries in the routing table. • The "Properties"...

  • Page 159

    Properties: • Destination Network - The network address of the remote LAN segment. For standard class "C" LANs, the network address is the first 3 fields of the destination IP address. The 4th (last) field can be left at 0. • Network Mask - The network mask for t...

  • Page 160

    Other Routers on the Local LAN: other routers on the local LAN must use the IP-2000VPN's Local Router as the default route. The entries will be the same as the IP-2000VPN's Local Router, with the exception of the Gateway IP address. • For a router with a direct con...

  • Page 161

    10.6 Upgrade Firmware. Use this screen to upgrade your IP-2000VPN's firmware. • You must download the required firmware file, and store it on your PC. • During the upgrade process, all existing Internet connections will be terminated. • The upgrade process must not be interrupted. Data – Upgrade Firm...

  • Page 162

    10.7 UPnP. An example UPnP screen is shown below. Data – UPnP Screen. UPnP: Enable UPnP Services – • UPnP (Universal Plug and Play) allows automatic discovery and configuration of equipment attached to your LAN. UPnP is supported by Windows ME, XP, or later. • If enabled, this device will be visible v...

  • Page 163

    Appendix A PC Configuration. Overview: for each PC, the following may need to be configured: • TCP/IP network settings • Internet access configuratio...

  • Page 164

    3. Click on the Properties button. You should then see a screen like the following. Ensure your TCP/IP settings are correct, as follows: Using DHCP – To use DHCP, select the radio button Obtain an IP address automatically. This is the default Windows setting, and it is recommended to use it. By default...

  • Page 165

    • On the DNS Configuration tab, ensure Enable DNS is selected. If the DNS Server Search Order list is empty, enter the DNS address provided by your ISP in the fields beside the Add button, then click Add. Checking TCP/IP Settings - Windows NT 4.0: 1. Select Control Panel - Network, and, on the Protocol...

  • Page 166

    3. Select the network card for your LAN. 4. Select the appropriate radio button - Obtain an IP address from a DHCP server or Specify an IP address, as explained below. Obtain an IP address from a DHCP server – This is the default Windows setting, and it is recommended to use it. By default, the IP-200...

  • Page 167

    6. The DNS should be set to the address provided by your ISP, as follows: • Click the DNS tab. • On the DNS screen, shown below, click the Add button (under DNS Service Search Order), and enter the DNS provided by your ISP.

  • Page 168

    Checking TCP/IP Settings - Windows 2000: 1. Select Control Panel - Network and Dial-up Connection. 2. Right-click the Local Area Connection icon and select Properties. 3. Select the TCP/IP protocol for your network card. 4. Click on the Properties button. You should then see a screen like the followin...

  • Page 169

    Using DHCP – To use DHCP, select the radio button Obtain an IP address automatically. This is the default Windows setting, and it is recommended to use it. By default, the IP-2000VPN will act as a DHCP server. Restart your PC to ensure it obtains an IP address from the IP-2000VPN. Using a fixed IP add...

  • Page 170

    5. Ensure your TCP/IP settings are correct. Using DHCP – To use DHCP, select the radio button Obtain an IP address automatically. This is the default Windows setting, and it is recommended to use it. By default, the IP-2000VPN will act as a DHCP server. Restart your PC to ensure it obtains an IP addre...

  • Page 171

    4. Close the TCP/IP panel, saving your settings. If using manually assigned IP addresses instead of DHCP, the required changes are: • Set the Router Address field to the IP-2000VPN's IP address. • Ensure your DNS settings are correct. Linux Clients: to access the Internet via the IP-2000VPN, it is on...

  • Page 172

    Appendix B VPN Overview. This section describes the VPN (Virtual Private Network) support provided by your IP-2000VPN. A VPN (Virtual Private Network) provides a secure...

  • Page 173

    Policies: VPN configuration settings are stored in policies. Note that different vendors use different terms. Generally, the terms "VPN Policy", "IPsec Policy", and "IPsec Proposal" have the same meaning. However, some vendors separate IKE policies (Phase 1 parame...

  • Page 174

    IPsec Parameters: the IPsec parameters at each endpoint must match.

  • Page 175

    Appendix C Troubleshooting. Overview: this chapter covers some common problems that may be encountered while using the IP-2000VPN and some possible ...

  • Page 176

    Problem 2: Some applications do not run properly when using the IP-2000VPN. Solution 2: The IP-2000VPN processes the data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not fun...

  • Page 177

    Appendix D Specifications. Model: IP-2000VPN. Dimensions: 141mm(W) * 100mm(D) * 27mm(H). Operating temperature: 0 °C to 40 °C. Storage temperature: -10 °C to...