7/28/2019 Secure Tunnel

Internet Secure Tunneling
Implementation Guide


Dear Customer:

Congratulations on your purchase of the Intel Express Router, now with Virtual Private Networking for secure networking over the Internet.

Intel Express Routers can secure your private business communications for safe and affordable transmission over the Internet. At the same time, Intel Express Routers continue to offer a simple, cost-effective solution for your traditional WAN routing needs.

This guide shows how to configure a secure tunnel for VPN using two Intel Express Routers. The guide covers different configurations and set-ups to meet most network needs. We also provide an introduction to secure tunneling and security issues. A list of responses to frequently asked questions is included.

We've attempted to provide complete information in this guide. If you should want further assistance, Intel offers a number of support and service options. For more information, go to http://support.intel.com/sites/support/.

Thank you for your purchase!

Sincerely,

The Intel Express Routers Marketing Team


Table of Contents

Introduction to Tunneling
    Securing Data Over a VPN
    Advanced filters and firewalls
    PAP and CHAP
Example Scenarios for Configuration of a Tunnel
    Configuration issues
        Static IP host route to the remote router
        Numbered IP WAN link
        Encryption
        Filtering
    Configuration Scenarios
        1. Internet Tunneling only
        2. Tunneling with browser (HTTP) access to the Internet
        3. Tunneling with browser access and mail exchange on the Internet
        4. Tunneling with browser access on the Internet through a proxy server
        5. Internet tunneling through a firewall
How to Configure Tunnels and Filters
    Tunneling over a WAN connection
    Tunneling over a LAN connection
    How to configure IP filters
Frequently Asked Questions


Introduction to Tunneling

Tunneling is a technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. It is almost like having your own private network.

With two or more Intel Express Routers, you can use tunneling and encryption to create a Virtual Private Network (VPN). This virtual network allows safe use of the Internet to send and receive secure business data between LANs. You get the security of a private network at the vastly lowered expense of simple Internet connections.

In addition to security and low cost, another benefit of tunneling is its global networking capability. Any international site can be connected to a VPN over the Internet. Because the tunnel link is independent of the Wide Area Networking (WAN) link, you can connect to the Internet via any WAN link, including T1/E1, ISDN, Frame Relay or X.25, for example.

Tunneling employs the Internet Protocol (IP), which specifies the format of packets and the addressing scheme. All data transmitted over the tunnel is encapsulated in IP packets. As a result, you can route and bridge protocols, enable filters and deploy cost-control features the same way as when using a WAN link. You can transmit IP, IPX and bridged data over the tunnel.

Typically, because of current limitations in the Internet infrastructure, VPNs are most suitable for non-real-time or lower-bandwidth traffic. For this reason, proprietary or leased-line solutions still make sense for businesses that regularly traffic in time-sensitive data or large files.

Securing data over a VPN

In a world where some people make a living by breaking into private property, whether it's real property or intellectual property in the form of data, securing private transmissions over the Internet is imperative.

Current security tools at your disposal include encryption, filtering and firewalls. With the increasing use of the Internet for private transactions, security and protection schemes constitute a major area of current high-technology research and development.

Intel Express Routers offer a simple and inexpensive solution for securing private communications over the Internet, public Frame Relay and X.25 networks. There's no need to alter your existing network architecture. Security is provided by using an Intel router for each point at which you connect to the Internet.

Intel supplies its Express Routers with powerful encryption. Intel uses the Blowfish algorithm with a 144-bit encryption key. This compares with competing solutions providing key lengths of only 40 to 128 bits. For even greater security, you can use a different key for each tunnel. Because the key is a shared secret entered by hand on both routers (see Configuration issues), choose it randomly and protect it as you would any password.

Before any data enters the public domain, each packet is encrypted and placed in a separate envelope for transmission. For greatest effectiveness, the encryption is performed across the entire data stream rather than on individual packets only. Even the original source and destination addresses of the data stream are hidden from potential eavesdroppers, because the inner IP header is encrypted together with the payload; only the addresses of the two routers are visible on the Internet.

Advanced filters and firewalls

Encrypting data makes it virtually impossible to decipher without the key. To keep intruders from gaining access to your tunnel in the first place, advanced filters provide additional security. You can establish these security screens to allow only predefined traffic, in this guide the tunnel connection to and from the remote router's address, to reach the tunnel.

Filtering on the WAN port is the first step to building a firewall to shield your network. If you are using your WAN connection for creating a VPN only, you can use filters to block all transmissions except those in the secure tunnel. In this case, you don't need a firewall.

However, if you use the WAN connection both for Internet access (e.g., e-mail and the World Wide Web) and for a VPN, you should install a firewall. At the very least, you should install an Internet proxy to prevent some of the common attacks used by hackers.


PAP and CHAP

To authenticate remote users, the Internet uses a digital version of the old cowboy code: look them in the eye as you shake their hand. The handshake takes the form of the PPP authentication protocols known as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

PAP, the most basic form of authentication, transmits a user's name and password over the link and compares them to a table of name-password pairs. The passwords stored in the table are usually encrypted or hashed. PAP's weakness, however, is that both the username and password are transmitted in the clear, that is, in unencrypted form, so anyone who can observe the link can capture and reuse them.

CHAP features stronger security measures. In CHAP, the authenticating router sends a random challenge to the other router. The peer does not send its password at all; it replies with a one-way hash (MD5 in standard CHAP) computed over the challenge and the shared secret, and the authenticator checks the reply against the same computation using its own copy of the secret. An eavesdropper sees only the challenge and the hash, and because each challenge is different, a captured reply cannot be replayed later. Note that CHAP still requires the shared secret to be stored in recoverable form on both routers, and a captured challenge/response pair can be attacked offline by guessing weak secrets, so the secret should be long and random.
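To make the difference between the two protocols concrete, here is an added example that is not part of the guide and not Intel's router code: it models PAP as specified in RFC 1334 and MD5 CHAP as specified in RFC 1994, and shows what crosses the link in each case. The peer name, the secret and the challenge values are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed name/secret table for the example. A real router keeps this in its
# configuration; CHAP needs the secret itself (not a hash of it) on both sides.
SECRETS: Dict[str, bytes] = {"router2": b"correct-horse-battery-staple"}


def pap_on_the_wire(name: str, password: bytes) -> bytes:
    """PAP (RFC 1334): the peer sends name and password as they are.
    The return value is exactly what an eavesdropper on the link captures."""
    return name.encode() + b"\x00" + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    The secret never leaves the peer; only this 16-byte digest is transmitted."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The authenticating router: issues single-use challenges and checks responses."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.outstanding: Dict[int, bytes] = {}  # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        identifier = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        challenge = os.urandom(16)  # fresh random value, never reused
        self.outstanding[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Single use: once a challenge has been answered it is gone, so a replay finds nothing.
        challenge: Optional[bytes] = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def chap_exchange(auth: ChapAuthenticator, name: str, peer_secret: bytes) -> dict:
    """Run one CHAP exchange. 'captured' is everything that crossed the link;
    peer_secret is not among it."""
    identifier, challenge = auth.challenge()
    response = chap_response(identifier, peer_secret, challenge)
    return {
        "ok": auth.verify(identifier, name, response),
        "captured": {"id": identifier, "challenge": challenge, "name": name, "response": response},
    }


def replay(auth: ChapAuthenticator, captured: dict) -> bool:
    """An eavesdropper resends a captured response. It fails because the challenge it
    answered has been consumed and any new challenge is different."""
    return auth.verify(captured["id"], captured["name"], captured["response"])


if __name__ == "__main__":
    auth = ChapAuthenticator(SECRETS)
    first = chap_exchange(auth, "router2", SECRETS["router2"])
    print("genuine peer authenticated:", first["ok"])
    print("replay of captured response accepted:", replay(auth, first["captured"]))
    print("wrong secret accepted:", chap_exchange(auth, "router2", b"guess")["ok"])
    print("PAP on the wire:", pap_on_the_wire("router2", SECRETS["router2"]))
```

The eavesdropper's view of CHAP is the `captured` dictionary: identifier, challenge, name and digest. Recovering the secret from it means guessing candidate secrets and recomputing the MD5 offline, which is why the secret's length and randomness matter even though it is never transmitted.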

Other security features

Other security features include Network Address Translation (NAT) and PPP Call Back. NAT enhances security by hiding internal IP addresses when data is sent over the Internet or WAN. NAT also provides considerable savings in time and money by eliminating the need to redesign your business's internal TCP/IP addressing scheme when connecting to the Internet or remote sites with conflicting IP addressing schemes.

Using NAT, an Intel Express Router automatically maps an IP address to each internal LAN address, enabling transparent communication with those outside your corporate network. Alternatively, the router can maintain a pool of unique IP addresses, assigning a temporary address to a workstation whenever it connects over the Internet or WAN. This method requires fewer official Internet IP addresses.

Over ISDN (EuroISDN only) and analog modems, PPP Call Back can be used for authentication. If a user dials in for access to the LAN, the router cuts the connection, then calls back to ensure that it's an authorized link. PPP Call Back is compatible with the Microsoft Call Back standard.

Example Scenarios for Configuration of a Tunnel

Now that we have covered some of the basics of tunneling, let's look at some specific examples of configuring the router for different applications that include a tunnel. There are five examples that cover these specific configurations:

1. Internet tunnel without allowing Internet access
2. Internet tunnel with Internet access
3. Internet tunnel with web access and SMTP e-mail exchange
4. Internet tunnel with a proxy server installed
5. Internet tunnel with a firewall installed

Note: These tunneling configuration scenarios exclude many common services such as FTP, Telnet and common Internet plug-ins such as streaming audio or video. This strict configuration provides the most security. The more services you allow, the greater the susceptibility of the system to attack. Add additional filters with caution.

If you need to add filters for common services (also known as well-known ports), visit the following Web sites:

Mark Daugherty's TCP/IP page:
http://members.iquest.net/~mdd/tcpip.html

RFC 1700 assigned numbers:
http://www.internic.net/rfc/rfc1700.txt

(RFC 1700 has since been obsoleted; the current list is the IANA Service Name and Transport Protocol Port Number Registry.)

For services not listed here, contact the product vendor for the protocol and port information needed to create a filter.

Configuration issues

Before we go to the specific examples, let's discuss some issues that apply to all configurations. With Intel Express Routers, configuring a tunnel is simple. You don't have to modify applications or add any specialized software to your LAN. Just enter the IP address of the router at the remote site and enter the same encryption key on both ends of the WAN. The connection will work with virtually any ISP and travel as easily as open traffic through the Internet.

Disabling Telnet

While Telnet allows remote configuration and management of the router, it also opens a high security risk: Telnet carries the login password and the whole management session in the clear, so anyone able to observe the path, including anyone on the Internet side of the WAN link, can capture them. As a result, we recommend that you disable Telnet, and enable it only when you need it. When you enable Telnet, use a password containing at least six characters, with a mix of letters, numbers and punctuation marks.

Static IP host route to the remote router

To establish the tunnel you need to configure a static host route to the IP address of the remote router at the end of the tunnel. The IP address may be the address of either the WAN or the LAN interface.

Numbered IP WAN link

By using the IP address (if one is assigned) of the WAN interface instead of the LAN interface, you can hide your internal IP network from the Internet. However, hiding your internal IP network does not allow users to reach the Internet unless you also use Network Address Translation (NAT).

Encryption

The use of data encryption over a public data network is highly recommended. Private data being transferred over the public Internet should always be encrypted for security.

Filtering

Filters act like security guards who require all traffic to show a badge before passing a gate. In the case of a tunnel, filters allow only predefined traffic through the router.

Filters are defined on a link basis, and separate filters are implemented for transmitting and receiving. Since you only need to protect the local LAN from intruders and do not want to restrict access to the Internet from the local LAN, it is enough to filter on incoming packets. Therefore, the transmit filter must be set to pass all packets.

Whenever an IP station wants to establish a session over TCP, the ACK flag in the TCP header is always set to 0 in the connection-request (SYN) packet, while every later packet of the connection has ACK set. By filtering on the ACK flag, we can tell the router to pass replies to connections opened from the LAN while discarding incoming connection requests to the LAN from the Internet. Note that this is a stateless check: the router does not remember which connections the LAN actually opened, so any packet with the ACK bit set and a permitted address and port combination (for example, one sent deliberately by a port scanner) is passed to the LAN, where the receiving host rejects it only because no matching connection exists.

The tunnel connection is a TCP connection to port 1990. When a router establishes a tunnel, it connects to destination port 1990 and uses a source port higher than 2000.

Setting up IP filters is described more fully in Chapter 6 of the User Guide. A quick description of how to configure a tunnel and how to configure a filter is given at the end of this document.

[Figure 1. Internet Tunneling Only: LAN 1 - Router 1 - WAN 1 - ISP - Internet - ISP - WAN 2 - Router 2 - LAN 2, with the tunnel running between Router 1 and Router 2.]

Configuration Scenarios

1. Internet Tunneling Only

In this example, the two sites (LAN 1 and LAN 2) want to exchange data over the Internet. There is no need for Internet e-mail or Web access.

Filter configuration

The router must accept only tunnel traffic from the WAN link to the ISP; it must only receive packets from the remote router over the tunnel (receive filter). All other packets must be discarded.

Transmit filter: the default action must be set to Pass.

Receive filter: the default action must be set to Discard.


2. Tunneling with browser (HTTP) access to the Internet

Example 2 shows a configuration that opens a tunnel to the remote router as well as allowing users on the local LAN to browse the World Wide Web on the Internet.

Internet access setup

To establish Internet access, a static route to the Internet must be configured. A static route representing the Internet is 0.0.0.0 with subnet mask 0.0.0.0. The static route must be assigned to the WAN interface toward the Internet.

The static route must be added under >Protocols>IP routing>Static Route> where:

    The network address is 0.0.0.0
    Network mask is 0.0.0.0
    Link is the WAN link toward the Internet.

Filter configuration

Filtering requirements:

    The router must allow tunnel traffic between the LAN and the remote router.
    Users on the local LAN must have access to Web (HTTP) services on the Internet.
    Users must be able to access external Domain Name Servers.

Tunnel filter

The router must accept tunnel traffic from the remote router via the link to the ISP.

[Figure 2. Tunneling with browser (HTTP) access to the Internet: LAN 1 - Router 1 - WAN 1 - ISP - Internet - ISP - WAN 2 - Router 2 - LAN 2, with the tunnel running between Router 1 and Router 2.]

Receive filter on the WAN link toward the Internet (tunnel rules)

    Rule           Action  Protocol  TCP flag  Source IP      Source port      Destination IP  Destination port
    Tunnel client  Pass    TCP       ACK       remote router  = 1990 (Tunnel)  local router    > 2000
    Tunnel server  Pass    TCP       All       remote router  > 2000           local router    = 1990 (Tunnel)

The Tunnel client filter allows the local router to establish the tunnel connection.

The Tunnel server filter allows the remote router to establish the tunnel connection.

The IP address of the local router should be the IP address of either the WAN interface or the LAN interface. For maximum security, the IP address of the WAN interface should be used (if one is assigned).

The IP address of the remote router is the address to which the tunnel should be established.

Internet access filter

The router must not allow external users to get access to the local LAN from the Internet, i.e., it must discard all connection requests from the Internet (receive filter). At the same time, it must allow all users on the LAN to get Web access on the Internet.

Domain Name Server filter

When connecting to a Web server on the Internet, you normally connect with a URL. To translate the host name in the URL into an IP address, you will need to connect to a Domain Name Server (DNS), which will give you the IP address of the name you want to connect to.

Transmit filter: the default action must be set to Pass.

Receive filter: the default action must be set to Discard.

Receive filters on the WAN link toward the Internet

    Rule           Action  Protocol  TCP flag  Source IP            Source port      Destination IP  Destination port
    Tunnel client  Pass    TCP       ACK       remote router        = 1990 (Tunnel)  local router    > 2000
    Tunnel server  Pass    TCP       All       remote router        > 2000           local router    = 1990 (Tunnel)
    WWW client     Pass    TCP       ACK       All                  = 80 (HTTP)      local net       > 1023
    DNS client     Pass    UDP       -         external DNS server  = 53 (DNS)       local net       > 1023
    DNS client     Pass    TCP       ACK       external DNS server  = 53 (DNS)       local net       > 1023

The Tunnel client filter allows the local router to establish the tunnel connection.

The Tunnel server filter allows the remote router to establish the tunnel connection.

The WWW client filter allows local users to establish a Web connection to the Internet, but the default filter discards connection requests from the Internet to the LAN.

The DNS filters allow the local users to access DNS servers on the Internet. DNS requests might use either UDP or TCP as a transport protocol; therefore, both protocols must be allowed to pass the filter.

The IP address of the external DNS server is the address of the external DNS server on the Internet, given by your Internet provider.

The IP address of the local router should be the IP address of either the WAN interface or the LAN interface. For better security, the IP address of the WAN interface should be used (if one is assigned).

The IP address of the remote router is the address of the router over the tunnel.
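The receive filter above is a stateless rule list: the first rule that matches a packet passes it, and anything unmatched falls to the default action, Discard. The following added example, which is not code from the guide or from the Express Router, expresses the scenario 2 table in Python and runs representative packets through it, including one that shows the limit of matching on the ACK flag described under Filtering. All addresses are constructed for the example; the port numbers are the ones in the table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

# Constructed example addresses (documentation ranges), not values from the guide.
LOCAL_ROUTER = "198.51.100.2"   # WAN address of the local router
REMOTE_ROUTER = "203.0.113.9"   # address the tunnel is established to
LOCAL_NET = "192.168.10.0/24"   # the local LAN behind the router
EXTERNAL_DNS = "203.0.113.53"   # DNS server address given by the ISP
TUNNEL_PORT = 1990              # the tunnel's TCP destination port


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; a connection request (SYN) has ack=False


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    ack: Optional[bool]             # True = ACK must be set; None = "All"
    src: Optional[str]              # host or network; None = "All"
    sport: Callable[[int], bool]
    dst: Optional[str]
    dport: Callable[[int], bool]


def eq(n: int) -> Callable[[int], bool]:
    return lambda port: port == n


def gt(n: int) -> Callable[[int], bool]:
    return lambda port: port > n


def in_scope(spec: Optional[str], addr: str) -> bool:
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if pkt.proto == "TCP" and rule.ack is not None and rule.ack != pkt.ack:
        return False
    return (in_scope(rule.src, pkt.src) and rule.sport(pkt.sport)
            and in_scope(rule.dst, pkt.dst) and rule.dport(pkt.dport))


# The receive filter on the WAN link for scenario 2, row for row.
RECEIVE_FILTER: List[Rule] = [
    Rule("Tunnel client", "TCP", True, REMOTE_ROUTER, eq(TUNNEL_PORT), LOCAL_ROUTER, gt(2000)),
    Rule("Tunnel server", "TCP", None, REMOTE_ROUTER, gt(2000), LOCAL_ROUTER, eq(TUNNEL_PORT)),
    Rule("WWW client", "TCP", True, None, eq(80), LOCAL_NET, gt(1023)),
    Rule("DNS client", "UDP", None, EXTERNAL_DNS, eq(53), LOCAL_NET, gt(1023)),
    Rule("DNS client", "TCP", True, EXTERNAL_DNS, eq(53), LOCAL_NET, gt(1023)),
]


def receive(pkt: Packet, rules: List[Rule] = RECEIVE_FILTER) -> str:
    """Name of the first Pass rule that matches, or "Discard" (the default action)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name
    return "Discard"


# Constructed inbound traffic on the WAN link. 192.0.2.80 stands for an Internet host.
SAMPLES = {
    "remote router opens the tunnel": Packet("TCP", REMOTE_ROUTER, 2345, LOCAL_ROUTER, TUNNEL_PORT),
    "reply to a tunnel we opened": Packet("TCP", REMOTE_ROUTER, TUNNEL_PORT, LOCAL_ROUTER, 2346, ack=True),
    "web page coming back to a LAN user": Packet("TCP", "192.0.2.80", 80, "192.168.10.5", 40000, ack=True),
    "Internet host connects to a LAN web server": Packet("TCP", "192.0.2.80", 40000, "192.168.10.5", 80),
    "DNS answer from the ISP's server": Packet("UDP", EXTERNAL_DNS, 53, "192.168.10.5", 5353),
    "DNS answer from some other server": Packet("UDP", "203.0.113.54", 53, "192.168.10.5", 5353),
    "ACK scan: forged reply with no connection": Packet("TCP", "192.0.2.80", 80, "192.168.10.5", 40001, ack=True),
}


def run_samples() -> dict:
    return {label: receive(pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{verdict:14} {label}")
```

The last sample is the caveat in code: a packet with the ACK bit set, source port 80 and a high destination port on the LAN is indistinguishable, to this filter, from a genuine reply, so it is passed as "WWW client" even though no LAN host ever opened that connection. Only a firewall that tracks connection state (scenario 5) can tell the two apart.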


3. Tunneling with browser access and mail exchange on the Internet

In this example, users on the LAN have Web browser access to the Internet and access to the remote LAN via an Internet tunnel. They also need to be able to receive and send e-mail over the Internet via an internal mail server, using an external mail transfer agent.

Internet access setup

To get Internet access, a static route to the Internet must be configured. A static route representing the Internet is 0.0.0.0 with subnet mask 0.0.0.0. The static route must be assigned to the WAN interface toward the Internet.

The static route must be added under >Protocols>IP Routing>Static Route> where:

    The network address is 0.0.0.0
    Network mask is 0.0.0.0
    Link is the WAN link toward the Internet.

Filter configuration

These are the requirements for filtering:

    The router must allow tunnel traffic to and from the LAN and the remote router.
    Users on the LAN must have access to Web (HTTP) services on the Internet.
    Users must have access to an external Domain Name Server.
    Users must be able to receive and send e-mails to and from the Internet.

Tunnel filter

The router must accept tunnel traffic from the remote router via the link to the ISP.

Internet access filter

The router must not allow external users to get access to the local LAN from the Internet, i.e., it must discard all connection requests from the Internet (receive filter). At the same time, it must allow all users on the LAN to get Web and e-mail access on the Internet.

Domain Name Server filter

When connecting to a Web server on the Internet, you normally connect using a URL. To translate the host name in the URL into an IP address, you will need to connect to a Domain Name Server. The DNS will give you the IP address of the host to which you want to connect.

Allowing access to and from an internal mail server and to and from an Internet mail server

The internal mail server only needs to communicate with one external mail server on the Internet: a mail transfer agent. The Internet provider must supply the IP address of the external mail server.

Transmit filter: the default action must be set to Pass.

Receive filter: the default action must be set to Discard.

[Figure 3. Tunneling with browser access and mail exchange on the Internet: LAN 1 (with Mail Server) - Router 1 - WAN 1 - ISP - Internet - ISP - WAN 2 - Router 2 - LAN 2, with the tunnel running between Router 1 and Router 2.]


Receive filter on the WAN link toward the Internet

    Rule              Action  Protocol  TCP flag  Source IP             Source port      Destination IP        Destination port
    Tunnel client     Pass    TCP       ACK       remote router         = 1990 (Tunnel)  local router          > 2000
    Tunnel server     Pass    TCP       All       remote router         > 2000           local router          = 1990 (Tunnel)
    Receive e-mails   Pass    TCP       All       external mail server  > 1023           internal mail server  = 25 (SMTP)
    Transmit e-mails  Pass    TCP       ACK       external mail server  = 25 (SMTP)      internal mail server  > 1023
    WWW client        Pass    TCP       ACK       All                   = 80 (HTTP)      local net             > 1023
    DNS client        Pass    UDP       -         external DNS server   = 53 (DNS)       local net             > 1023
    DNS client        Pass    TCP       ACK       external DNS server   = 53 (DNS)       local net             > 1023

The Tunnel client filter allows the local router to establish the tunnel connection.

The Tunnel server filter allows the remote router to establish the tunnel.

The Mail filters allow an internal SMTP mail server to send and receive mail with an external mail server (mail transfer agent). Receive e-mails is the only rule in these scenarios that passes inbound connection requests (TCP flag All) to a host on the LAN, which is why it is restricted to the single external mail server address and the single internal mail server address; do not widen either to All.

The WWW client filter allows local users to establish a connection to the Internet, but the default filter discards connection requests from the Internet to the LAN.

The DNS filters allow the local users to access DNS servers on the Internet. DNS requests might use either UDP or TCP as a transport protocol; therefore, both protocols must be allowed to pass the filter.

The IP address of the external DNS server is the address of the external DNS server on the Internet. The address must be supplied by the Internet Service Provider.

The IP address of the local router should be the IP address of either the WAN interface or the LAN interface. For maximum security, the IP address of the WAN interface should be used (if one is assigned).

The IP address of the remote router is the address of the router over the tunnel.

The IP address of the external mail server is the address of the external mail server. The internal mail server communicates with the external mail server when sending and receiving e-mail. The external mail server address must be given by the Internet Service Provider.


4. Tunneling with browser access on the Internet through a proxy server

In this scenario, users on the LAN have browser access to the Internet. When users browse the Internet, they will connect through a proxy server.

Internet access setup

To get Internet access, a static route to the Internet must be configured. A static route representing the Internet is 0.0.0.0, with a subnet mask set at 0.0.0.0. The static route must be assigned to the WAN interface, toward the Internet.

The static route must be added under >Protocols>IP Routing>Static Route> where:

    The network address is 0.0.0.0
    Network mask is 0.0.0.0
    Link is the WAN link toward the Internet.

Filter configuration

These are the requirements for filtering:

    The router must allow tunnel traffic to and from the LAN of the remote router.
    Users on the LAN must be able to browse on the Internet through the proxy server. The filter must, therefore, only allow Web (HTTP) traffic to the proxy server.
    Users must have Domain Name Server access to the Internet through the proxy server.

Tunnel filter

The router must accept tunnel traffic from the remote router via the link to the ISP.

Internet access filter

The router must not allow external users to get access to the local LAN from the Internet, i.e., it must discard all connection requests from the Internet (receive filter). The router should only accept packets to the proxy server from the Internet.

Domain Name Server filter

When connecting to a Web server on the Internet, you normally connect using a URL. To translate the host name in the URL into an IP address, you will need to connect to a Domain Name Server. The DNS will give you the IP address of the name to which you want to connect.

Transmit filter: the default action must be set to Pass.

Receive filter: the default action must be set to Discard.

[Figure 4. Tunneling with browser access on the Internet through a proxy server: Local net (with Proxy Server) - Express Router - WAN 1 - ISP - Internet - ISP - WAN 2 - Express Router - Remote net, with the tunnel running between the two Express Routers.]


Receive filter on the WAN link toward the Internet

    Rule           Action  Protocol  TCP flag  Source IP            Source port      Destination IP  Destination port
    Tunnel client  Pass    TCP       ACK       remote router        = 1990 (Tunnel)  local router    > 2000
    Tunnel server  Pass    TCP       All       remote router        > 2000           local router    = 1990 (Tunnel)
    WWW client     Pass    TCP       ACK       All                  = 80 (HTTP)      proxy server    > 1023
    DNS client     Pass    UDP       -         external DNS server  = 53 (DNS)       proxy server    > 1023
    DNS client     Pass    TCP       ACK       external DNS server  = 53 (DNS)       proxy server    > 1023

The Tunnel client filter allows the local router to establish the tunnel connection.

The Tunnel server filter allows the remote router to establish the tunnel connection.

The WWW client filter allows local users to establish a connection to the Internet through the proxy server, but the default filter discards connection attempts from the Internet to the LAN.

The DNS filters allow the proxy server to access DNS servers on the Internet on behalf of local users. DNS requests might use either UDP or TCP as a transport protocol; therefore, both protocols must be able to pass the filter.

The IP address of the external DNS server is the address of the external DNS server on the Internet. The address must be provided by the Internet Service Provider.

The IP address of the local router should be either the IP address of the WAN interface or the LAN interface. For maximum security, the IP address of the WAN interface should be used (if one is assigned).

The IP address of the remote router is the address of the router over the tunnel.


5. Internet tunneling through a firewall

While not required for every application, a dedicated firewall for filtering is the most secure solution for tunneling. The firewall must be set up to allow tunnel traffic to pass between the remote router and the local router. The router on the LAN is used as a tunnel end-point to the remote network; it has no WAN connection, so the tunnel is configured over its LAN interface (see Tunneling over a LAN connection at the end of this guide). The router that connects the firewall to the Internet does not need tunnel links, nor does it have to be an Intel Express Router to pass tunnel traffic.

Filter configuration

You do not need to add filters in the local router. The firewall has the responsibility to filter out unwanted packets. However, the firewall must allow tunnel traffic to pass both ways between the local router and the remote router.

Firewall Configuration

The firewall must be configured to pass tunnel traffic in the same way the Express Router filters are configured to pass tunnel traffic (see table below).

Transmit filter: the default action must be set to Pass.

Receive filter: the default action must be set to Discard.

[Figure 5. Internet tunneling through a firewall: Desktop System - Express Router - Firewall - Router - WAN 1 - ISP - Internet - ISP - WAN 2 - Express Router - Desktop System, with the tunnel running between the two Express Routers through the firewall.]

Receive filter in the firewall to allow tunnel traffic

    Rule           Action  Protocol  TCP flag  Source IP      Source port      Destination IP  Destination port
    Tunnel client  Pass    TCP       ACK       remote router  = 1990 (Tunnel)  local router    > 2000
    Tunnel server  Pass    TCP       All       remote router  > 2000           local router    = 1990 (Tunnel)

The Tunnel client filter allows the local router to establish the tunnel connection.

The Tunnel server filter allows the remote router to establish the tunnel connection.

The IP address of the local router should be the IP address of the LAN interface.

The IP address of the remote router is the address of the router over the tunnel.


How to Configure Tunnels and Filters

The following procedure is an abbreviated guide to configuring a tunnel, for routing data to a remote site via the Internet. See the User Guide for detailed instructions. It is assumed that the link to the Internet is already configured; if not, see the Quick Setup Guide or Chapter 5 of the User Guide for instructions.

Tunneling over a WAN connection

1. Enter the Links option of Advanced Setup.

2. Add a new link. Choose Internet Tunnel as the WAN protocol.

3. For Local IP Address, choose either the address of the LAN interface or the address of the WAN interface, if one is assigned. Note: the address must be an official address given by the Internet Service Provider.

4. For Remote IP Address, use the address of the remote router to which the tunnel should be established. Again, either the WAN or the LAN IP address of the remote router can be chosen.

5. Enable encryption for the tunnel. Data communication via the tunnel is not secure otherwise.

6. Select IP routing under the Protocols option of Advanced Setup.

7. Add a static host route to the remote router. The host route must be set up with the same IP address as the Remote IP Address and must be assigned to the WAN interface toward the Internet. Remember that the subnet mask of a host route is always 255.255.255.255.

8. Configure the protocols (IP, IPX and/or Bridging) to be used over the tunnel. See Chapters 6, 7 and 8 of the User Guide for information on configuring the protocols.

Tunneling over a LAN connection

1. Enter the Links option of Advanced Setup.

2. Add a new link. Choose Internet Tunnel as the WAN protocol.

3. For Local IP Address, choose the IP address of either the LAN interface or the WAN interface, if one is assigned. Note: the address must be an official address given by the Internet Service Provider.

4. For Remote IP Address, use the IP address of the remote router to which the tunnel should be established. Again, choose either the WAN or the LAN address of the remote router.

5. Enable encryption for the tunnel. Data communication via the tunnel is not secure otherwise.

6. Select IP routing under the Protocols option of Advanced Setup.

7. Add a static host route to the remote router. The host route must be set up with the same IP address as the Remote IP Address and must be assigned to the LAN interface. Remember that the subnet mask of a host route is 255.255.255.255.

8. Forwarding Address must be the IP address of the local router connected to the Internet. If a firewall is used, the Forwarding Address must be the IP address of the firewall.

9. Configure the protocols (IP, IPX or Bridging) to be used over the tunnel. See Chapters 6, 7 and 8 of the User Guide for configuring the protocols.
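The two procedures above (WAN and LAN tunneling) share a small set of checks that are easy to get wrong: an address that is not reachable from the Internet, encryption left off, a host route whose address, mask or interface does not match, or a missing Forwarding Address on a LAN tunnel. The following checklist is an added example, not Intel's code or configuration UI; the dictionary layout, the field names, the sample addresses and the reading of "official address" as "not a private, loopback, link-local or unspecified address" are all assumptions made for the illustration.

```python
"""Checklist for an Express Router "Internet Tunnel" link.

Added example, not code or UI from Intel or this guide.  The dictionary
layout, field names and sample addresses are assumptions chosen to mirror
the steps of the WAN and LAN procedures above.
"""
import ipaddress

HOST_MASK = "255.255.255.255"   # a host route always uses this mask

# Assumption: "official address given by the ISP" is read as "not a
# private, loopback, link-local or unspecified address".
NON_OFFICIAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def is_official(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_OFFICIAL)


def check_tunnel(cfg: dict) -> list:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    local, remote = cfg["local_ip"], cfg["remote_ip"]

    # Steps 3 and 4: both tunnel endpoints must be reachable across the Internet.
    for name, ip in (("Local IP Address", local), ("Remote IP Address", remote)):
        if not is_official(ip):
            problems.append(f"{name} {ip} is not an official (Internet-reachable) address")

    # Step 5: without encryption everything in the tunnel crosses the Internet in clear.
    if not cfg.get("encryption", False):
        problems.append("encryption is disabled; tunnel traffic is not secure")

    # Step 7: static host route to the remote router, same address as the
    # Remote IP Address, mask 255.255.255.255, on the right interface.
    route = cfg.get("host_route")
    if route is None:
        problems.append("no static host route to the remote router")
    else:
        if route.get("destination") != remote:
            problems.append("host route destination does not equal the Remote IP Address")
        if route.get("mask") != HOST_MASK:
            problems.append(f"host route mask is {route.get('mask')}, must be {HOST_MASK}")
        wanted = "WAN" if cfg["tunnel_over"] == "WAN" else "LAN"
        if route.get("interface") != wanted:
            problems.append(f"host route is on {route.get('interface')}, must be on the {wanted} interface")

    # Step 8 of the LAN procedure: Forwarding Address is the local Internet
    # router, or the firewall when one is in the path.
    if cfg["tunnel_over"] == "LAN":
        fwd = cfg.get("forwarding_address")
        if not fwd:
            problems.append("LAN tunnel has no Forwarding Address")
        elif cfg.get("firewall_ip") and fwd != cfg["firewall_ip"]:
            problems.append("a firewall is in use, so Forwarding Address must be the firewall's address")
    return problems


# Constructed sample configurations (not from the guide).  The weak one has a
# private local address, no encryption and a network mask on the host route.
WEAK_WAN = {
    "tunnel_over": "WAN",
    "local_ip": "192.168.1.1",
    "remote_ip": "198.51.100.20",
    "encryption": False,
    "host_route": {"destination": "198.51.100.20", "mask": "255.255.255.0", "interface": "WAN"},
}

GOOD_WAN = {
    "tunnel_over": "WAN",
    "local_ip": "203.0.113.10",
    "remote_ip": "198.51.100.20",
    "encryption": True,
    "host_route": {"destination": "198.51.100.20", "mask": HOST_MASK, "interface": "WAN"},
}

GOOD_LAN = {
    "tunnel_over": "LAN",
    "local_ip": "203.0.113.11",
    "remote_ip": "198.51.100.20",
    "encryption": True,
    "host_route": {"destination": "198.51.100.20", "mask": HOST_MASK, "interface": "LAN"},
    "firewall_ip": "203.0.113.2",
    "forwarding_address": "203.0.113.2",
}

if __name__ == "__main__":
    for label, cfg in (("WEAK_WAN", WEAK_WAN), ("GOOD_WAN", GOOD_WAN), ("GOOD_LAN", GOOD_LAN)):
        print(label, check_tunnel(cfg) or "OK")
```

Running the script reports three problems for WEAK_WAN (private local address, encryption off, wrong mask) and nothing for the two good configurations; pointing GOOD_LAN's Forwarding Address at anything other than the firewall produces exactly one complaint.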

How to configure IP filters

Use the following procedure to configure IP filtering on the LAN or the WAN interface.

1. Enter the Advanced screen under the IP link to which you would like to add a filter.

2. Set the Filtering parameter to Enabled on the Advanced screen for the IP link.

3. Select Tx Filters on the Advanced screen for the IP link. Set the Default Action to Pass; filtering is done only on received traffic.

4. Go back to Rx Filters to define receive filters.

5. Set the Default Action to Discard.

6. Use Add to add a new filter.

7. Set Action to Pass.

8. Set the filter parameters as described in the examples given earlier in this document.

The filtering of IP packets is based on the following criteria:

IP protocol

A filter can process packets based on UDP, TCP or ICMP. Other protocols can be defined by their IP protocol number. TCP filtering can also be based on the TCP flags: either all flags (any TCP segment) or only segments with the acknowledge (ACK) flag set.


Source address

Use the Source Address to filter packets entering the router via the link from a specific host or network.

Source port

The Source Port filters packets originating from a single port (e.g., SMTP or HTTP), from a range of ports, or from all ports.

Destination address

A filter can process packets addressed to a host address or a network address.

Destination port

A filter can process packets addressed to a single port, a range of ports or all ports.

Port values and port operator

For the port value, it is possible to define whether the port value should be equal (=), different (!=), greater than (>) or less than (<).
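The criteria listed above (protocol, TCP flag, source and destination address, port value with its operator) are exactly what the two rows of the "Receive filter in the firewall to allow tunnel traffic" table earlier on this page are built from. The following evaluator is an added example, not Intel's code: it implements those matching criteria, loads the two table rows as rules under a default action of Discard, and runs constructed packets through them. The router addresses, the sample packets, and the evaluation order (first matching rule decides, otherwise the default action) are assumptions; port 1990 is the tunnel port from the table.

```python
"""Stateless receive filter modelled on the tunnel rules in this guide.

Added example, not Intel's code.  Implements the filter criteria (protocol,
TCP flag, source/destination address, port operators =, !=, >, <) and the
two rows of the firewall receive-filter table.  Addresses and packets are
constructed samples; first-match-wins ordering is an assumption.
"""
from dataclasses import dataclass
import operator

LOCAL_ROUTER = "203.0.113.10"    # LAN interface of the local Express Router (sample)
REMOTE_ROUTER = "198.51.100.20"  # router at the far end of the tunnel (sample)
TUNNEL_PORT = 1990               # TCP port of the Internet Tunnel, from the table

PORT_OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt}


@dataclass(frozen=True)
class Packet:
    proto: str         # "TCP", "UDP" or "ICMP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool = False  # TCP ACK flag set


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "Pass" or "Discard"
    proto: str
    tcp_flag: str      # "ACK": only segments with ACK set; "All": any flags
    src_ip: str
    src_port: tuple    # (operator, value), e.g. ("=", 1990)
    dst_ip: str
    dst_port: tuple

    def matches(self, p: Packet) -> bool:
        if (p.proto, p.src_ip, p.dst_ip) != (self.proto, self.src_ip, self.dst_ip):
            return False
        if self.proto == "TCP" and self.tcp_flag == "ACK" and not p.ack:
            return False
        op, value = self.src_port
        if not PORT_OPS[op](p.src_port, value):
            return False
        op, value = self.dst_port
        return PORT_OPS[op](p.dst_port, value)


# The two rows of the firewall receive-filter table.
RX_RULES = [
    Rule("Tunnel client", "Pass", "TCP", "ACK",
         REMOTE_ROUTER, ("=", TUNNEL_PORT), LOCAL_ROUTER, (">", 2000)),
    Rule("Tunnel server", "Pass", "TCP", "All",
         REMOTE_ROUTER, (">", 2000), LOCAL_ROUTER, ("=", TUNNEL_PORT)),
]


def rx_filter(p: Packet, rules=RX_RULES, default="Discard") -> str:
    """Receive filter: the first matching rule decides, else the default action."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed traffic, one packet per case worth checking.
SAMPLE_PACKETS = {
    "reply to a tunnel the local router opened":
        Packet("TCP", REMOTE_ROUTER, TUNNEL_PORT, LOCAL_ROUTER, 3001, ack=True),
    "remote router opening the tunnel":
        Packet("TCP", REMOTE_ROUTER, 45000, LOCAL_ROUTER, TUNNEL_PORT),
    "SYN from remote port 1990 to a high port (no ACK)":
        Packet("TCP", REMOTE_ROUTER, TUNNEL_PORT, LOCAL_ROUTER, 3001),
    "third party pretending to be the tunnel server":
        Packet("TCP", "192.0.2.99", TUNNEL_PORT, LOCAL_ROUTER, 3001, ack=True),
    "UDP to port 1990":
        Packet("UDP", REMOTE_ROUTER, 45000, LOCAL_ROUTER, TUNNEL_PORT),
}


def decide_all() -> dict:
    """Decision of the receive filter for every sample packet."""
    return {name: rx_filter(p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, action in decide_all().items():
        print(f"{action:8} {name}")
```

Only the two legitimate tunnel flows pass. The third case shows what the ACK flag on the Tunnel client row buys: a connection attempt arriving from port 1990 toward a high port on the local router has no ACK set and falls through to the default Discard, whereas the remote router's genuine connection to port 1990 is accepted by the Tunnel server row regardless of flags. A source port of exactly 2000 also fails the "> 2000" test, which is worth remembering when the other side's ephemeral port range starts low.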

Please Recycle. NP1040

