7/28/2019 Secure Tunnel
Internet Secure Tunneling
Implementation Guide
Dear Customer:

Congratulations on your purchase of the Intel Express Router, now with Virtual Private Networking for secure networking over the Internet.

Intel Express Routers can secure your private business communications for safe and affordable transmission over the Internet. At the same time, Intel Express Routers continue to offer a simple, cost-effective solution for your traditional WAN routing needs.

This guide shows how to configure a secure tunnel for VPN using two Intel Express Routers. The guide covers different configurations and set-ups to meet most network needs. We also provide an introduction to secure tunneling and security issues. A list of responses to frequently asked questions is included.

We've attempted to provide complete information in this guide. If you should want further assistance, Intel offers a number of support and service options. For more information, go to http://support.intel.com/sites/support/.

Thank you for your purchase!

Sincerely,
The Intel Express Routers Marketing Team
Table of Contents

Introduction to Tunneling
  Securing Data Over a VPN
  Advanced filters and firewalls
  PAP and CHAP
Example Scenarios for Configuration of a Tunnel
  Configuration issues
    Static IP host route to the remote router
    Numbered IP WAN link
    Encryption
    Filtering
  Configuration Scenarios
    1. Internet Tunneling only
    2. Tunneling with browser (HTTP) access to the Internet
    3. Tunneling with browser access and mail exchange on the Internet
    4. Tunneling with browser access on the Internet through a proxy server
    5. Internet tunneling through a firewall
How to Configure Tunnels and Filters
  Tunneling over a WAN connection
  Tunneling over a LAN connection
  How to configure IP filters
Frequently Asked Questions
Introduction to Tunneling

Tunneling is a technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. It is almost like having your own private network.

With two or more Intel Express Routers, you can use tunneling and encryption to create a Virtual Private Network (VPN). This virtual network allows safe use of the Internet to send and receive secure business data between LANs. You get the security of a private network at the vastly lower expense of simple Internet connections.

In addition to security and low cost, another benefit of tunneling is its global networking capability. Any international site can be connected to a VPN over the Internet. Because the tunnel link is independent of the Wide Area Networking (WAN) link, you can connect to the Internet via any WAN link, including T1/E1, ISDN, Frame Relay or X.25, for example.

Tunneling employs the Internet Protocol (IP), which specifies the format of packets and the addressing scheme. All data transmitted over the tunnel is encapsulated in IP packets. As a result, you can route and bridge protocols, enable filters and deploy cost-control features the same way as when using a WAN link. You can transmit IP, IPX and bridged data over the tunnel.

Typically, because of current limitations in the Internet infrastructure, VPNs are most suitable for non-real-time or lower-bandwidth traffic. For this reason, proprietary or leased-line solutions still make sense for businesses that regularly traffic in time-sensitive data or large files.
Securing data over a VPN

In a world where some people make a living by breaking into private property, whether it is real property or intellectual property in the form of data, securing private transmissions over the Internet is imperative.

Current security tools at your disposal include encryption, filtering and firewalls. With the increasing use of the Internet for private transactions, security and protection schemes constitute a major area of current high-technology research and development.

Intel Express Routers offer a simple and inexpensive solution for securing private communications over the Internet, public Frame Relay and X.25 networks. There is no need to alter your existing network architecture. Security is provided by using an Intel router at each point at which you connect to the Internet.

Intel supplies its Express Routers with powerful encryption. Intel uses the Blowfish algorithm with a 144-bit encryption key. This compares with competing solutions providing key lengths of only 40 to 128 bits. For even greater security, you can use a different key for each tunnel. Keep in mind that the key is a shared secret typed into both routers (see Configuration issues), so the protection it gives depends on how it is chosen and how it reaches the remote site: a short or guessable key, or one sent to the other site over an unprotected channel, gives away the benefit of the key length.

Before any data enters the public domain, each packet is encrypted and placed in a separate envelope for transmission. For greatest effectiveness, the encryption is performed across the entire data stream rather than on individual packets only. Because the original packet, including its source and destination addresses, is encrypted before it is encapsulated, only the addresses of the two tunnel endpoints are visible to anyone watching the Internet path.
Advanced filters and firewalls

Encrypting data makes it virtually impossible to decipher. To keep intruders from gaining access to your tunnel in the first place, advanced filters provide additional security. You can establish these security screens to allow only predefined users to access the tunnel.

Filtering on the WAN port is the first step to building a firewall to shield your network. If you are using your WAN connection for creating a VPN only, you can use filters to block all transmissions except those in the secure tunnel. In this case, you do not need a firewall.

However, if you use the WAN connection both for Internet access (e.g., e-mail and the World Wide Web) and for a VPN, you should install a firewall. At the very least, you should install an Internet proxy to prevent some of the common attacks used by hackers.
PAP and CHAP

To authenticate remote users, the Internet uses a digital version of the old cowboy code: look them in the eye as you shake their hand. The handshake takes the form of Internet protocols known as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

PAP, the most basic form of authentication, transmits a user's name and password over a network and compares them to a table of name-password pairs. The passwords stored in the table usually are encrypted. PAP's weakness, however, is that both the username and password are transmitted in the clear, that is, in an unencrypted form, so anyone able to capture traffic on the link can read them and reuse them later.

CHAP features stronger security measures. In CHAP, the authenticating router sends a random challenge value to the other router. The other router replies with its name and a one-way hash (MD5 in standard CHAP, RFC 1994) computed over the challenge and the shared secret; the secret itself never crosses the link, and because every challenge is different, a captured reply cannot simply be replayed against the next one. The username is still sent as plain text, and the authenticating router must hold the shared secret in a form it can use for the computation, so the secret table on each router must itself be protected.
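The two handshakes described above, as an added illustration that is not part of this guide or of the Express Router firmware: a minimal MD5-CHAP authenticator and peer following RFC 1994, next to the bytes a PAP request puts on the link. The user name, the shared secret, the 16-byte challenge length and the message layout are constructed for the example; the router's real credential store and PPP framing are not shown.

```python
"""PAP versus CHAP on the wire (added illustration, not Express Router code)."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed credentials: the same shared secret is configured on both routers.
USER_TABLE: Dict[bytes, bytes] = {b"router2": b"s3cr3t-tunnel-key"}


def pap_request(name: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: the name and password cross the link as-is."""
    return bytes([len(name)]) + name + bytes([len(password)]) + password


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The router that issues the challenge and checks the answer."""

    def __init__(self, user_table: Dict[bytes, bytes]) -> None:
        self.user_table = user_table
        self.identifier = 0
        self.outstanding: Dict[int, bytes] = {}   # identifier -> challenge awaiting a response

    def challenge(self) -> Tuple[int, bytes]:
        self.identifier = (self.identifier + 1) % 256
        challenge = os.urandom(16)                 # fresh and unpredictable on every attempt
        self.outstanding[self.identifier] = challenge
        return self.identifier, challenge

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)   # each challenge is answered once
        secret = self.user_table.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)      # constant-time comparison


def run_chap(auth: ChapAuthenticator, name: bytes, secret: bytes) -> Tuple[bool, List[bytes]]:
    """One CHAP exchange seen from the peer. Returns (authenticated, bytes that crossed the link)."""
    identifier, challenge = auth.challenge()                       # 1. Challenge, authenticator -> peer
    response = chap_response_value(identifier, secret, challenge)
    on_wire = [bytes([identifier]) + challenge, name + response]   # 2. Response, peer -> authenticator
    return auth.verify(identifier, name, response), on_wire


def secret_leaked(on_wire: List[bytes], secret: bytes) -> bool:
    """True if an eavesdropper on the link could read the secret verbatim."""
    return any(secret in msg for msg in on_wire)
```

Running `run_chap` with the right secret authenticates, a captured response replayed against a fresh challenge does not, and `secret_leaked` is false for the CHAP messages but true for `pap_request`, which is exactly the difference the text describes.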
Other security features

Other security features include Network Address Translation (NAT) and PPP Call Back. NAT enhances security by hiding internal IP addresses when data is sent over the Internet or WAN. NAT also provides considerable savings in time and money by eliminating the need to redesign your business's internal TCP/IP addressing scheme when connecting to the Internet or to remote sites with conflicting IP addressing schemes.

Using NAT, an Intel Express Router automatically maps an IP address to each internal LAN address, enabling transparent communication with those outside your corporate network. Alternatively, the router can maintain a pool of unique IP addresses, assigning a temporary address to a workstation whenever it connects over the Internet or WAN. This method requires fewer official Internet IP addresses.

Over ISDN (EuroISDN only) and analog modems, PPP Call Back can be used for authentication. If a user dials in for access to the LAN, the router cuts the connection, then calls back to ensure that it is an authorized link. PPP Call Back is compatible with the Microsoft Call Back standard.
Example Scenarios for Configuration of a Tunnel

Now that we have covered some of the basics of tunneling, let's look at some specific examples of configuring the router for different applications that include a tunnel. There are five examples that cover these specific configurations:

1. Internet tunnel without allowing Internet access
2. Internet tunnel with Internet access
3. Internet tunnel with web access and SMTP e-mail exchange
4. Internet tunnel with a proxy server installed
5. Internet tunnel with a firewall installed

Note: These tunneling configuration scenarios exclude many common services such as FTP, Telnet and common Internet plug-ins such as streaming audio or video. This strict configuration provides the most security. The more services you allow, the greater the susceptibility of the system to hackers. Add additional filters with caution, and for each one record which host, protocol and port it opens and why.

If you need to add filters for common services (also known as "well-known ports"), visit the following Web sites:

Mark Daugherty's TCP/IP page:
http://members.iquest.net/~mdd/tcpip.html

RFC 1700 assigned numbers:
http://www.internic.net/rfc/rfc1700.txt

(RFC 1700 has since been obsoleted by RFC 3232; the current port assignments are kept in the IANA online registry.) For services not listed here, contact the product vendor for the protocol and port information needed to create a filter.
Configuration issues

Before we go to the specific examples, let's discuss some issues that apply to all configurations. With Intel Express Routers, configuring a tunnel is simple. You do not have to modify applications or add any specialized software to your LAN. Just enter the IP address of the router at the remote site and enter the same encryption key on both ends of the WAN. The connection will work with virtually any ISP and travel as easily as open traffic through the Internet.

Disabling Telnet

While Telnet allows remote configuration and management of the router, it also opens a high security risk: like PAP, Telnet carries the login password in the clear, so anyone who can observe the path to the router can capture it. As a result, we recommend that you disable Telnet, and enable it only when you need it. When you enable Telnet, use a password containing at least six characters, with a mix of letters, numbers and punctuation marks. None of the filter examples in this guide opens port 23 (Telnet) from the Internet, so with the receive filter's default action set to Discard, Telnet attempts arriving on the WAN link are dropped.
Static IP host route to the remote router

To establish the tunnel you need to configure a static host route to the IP address of the remote router at the end of the tunnel. The IP address may be the address of either the WAN or the LAN interface.

Numbered IP WAN link

By using the IP address (if one is assigned) of the WAN interface instead of the LAN interface, you can hide your internal IP network from the Internet. However, hiding your internal IP network does not allow users to reach the Internet, unless you also use Network Address Translation (NAT).

Encryption

The use of data encryption over a public data network is highly recommended. Private data being transferred over the public Internet should always be encrypted for security.

Filtering

Filters act like security guards who require all traffic to show a badge before passing a gate. In the case of a tunnel, filters allow only predefined traffic through the router.

Filters are defined on a link basis, and separate filters are implemented for transmitting and receiving. Since you only need to protect the local LAN from intruders and do not want to restrict access to the Internet from the local LAN, it is enough to filter on incoming packets. Therefore, the transmit filter must be set to pass all packets.

Whenever an IP station wants to establish a session (over TCP), the ACK flag (in the TCP header) is always set to 0 in the connection-request packet. By filtering on the ACK flag, we can tell the router whether to allow incoming connection requests to the LAN from the Internet: a rule that matches only packets with ACK set lets replies to sessions opened from the LAN come back in, but drops any attempt from the Internet to open a new session. Keep in mind that this check is stateless. The router does not remember which sessions the LAN actually opened, so any packet with the ACK flag set that fits a rule's addresses and ports is passed whether or not a session exists. This is one reason the guide recommends a proxy or a dedicated firewall when the WAN link is shared with general Internet access.

The tunnel connection is a TCP connection to port 1990. When a router establishes a tunnel, it connects to destination port 1990 and uses a source port higher than 2000. The tunnel rules in the scenario tables follow from this: one rule admits the remote router's connection requests to local port 1990, and a second admits replies from remote port 1990 to a local port above 2000.

Setting up IP filters is described more fully in Chapter 6 of the User Guide. A quick description of how to configure a tunnel and how to configure a filter is given at the end of this document.
Configuration Scenarios

1. Internet Tunneling Only

[Figure: 1. Internet Tunneling Only. LAN 1 - Router 1 - WAN 1 - ISP - Internet - ISP - WAN 2 - Router 2 - LAN 2, with the tunnel running between Router 1 and Router 2.]

In this example, the two sites (LAN 1 and LAN 2) want to exchange data over the Internet. There is no need for Internet e-mail or Web access.

Filter configuration

The router must accept only tunnel traffic from the WAN link to the ISP; it must only receive packets from the remote router over the tunnel (receive filter). All other packets must be discarded.

Transmit filter: the default action must be set to Pass.
Receive filter: the default action must be set to Discard.
Receive filter on the WAN link toward the Internet (scenario 1: tunnel traffic only)

  Rule           Action  Protocol  TCP flag  Source IP          Source port      Destination IP    Destination port
  Tunnel client  Pass    TCP       ACK       the remote router  = 1990 (Tunnel)  the local router  > 2000
  Tunnel server  Pass    TCP       All       the remote router  > 2000           the local router  = 1990 (Tunnel)

The Tunnel client filter allows the local router to establish the tunnel connection: only replies from the remote router's port 1990 are accepted, so the ACK flag must be set.
The Tunnel server filter allows the remote router to establish the tunnel connection: its connection request to port 1990 arrives with ACK cleared, so the flag column is All.
The IP address of the local router should be the IP address of either the WAN interface or the LAN interface. For maximum security, the IP address of the WAN interface should be used (if one is assigned).
The IP address of the remote router is the address to which the tunnel should be established.

2. Tunneling with browser (HTTP) access to the Internet

[Figure: 2. Tunneling with browser (HTTP) access to the Internet. LAN 1 - Router 1 - WAN 1 - ISP - Internet - ISP - WAN 2 - Router 2 - LAN 2, with the tunnel running between Router 1 and Router 2.]

Example 2 shows a configuration that opens a tunnel to the remote router as well as allowing users on the local LAN to browse the World Wide Web on the Internet.

Internet access setup

To establish Internet access, a static route to the Internet must be configured. A static route representing the Internet is 0.0.0.0 with subnet mask 0.0.0.0. The static route must be assigned to the WAN interface toward the Internet.

The static route must be added under >Protocols>IP routing>Static Route> where:
- The network address is 0.0.0.0
- Network mask is 0.0.0.0
- Link is the WAN link toward the Internet.

Filter configuration

Filtering requirements:
- The router must allow tunnel traffic between the LAN and the remote router.
- Users on the local LAN must have access to Web (HTTP) services on the Internet.
- Users must be able to access external Domain Name Servers.

Tunnel filter

The router must accept tunnel traffic from the remote router via the link to the ISP.

Internet access filter

The router must not allow external users to get access to the local LAN from the Internet, i.e., it must discard all connection requests from the Internet (receive filter). At the same time, it must allow all users on the LAN to get Web access on the Internet.

Domain Name Server filter

When connecting to a Web server on the Internet, you normally connect with a URL. To translate between IP addresses and URLs, you will need to connect to a Domain Name Server (DNS), which will give you the IP address of the name you want to connect to.

Transmit filter: the default action must be set to Pass.
Receive filter: the default action must be set to Discard.

Receive filters on the WAN link toward the Internet

  Rule           Action  Protocol  TCP flag  Source IP            Source port      Destination IP    Destination port
  Tunnel client  Pass    TCP       ACK       the remote router    = 1990 (Tunnel)  the local router  > 2000
  Tunnel server  Pass    TCP       All       the remote router    > 2000           the local router  = 1990 (Tunnel)
  WWW client     Pass    TCP       ACK       All                  = 80 (HTTP)      the local net     > 1023
  DNS client     Pass    UDP       -         external DNS server  = 53 (DNS)       the local net     > 1023
  DNS client     Pass    TCP       ACK       external DNS server  = 53 (DNS)       the local net     > 1023

The Tunnel client filter allows the local router to establish the tunnel connection.
The Tunnel server filter allows the remote router to establish the tunnel connection.
The WWW client filter allows local users to establish a Web connection to the Internet, but the default filter discards connection requests from the Internet to the LAN. Because the source address is All, this rule relies entirely on the ACK flag and the source port 80 to tell a reply from an unsolicited packet.
The DNS filters allow the local users to access DNS servers on the Internet. DNS requests might use either UDP or TCP as a transport protocol; therefore, both protocols must be allowed to pass the filter. UDP has no flag to check, so the UDP rule is restricted to the address of the external DNS server instead.
The IP address of external DNS server is the address of the external DNS server on the Internet, given by your Internet provider.
The IP address of the local router should be the IP address of either the WAN interface or the LAN interface. For better security, the IP address of the WAN interface should be used (if one is assigned).
The IP address of the remote router is the address of the router over the tunnel.
3. Tunneling with browser access and mail exchange on the Internet

[Figure: 3. Tunneling with browser access and mail exchange on the Internet. LAN 1 (with Mail Server) - Router 1 - WAN 1 - ISP - Internet - ISP - WAN 2 - Router 2 - LAN 2, with the tunnel running between Router 1 and Router 2.]

In this example, users on the LAN have Web browser access to the Internet and access to the remote LAN via an Internet tunnel. They also need to be able to receive and send e-mail over the Internet via an internal mail server, using an external mail transfer agent.

Internet access setup

To get Internet access, a static route to the Internet must be configured. A static route representing the Internet is 0.0.0.0 with subnet mask 0.0.0.0. The static route must be assigned to the WAN interface toward the Internet.

The static route must be added under >Protocols>IP Routing>Static Route> where:
- The network address is 0.0.0.0
- Network mask is 0.0.0.0
- Link is the WAN link toward the Internet.

Filter configuration

These are the requirements for filtering:
- The router must allow tunnel traffic to and from the LAN and the remote router.
- Users on the LAN must have access to Web (HTTP) services on the Internet.
- Users must have access to an external Domain Name Server.
- Users must be able to receive and send e-mails to and from the Internet.

Tunnel filter

The router must accept tunnel traffic from the remote router via the link to the ISP.

Internet access filter

The router must not allow external users to get access to the local LAN from the Internet, i.e., it must discard all connection requests from the Internet (receive filter). At the same time, it must allow all users on the LAN to get Web and e-mail access on the Internet.

Domain Name Server filter

When connecting to a Web server on the Internet, you normally connect using a URL. To translate between IP addresses and URLs, you will need to connect to a Domain Name Server. The DNS will give you the IP address of the URL to which you want to connect.

Allowing access to and from an internal mail server and to and from an Internet mail server

The internal mail server only needs to communicate with one external mail server on the Internet: a mail transfer agent. The Internet provider must supply the IP address of the external mail server. Receiving mail means that the external mail server must be able to open an SMTP connection to the internal mail server. This is the one rule in these scenarios that admits a connection request from the Internet, which is why it is restricted to that single source address and to destination port 25 on the mail server alone.

Transmit filter: the default action must be set to Pass.
Receive filter: the default action must be set to Discard.

Receive filter on the WAN link toward the Internet

  Rule              Action  Protocol  TCP flag  Source IP             Source port      Destination IP        Destination port
  Tunnel client     Pass    TCP       ACK       the remote router     = 1990 (Tunnel)  the local router      > 2000
  Tunnel server     Pass    TCP       All       the remote router     > 2000           the local router      = 1990 (Tunnel)
  Receive e-mails   Pass    TCP       All       external mail server  > 1023           internal mail server  = 25 (SMTP)
  Transmit e-mails  Pass    TCP       ACK       external mail server  = 25 (SMTP)      internal mail server  > 1023
  WWW client        Pass    TCP       ACK       All                   = 80 (HTTP)      the local net         > 1023
  DNS client        Pass    UDP       -         external DNS server   = 53 (DNS)       the local net         > 1023
  DNS client        Pass    TCP       ACK       external DNS server   = 53 (DNS)       the local net         > 1023

The Tunnel client filter allows the local router to establish the tunnel connection.
The Tunnel server filter allows the remote router to establish the tunnel connection.
The Mail filters allow an internal SMTP mail server to send and receive mail with an external mail server (mail transfer agent). The Receive e-mails rule passes all flags because the external server opens the connection; the Transmit e-mails rule passes only ACK-flagged packets, i.e. the external server's replies to connections the internal server opened.
The WWW client filter allows local users to establish a connection to the Internet, but the default filter discards connection requests from the Internet to the LAN.
The DNS filters allow the local users to access DNS servers on the Internet. DNS requests might use either UDP or TCP as a transport protocol; therefore, both protocols must be allowed to pass the filter.
The IP address of external DNS server is the address of the external DNS server on the Internet. The address must be supplied by the Internet Service Provider.
The IP address of the local router should be the IP address of either the WAN interface or the LAN interface. For maximum security, the IP address of the WAN interface should be used (if one is assigned).
The IP address of the remote router is the address of the router over the tunnel.
The IP address of external mail server is the address of the external mail server. The internal mail server communicates with the external mail server when sending and receiving e-mail. The external mail server address must be given by the Internet Service Provider.
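The receive filter above, evaluated in code. This is an added example and not router firmware or the router's configuration syntax: it encodes the scenario 3 rules with the port operators described under How to configure IP filters (=, !=, >, <) and the ACK-flag check from the Filtering section, then applies them to constructed packets arriving on the WAN link. It shows what the filter admits and also the stateless gap the Filtering section warns about. All addresses are constructed documentation addresses, and the rule names are those of the table.

```python
"""Stateless receive filter on the WAN link, modelled after the scenario 3 table."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the example (documentation ranges, not real hosts).
LOCAL_ROUTER = "198.51.100.1"    # WAN interface of the local Express Router
REMOTE_ROUTER = "203.0.113.1"    # the router at the far end of the tunnel
LOCAL_NET = "192.0.2.0/24"       # the local LAN behind the router
MAIL_SERVER = "192.0.2.25"       # internal SMTP server on the local LAN
EXT_MAIL = "203.0.113.25"        # the ISP's mail transfer agent
EXT_DNS = "203.0.113.53"         # the ISP's DNS server
TUNNEL_PORT = 1990               # the Express Router tunnel uses TCP port 1990

PortMatch = Optional[Tuple[str, int]]   # (operator, value) using = != > <, or None for all ports


@dataclass
class Packet:
    proto: str          # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool = False   # TCP ACK flag; a connection request (SYN) always has ACK = 0


@dataclass
class Rule:
    name: str
    proto: str
    ack_only: bool      # True = the table's "ACK" column; False = "All"
    src_ip: str         # host, CIDR network, or "any" (the table's "All")
    src_port: PortMatch
    dst_ip: str
    dst_port: PortMatch


def ip_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def port_matches(match: PortMatch, port: int) -> bool:
    if match is None:
        return True
    op, value = match
    return {"=": port == value, "!=": port != value,
            ">": port > value, "<": port < value}[op]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.proto == "TCP" and rule.ack_only and not pkt.ack:
        return False   # a connection request never matches an ACK-only rule
    return (ip_matches(rule.src_ip, pkt.src_ip) and port_matches(rule.src_port, pkt.src_port)
            and ip_matches(rule.dst_ip, pkt.dst_ip) and port_matches(rule.dst_port, pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, matched rule name). The receive filter's default action is Discard."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return "Pass", rule.name
    return "Discard", None


# The scenario 3 receive filter on the WAN link toward the Internet, row for row.
RECEIVE_RULES = [
    Rule("Tunnel client",    "TCP", True,  REMOTE_ROUTER, ("=", TUNNEL_PORT), LOCAL_ROUTER, (">", 2000)),
    Rule("Tunnel server",    "TCP", False, REMOTE_ROUTER, (">", 2000),        LOCAL_ROUTER, ("=", TUNNEL_PORT)),
    Rule("Receive e-mails",  "TCP", False, EXT_MAIL,      (">", 1023),        MAIL_SERVER,  ("=", 25)),
    Rule("Transmit e-mails", "TCP", True,  EXT_MAIL,      ("=", 25),          MAIL_SERVER,  (">", 1023)),
    Rule("WWW client",       "TCP", True,  "any",         ("=", 80),          LOCAL_NET,    (">", 1023)),
    Rule("DNS client (UDP)", "UDP", False, EXT_DNS,       ("=", 53),          LOCAL_NET,    (">", 1023)),
    Rule("DNS client (TCP)", "TCP", True,  EXT_DNS,       ("=", 53),          LOCAL_NET,    (">", 1023)),
]


def demo() -> List[Tuple[str, str]]:
    """Constructed packets arriving from the Internet; returns (description, action) pairs."""
    cases = [
        ("remote router opens the tunnel (SYN to 1990)",
         Packet("TCP", REMOTE_ROUTER, 3001, LOCAL_ROUTER, TUNNEL_PORT)),
        ("stranger tries to open the tunnel port",
         Packet("TCP", "198.18.0.9", 3001, LOCAL_ROUTER, TUNNEL_PORT)),
        ("web server replies to a LAN browser (SYN-ACK)",
         Packet("TCP", "198.18.0.9", 80, "192.0.2.10", 40000, ack=True)),
        ("Internet host tries to connect to a LAN web port",
         Packet("TCP", "198.18.0.9", 40000, "192.0.2.10", 80)),
        ("ACK probe spoofed from source port 80, no session exists",
         Packet("TCP", "198.18.0.9", 80, "192.0.2.10", 50000, ack=True)),
    ]
    return [(text, evaluate(RECEIVE_RULES, pkt)[0]) for text, pkt in cases]
```

The last case in `demo` passes the filter even though no LAN host opened a session: the rule sees an ACK-flagged packet from source port 80 to a high port on the local net and has no session table to consult. That is the stateless weakness of ACK-flag filtering, and it is why scenarios 4 and 5 narrow the destination to a proxy or move the filtering to a firewall.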
4. Tunneling with browser access on the Internet through a proxy server

[Figure: 4. Tunneling with browser access on the Internet through a proxy server. Local net (with Proxy Server) - Express Router - WAN 1 - ISP - Internet - ISP - WAN 2 - Express Router - Remote net, with the tunnel running between the two Express Routers.]

In this scenario, users on the LAN have browser access to the Internet. When users browse the Internet, they will connect through a proxy server.

Internet access setup

To get Internet access, a static route to the Internet must be configured. A static route representing the Internet is 0.0.0.0, with a subnet mask set at 0.0.0.0. The static route must be assigned to the WAN interface, toward the Internet.

The static route must be added under >Protocols>IP Routing>Static Route> where:
- The network address is 0.0.0.0
- Network mask is 0.0.0.0
- Link is the WAN link toward the Internet.

Filter configuration

These are the requirements for filtering:
- The router must allow tunnel traffic to and from the LAN of the remote router.
- Users on the LAN must be able to browse on the Internet through the proxy server. The filter must, therefore, only allow Web (HTTP) traffic to the proxy server.
- Users must have Domain Name Server access to the Internet through the proxy server.

Tunnel filter

The router must accept tunnel traffic from the remote router via the link to the ISP.

Internet access filter

The router must not allow external users to get access to the local LAN from the Internet, i.e., it must discard all connection requests from the Internet (receive filter). The router should only accept packets to the proxy server from the Internet. Compared with scenario 2, the destination of the WWW and DNS rules narrows from the whole local net to the single proxy address, so an ACK-flagged packet that gets past the flag check can reach only the proxy, not the workstations.

Domain Name Server filter

When connecting to a Web server on the Internet, you normally connect using a URL. To translate between IP addresses and URLs, you will need to connect to a Domain Name Server. The DNS will give you the IP address of the name to which you want to connect.

Transmit filter: the default action must be set to Pass.
Receive filter: the default action must be set to Discard.

Receive filter on the WAN link toward the Internet

  Rule           Action  Protocol  TCP flag  Source IP            Source port      Destination IP    Destination port
  Tunnel client  Pass    TCP       ACK       the remote router    = 1990 (Tunnel)  the local router  > 2000
  Tunnel server  Pass    TCP       All       the remote router    > 2000           the local router  = 1990 (Tunnel)
  WWW client     Pass    TCP       ACK       All                  = 80 (HTTP)      the proxy server  > 1023
  DNS client     Pass    UDP       -         external DNS server  = 53 (DNS)       the proxy server  > 1023
  DNS client     Pass    TCP       ACK       external DNS server  = 53 (DNS)       the proxy server  > 1023

The Tunnel client filter allows the local router to establish the tunnel connection.
The Tunnel server filter allows the remote router to establish the tunnel connection.
The WWW client filter allows local users to establish a connection to the Internet, but the default filter discards connection attempts from the Internet to the LAN.
The DNS filters allow the local users to access DNS servers on the Internet. DNS requests might use either UDP or TCP as a transport protocol; therefore, both protocols must be able to pass the filter.
The IP address of external DNS server is the address of the external DNS server on the Internet. The address must be provided by the Internet Service Provider.
The IP address of the local router should be either the IP address of the WAN interface or the LAN interface. For maximum security, the IP address of the WAN interface should be used (if one is assigned).
The IP address of the remote router is the address of the router over the tunnel.
5. Internet tunneling through a firewall

[Figure: 5. Internet tunneling through a firewall. Desktop System - Express Router - Firewall - Router - WAN 1 - ISP - Internet - ISP - WAN 2 - Express Router - Desktop System, with the tunnel running between the two Express Routers.]

While not required for every application, a dedicated firewall for filtering is the most secure solution for tunneling. The firewall must be set up to allow tunnel traffic to pass between the remote router and the local router. The router on the LAN is used as a tunnel end-point to the remote network; it has no WAN connection. The router that connects the firewall to the Internet does not need tunnel links, nor does it have to be an Intel Express Router to pass tunnel traffic.

Filter configuration

You do not need to add filters in the local router. The firewall has the responsibility to filter out unwanted packets. However, the firewall must allow tunnel traffic to pass both ways between the local router and the remote router.

Firewall Configuration

The firewall must be configured to pass tunnel traffic in the same way the Express Router filters are configured to pass tunnel traffic (see table below). Because the tunnel is a single TCP session between two fixed addresses, this amounts to two rules on the firewall. Everything carried inside the tunnel is encrypted, so the firewall cannot inspect it; the local router's address is therefore the only host that should ever be allowed to terminate the tunnel. Since the local router has no WAN link, the tunnel is configured over its LAN connection with the firewall as the forwarding address (see Tunneling over a LAN connection).

Transmit filter: the default action must be set to Pass.
Receive filter: the default action must be set to Discard.

Receive filter in the firewall to allow tunnel traffic

  Rule           Action  Protocol  TCP flag  Source IP          Source port      Destination IP    Destination port
  Tunnel client  Pass    TCP       ACK       the remote router  = 1990 (Tunnel)  the local router  > 2000
  Tunnel server  Pass    TCP       All       the remote router  > 2000           the local router  = 1990 (Tunnel)

The Tunnel client filter allows the local router to establish the tunnel connection.
The Tunnel server filter allows the remote router to establish the tunnel connection.
The IP address of the local router should be the IP address of the LAN interface.
The IP address of the remote router is the address of the router over the tunnel.
How to Configure Tunnels and Filters

The following procedure is an abbreviated guide to configuring a tunnel, for routing data to a remote site via the Internet. See the User Guide for detailed instructions. It is assumed that the link to the Internet is already configured; if not, see the Quick Setup Guide or Chapter 5 of the User Guide for instructions.

Tunneling over a WAN connection

1. Enter the Links option of Advanced Setup.
2. Add a new link. Choose Internet Tunnel as the WAN protocol.
3. For Local IP Address, choose either the address of the LAN interface or the address of the WAN interface, if one is assigned. Note: The address must be an official address given by the Internet Service Provider.
4. For Remote IP Address, use the address of the remote router to which the tunnel should be established. Again, either the WAN or the LAN IP address of the remote router should be chosen.
5. Enable encryption for the tunnel. Data communication via the tunnel is not secure otherwise. The same key must be entered on both routers (see Configuration issues).
6. Select IP routing under the Protocols option of Advanced Setup.
7. Add a static host route to the remote router. The host route must be set up with the same IP address as that for the Remote IP Address. The static host route must be assigned to the WAN interface toward the Internet. Remember that the subnet mask of a host route is always 255.255.255.255.
8. Configure the protocols (IP, IPX and/or Bridging) to be used over the tunnel. See Chapters 6, 7 and 8 in the User Guide for information on configuring the protocols.

Tunneling over a LAN connection

1. Enter the Links option of Advanced Setup.
2. Add a new link. Choose Internet Tunnel as the WAN protocol.
3. For Local IP Address, choose the IP address of either the LAN interface or the WAN interface, if one is assigned. Note: The address must be an official address given by the Internet Service Provider.
4. For Remote IP Address, use the IP address of the remote router to which the tunnel should be established. Again, choose either the WAN or the LAN address of the remote router.
5. Enable encryption for the tunnel. Data communication via the tunnel is not secure otherwise.
6. Select IP routing under the Protocols option of Advanced Setup.
7. Add a static host route to the remote router. The host route must be set up with the same IP address as that for the Remote IP Address. The static host route must be assigned to the LAN interface. Remember that the subnet mask of a host route is 255.255.255.255.
8. Forwarding Address must be the IP address of the local router connected to the Internet. If a firewall is used, the Forwarding Address must be the IP address of the firewall.
9. Configure the protocols (IP, IPX or Bridging) to be used over the tunnel. See Chapters 6, 7 and 8 in the User Guide for configuring the protocols.

How to configure IP filters

Use the following procedure to configure IP filtering on the LAN or the WAN interface.

1. Enter the Advanced screen under the IP link to which you would like to add a filter.
2. Set the Filtering parameter to Enabled on the Advanced screen for the IP link.
3. Select Tx Filters on the Advanced screen for the IP link. Set the Default Action to Pass. Filter only on receiving traffic.
4. Go back to Rx Filters to define receive filters.
5. Set the Default Action to Discard.
6. Use Add to add a new filter.
7. Set Action to Pass.
8. Set the filter parameters as described in the examples given earlier in this document. When you are done, check that the Rx default action still reads Discard and that the only Pass rules are those from the scenario tables; a receive default of Pass leaves the LAN open regardless of the rules beneath it.

The filtering of IP packets is based on the following criteria:

IP protocol
A filter can process packets based on UDP, TCP or ICMP. Other protocols can be defined by the IP protocol number. TCP filtering also can be based on TCP flags: for all flags, or only for packets with the acknowledge (ACK) flag set.
Source address
Use the Source Address to filter packets entering the router via the link from a specific host or network.

Source port
The Source Port filters packets originating from a single port (e.g., SMTP or HTTP), from a range of ports, or from all ports.

Destination address
A filter can process packets addressed to a host address or a network address.

Destination port
A filter can process packets addressed to a single port, a range of ports or all ports.

Port values and port operator
For the port value, it is possible to define whether the port value should be equal (=), different (!=), greater than (>) or less than (<).
NP1040