User manual NETOPIA 3300-ENT FIRMWARE USER GUIDE V8.7

[. . . ] Netopia Firmware User Guide 3300-ENT Enterprise-Series Netopia Firmware Version 8. 7 ® Copyright Copyright© 2006, Netopia, Inc. Netopia, the Netopia logo, Broadband Without Boundaries, and 3-D Reach are registered trademarks belonging to Netopia, Inc. , registered U. S. 6001 Shellmound Street Emeryville, CA 94608 U. S. A. Part Number Netopia part number 6161236-00-01 Contents Contents iii Chapter 1 -- Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 What's New in 8. 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Telnet-based Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [. . . ] Phase 2 establishes the tunnel and provides for secure transport of data. · IPsec can be configured without IKE, but IKE offers additional features, flexibility, and ease of configuration. Key exchange between your local Router and a remote point can be configured either manually or by using the key exchange protocol. 6-2 Firmware User Guide The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communications without having to manually enter the lengthy encryption keys at both ends of the connection. You enter a human-readable pass phrase or shared secret English sentence, like "my dog has fleas" on each end once. Thereafter, the two ends periodically use a public key encryption method called Diffie-Hellman to exchange key material and then securely generate new authentication and encryption keys. The keys are automatically and continually changing, making the data exchanged using the keys inherently secure. It also allows you to specify a lifetime for the IPsec Security Association and allows encryption keys to change periodically during IPsec sessions. You can set this period for key generation to as often as your security requirements dictate. A Security Policy Database (SPD) now defines the security requirements. This is a significant change from earlier firmware implementations of IPsec. Traffic with a source IP address that falls within the local member specification of an IPsec tunnel and that is addressed to a destination IP address that falls within the remote member specification of that tunnel is not routed using the normal routing table. Instead it is forwarded using the security policy database to the remote security gateway (remote tunnel endpoint) specified in the IPsec tunnel configuration. It is not possible to send traffic outside the tunnel by bypassing the tunnel and the remote security gateway. Note: To fully protect against IP address "spoofing" of local member addresses requires firewall rules to be installed on the WAN interface. These must prevent packets coming in through that interface with local member source addresses, since local member source addresses should only originate from the LAN. Otherwise it is theoretically possible for a malicious hacker to send packets through the tunnel by impersonating local member IP addresses. See the chapter "Security" on page 10-1 for more information. Traffic originating from local member LAN addresses that is not addressed to remote member addresses, as well as traffic originating from local LAN IP addresses that do not match any local member specifications, is routed using the normal routing table. This means that if you want to restrict traffic from local members from going out to the Internet and force it all to go through one or more tunnels you need to specify remote members of 0. 0. 0. 0 - 255. 255. 255. 255 or 0. 0. 0. 0/0. Traffic originating from the gateway, for example, Telnet, ping, DNS queries, will not use the default VPN definition even if the source addresses match. Traffic to and from the gateway is included in specific VPNs. Internet Key Exchange (IKE) Configuration IPsec tunnels are defined in the same manner as PPTP tunnels. (See "Virtual Private Networks (VPNs)" on page 5-1 for more information. ) You configure the Connection Profile as follows. From the Main Menu navigate to WAN Configuration and then Add Connection Profile. Main Menu WAN Configuration Add Connection Profile Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-3 The Add Connection Profile screen appears. Add Connection Profile Profile Name: Profile Enabled: Encapsulation Type. . . Profile 1 +-------------+ +-------------+ | PPP | | RFC1483 | | ATMP | | PPTP | | IPsec | | L2TP | +-------------+ IP Profile Parameters. . . COMMIT CANCEL · · From the Encapsulation Type pop-up menu select IPsec. The IPsec Tunnel Options screen appears. IPsec Tunnel Options Key Management. . . [. . . ] Check the WAN statistics and LAN statistics screens to see more specific information on data traffic flow and address serving. See "Statistics & Logs" on page 9-3 for more information. Troubleshooting A-3 How to Reset the Router to Factory Defaults Lose your password?This section shows how to reset the Netopia Router so that you can access the configuration screens once again. Note: Keep in mind that all of your settings may need to be reconfigured. If you don't have a password, the only way to access the Netopia Router is the following: 1. Referring to the diagram below, find the round Reset Switch opening. Example Netopia Router back panel Factory Reset Switch: Push to clear all settings 2. [. . . ]