add a new tunnel
you can select tunnel to create a tunnel for a single mobile user, or select group vpn to create tunnels for multiple vpn clients. the group vpn feature facilitates the setup of tunnels for multiple vpn clients, so you do not need to individually configure multiple remote vpn clients. after you have selected tunnel or group vpn, the settings available on this screen may change, depending on which selection you have made.
tunnel no. a tunnel number between 1-50 will be automatically generated.
tunnel name. enter a name for this vpn tunnel, such as home office or new york branch. this allows you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
interface. select the appropriate interface (wan1, wan2...) from the pull-down menu. if you designate more than two wan ports on the network or port management page, then additional wan ports will be available.
enable. check this box to enable this vpn tunnel.
group vpn
the group vpn settings will appear only if you are adding a new group vpn. up to two group vpns are supported by the router.
group no. a group number will be automatically generated.
group name. enter a name for this group vpn, such as american managers group or west coast locations. interface. select the appropriate interface (wan1, wan2...) from the pull-down menu. if you designate more than two wan ports on the network or port management page, then additional wan ports will be available.
enable. check the box to enable this group vpn.
local group setup
local security gateway type (not applicable to group vpns)
select one of these five available types: ip only, ip + domain name(fqdn) authentication, ip + e-mail addr.(user fqdn) authentication, dynamic ip + domain name(fqdn) authentication, or dynamic ip + e-mail addr.(user fqdn) authentication.
(if you want to use a fully qualified domain name (fqdn) for authentication but you do not have one, visit www.dyndns.org to set up a dynamic domain name system (ddns) account. then enable and configure the 10/100 16-port vpn router’s ddns settings on the ddns screen.)
the local security gateway type you select should match the remote security gateway type selected on the remote vpn client(s) at the other end of the tunnel(s).
after you have selected the local security gateway type, the settings available on this screen may change, depending on which selection you have made.
ip only. if you select ip only, then only the computer with a specific ip address will be able to access the tunnel. the wan (or internet) ip address of the router will automatically appear in the ip address field.
ip + domain name(fqdn) authentication. if you select this type, enter the fqdn (fully qualified domain name) in the domain name field, and an ip address will automatically appear in the ip address field. the fqdn is the host name and domain name for a specific computer on the internet. an example of a fqdn is vpn.myvpnserver.com. the fqdn and ip address must match the fqdn and ip address of the remote client at the other end of the tunnel. the fqdn and ip can be used for only one tunnel connection.
ip + e-mail addr.(user fqdn) authentication. if you select this type, enter the appropriate e-mail address in the e-mail address fields, and an ip address will automatically appear in the ip address field.
dynamic ip + domain name(fqdn) authentication. if the local security gateway has a dynamic ip and you want to use the domain name for authentication, then select this type. when the remote client asks to create a tunnel with the router, the router will work as a responder. for authentication, complete the domain name field, and make sure it matches the domain name set on the remote client. the domain name can be used for only one tunnel connection, so you can’t use the same domain name to create another new tunnel connection.
dynamic ip + e-mail addr.(user fqdn) authentication. if the local security gateway has a dynamic ip and you want to use the e-mail address for authentication, then select this type. when the remote client asks to create a tunnel with the router, the router will work as a responder. for authentication, enter the appropriate e-mail address in the e-mail address fields.
local security group type
select the local lan user(s) behind the router that can use this vpn tunnel. select one of these three available types: ip, subnet, or ip range. the local security group type you select should match the remote security group type selected on the remote vpn client(s) at the other end of the tunnel(s).
after you have selected the local security group type, the settings available on this screen may change, depending on which selection you have made.
ip. if you select ip only, then only the computer with a specific ip address will be able to access the tunnel.
enter the appropriate ip address. the default ip is 192.168.1.0.
subnet. if you select subnet, which is the default, then all computers on the local subnet will be able to access the tunnel. complete the ip address and subnet mask fields. the default ip is 192.168.1.0, and the default subnet mask is 255.255.255.0.
ip range. if you select ip range, then you can specify a range of ip addresses within the subnet that will be able to access the tunnel. complete the ip range fields. the default ip range is 192.168.1.0~254.
remote client setup for a vpn tunnel
you will have different remote client setup settings depending on whether you are adding a new tunnel or a new group vpn. if you are adding a new group vpn, proceed to the “remote client setup for a group vpn” section.
remote client
select one of these five available types: ip only, ip + domain name(fqdn) authentication, ip + e-mail addr.(user fqdn) authentication, dynamic ip + domain name(fqdn) authentication, or dynamic ip + e-mail addr.(user fqdn) authentication.
(if you want the remote client to use a fully qualified domain name (fqdn) for authentication but the remoteclient does not have one, visit www.dyndns.org to set up a dynamic domain name system (ddns) account.)
after you have selected the remote client, the settings available on this screen may change, depending on which selection you have made.
ip only. if you know the fixed ip address of the remote client, select ip only. only the computer with this specific ip address will be able to access the tunnel. in the ip address field, enter the ip address of the remote client at the other end of the tunnel. (the remote client can be a computer with vpn client software that support ipsec.)
ip + domain name(fqdn) authentication. if you select this type, enter the fqdn (fully qualified domain name) and ip address of the remote client, which can be a computer with vpn client software that supports ipsec. (enter the fqdn in the domain name field, and enter the ip address in the ip address field.) the fqdn is the host name and domain name for a specific computer on the internet. an example of a fqdn is vpn.remotevpnserver.com. the fqdn and ip address must match the fqdn and ip address of the local security gateway type selected on the remote client. the fqdn and ip can be used for only one tunnel connection.
ip + e-mail addr.(user fqdn) authentication. if you select this type, enter the e-mail address and ip address of the remote client at the other end of the tunnel. (the remote client can be a computer with vpn client software that support ipsec.)
dynamic ip + domain name(fqdn) authentication. if the remote security gateway has a dynamic ip and you want to use the domain name for authentication, then select this type. when the remote security gateway asks to create a tunnel with the router, the router will work as a responder. for authentication, complete the domain name field, and make sure it matches the domain name set on the local gateway of the remote client. the domain name can be used for only one tunnel connection, so you can’t use the same domain name to create another new tunnel connection.
dynamic ip + e-mail addr.(user fqdn) authentication. if the remote security gateway has a dynamic ip and you want to use the e-mail address for authentication, then select this type. when the remote security gateway asks to create a tunnel with the router, the router will work as a responder. for authentication, enter the appropriate e-mail address in the e-mail address fields.
remote client setup for a group vpn
remote client. there are three types of remote client: domain name (fqdn), e-mail address (user fqdn), and microsoft xp/2000 vpn client.
remote client
select one of these three types: domain name(fqdn), e-mail address(user fqdn), or microsoft xp/2000 vpn client.
(if you want to use an fqdn (fully qualified domain name) but you have not set it up, visit www.dyndns.org to set up a dynamic domain name system (ddns) account.) after you have selected the remote client, the settings available on this screen may change, depending on which selection you have made.
domain name(fqdn). if you select this type, enter the fqdn (fully qualified domain name) of the remote client in the domain name field. the fqdn is the host name and domain name for a specific computer on the internet. an example of a fqdn is vpn.remotevpnserver.com. the fqdn must match the fqdn setting on the remote client. when the remote client asks to create a tunnel with the router, the router will work as a responder.
e-mail address(user fqdn). if you select this type, enter the e-mail address of the remote client at the other end of the tunnel.
microsoft xp/2000 vpn client. if the remote client has a dynamic ip address and is a microsoft vpn client, select this type. the difference between microsoft and other vpn clients is that the microsoft vpn client does not support aggressive mode and the two remote client options, domain name(fqdn) and e-mail address(user fqdn).