About This User's Guide

Intended Audience
This manual is intended for people who want to configure the BM2022w using the Web Configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.

Related Documentation
• Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your BM2022w.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions
• The product(s) described in this book may be referred to as the “BM2022w”, the “device”, the “system” or the “product” in this User’s Guide.
Table 1 Common Icons: BM2022w, Computer, Wireless Signal, Notebook, Server, Base Station, Telephone, Switch, Router, Internet Cloud, Network Cloud.
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
PART I User’s Guide
CHAPTER 1 Getting Started

1.1 About Your BM2022w
The BM2022w has a built-in switch and two phone ports. It allows you to access the Internet by connecting to a WiMAX wireless network. You can use a traditional analog telephone to make Internet calls using the BM2022w’s Voice over IP (VoIP) communication capabilities. Additionally, the web browser-based Graphical User Interface (GUI), also known as the web configurator, provides easy management of the device and its features.
1.1.2 Make Calls via Internet Telephony Service Provider
In a home or small office environment, you can use the BM2022w to make and receive the following types of VoIP telephone calls:
• Peer-to-Peer calls - Use the BM2022w to make a call directly to the recipient’s IP address without using a SIP proxy server.
1.2.1 LEDs
The following figure shows the LEDs (lights) on the BM2022w.
Figure 4 The BM2022w’s LEDs (labels: POWER LED, WIMAX LINK SIGNAL STRENGTH INDICATORS, VOICE LEDS 1&2, WLAN LED)
The following table describes your BM2022w’s LEDs (from top to bottom).
Table 2 The BM2022w LEDs behavior (LED, STATE: DESCRIPTION)
Power, Off: The BM2022w is not receiving power.
Power, Red: The BM2022w is receiving power but has been unable to start up correctly or is not receiving enough power.
Table 2 The BM2022w LEDs behavior (continued)
Voice 1 & 2, Off: No SIP account is registered, or the BM2022w is not receiving power.
Voice 1 & 2, Green: A SIP account is registered.
Voice 1 & 2, Green (Blinking): A SIP account is registered, and the phone attached to the VoIP port is in use (off the hook).
Voice 1 & 2, Yellow: A SIP account is registered and has a voice message on the SIP server.
CHAPTER 2 Introducing the Web Configurator

2.1 Overview
The Web Configurator is an HTML-based management interface that allows easy device set up and management via any web browser that supports HTML 4.0, CSS 2.0, and JavaScript 1.5, or higher. The recommended screen resolution for using the web configurator is 1024 by 768 pixels and 16-bit color, or higher. In order to use the Web Configurator you need to allow:
• Web browser pop-up windows from your device.
2.1.2 The Reset Button
If you forget your password or cannot access the Web Configurator, you will need to use the Reset button to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to “1234”.

2.1.2.1 Using The Reset Button
1 Make sure the Power light is on (not blinking).
2.1.4 Working with Tables
Many screens in the BM2022w contain tables to provide information or additional configuration options.
Figure 7 Tables Example
This screen contains the following fields:
Table 4 Saving and Canceling Changes (LABEL: DESCRIPTION)
Items per Page: This displays the number of items displayed per table page. Use the menu to change this value.
First Page: Click this to go to the first page in the table.
Figure 8 Main Screen
The following table describes the icons in this screen.
Table 5 Main > Icons (ICON: DESCRIPTION)
System Status: Click this to open the Main screen, which shows your BM2022w status and other information.
WiMAX: Click this to open the WiMAX menu, which gives you options for configuring your WiMAX settings.
Network Setting: Click this to open the Network menu, which gives you options for configuring your network settings.
Table 5 Main > Icons (continued)
Maintenance: Click this to open the Maintenance menu, which gives you options for maintaining your BM2022w and performing basic network connectivity tests.
Language: Use this menu to select the Web Configurator’s language.
Setup Wizard: Click this to open the Setup Wizard, where you can configure the most essential settings for your BM2022w to work.
Logout: Click this to log out of the Web Configurator.
CHAPTER 3 Setup Wizard

3.1 Overview
This chapter provides information on the Setup Wizard. The wizard guides you through several steps for configuring your network settings.

3.1.1 Welcome to the Setup Wizard
This screen provides a quick summary of the configuration tasks the wizard helps you to perform. They are:
1 Set up your Local Area Network (LAN) options, which determine how the devices in your home or office connect to the BM2022w.
5 Set up your BM2022w’s WLAN so that other devices, such as a laptop or a smartphone, can connect wirelessly to the Internet using the BM2022w.
3.1.2 LAN Settings
The LAN Settings screen allows you to configure your local network options.
Figure 10 Setup Wizard > LAN Settings
The following table describes the labels in this screen.
Table 6 Setup Wizard > LAN Settings (LABEL: DESCRIPTION)
LAN TCP/IP
IP Address: Enter the IP address of the BM2022w on the LAN. Note: This field is the IP address you use to access the BM2022w on the LAN.
Table 6 Setup Wizard > LAN Settings (continued)
DNS Server assigned by DHCP Server
First DNS Server: Specify the IP address of the first of up to three DNS servers that the network can use. The BM2022w provides these IP addresses to DHCP clients.
Second DNS Server: Specify the IP address of the second of up to three DNS servers that the network can use. The BM2022w provides these IP addresses to DHCP clients.
The following table describes the labels in this screen.
Table 7 Setup Wizard > WiMAX Frequency Settings (LABEL: DESCRIPTION)
Setting Type: Select the WiMAX frequency setting type from the list.
• By Range - Select this to set up the frequency based on a range of MHz.
• By List - Select this to set up the frequency on an individual MHz basis. You can add multiple MHz values to the list.
Step: Enter the increments in MHz by which to increase the frequency range.
Figure 12 Setup Wizard > WiMAX Authentication Settings
The following table describes the labels in this screen.
Table 8 Setup Wizard > WiMAX Authentication Settings (LABEL: DESCRIPTION)
Authentication
Authentication Mode: Select a WiMAX authentication mode for authenticating network sessions with the ISP. Options are:
• No authentication
• User authentication
• Device authentication
• User and Device authentication
EAP Supplicant
EAP Mode: Select an EAP authentication mode.
Table 8 Setup Wizard > WiMAX Authentication Settings (continued)
Anonymous Id: Enter your anonymous ID. Note: Some modes may not require this.
Ignore Cert Verification: Select this to ignore base station certificate verification when a certificate is received during EAP-TLS or EAP-TTLS.
Server Root CA Cert. File: Browse for and choose a server root certificate file, if required.
Server Root CA Cert.
Note: These settings should be provided by your VoIP service provider.
Figure 13 Setup Wizard > VoIP Settings
The following table describes the labels in this screen.
Table 9 Setup Wizard > VoIP Settings (LABEL: DESCRIPTION)
Line 1 SIP Account - Configure this section to use the PHONE 1 port.
Enable: Select this to activate the SIP account.
SIP Server: Enter the IP address or domain name of the SIP server.
Port Number: Enter the SIP server’s listening port number.
Table 9 Setup Wizard > VoIP Settings (continued)
Back: Click to display the previous screen.
Next: Click to proceed to the next screen.

3.1.6 WLAN Settings
The WLAN Settings screen lets you set up how other devices connect to the Internet wirelessly using the BM2022w.
Figure 14 Setup Wizard > WLAN Settings
Figure 15 Setup Wizard > WLAN Settings > Encryption Type: WPA Personal
The following table describes the labels in this screen.
Table 10 Setup Wizard > WLAN Settings (continued)
WLAN Mode: Select the mode that the BM2022w will be using to communicate: 802.11 B/G/N mixed, 802.11 B/G mixed, 802.11 B only, 802.11 G only, or 802.11 N only.
WLAN Channel: Select one channel from 1 to 11 for wireless communications with the wireless stations.
SSID Settings
WLAN SSID: This field displays the name of the wireless network associated with the BM2022w.
3.1.7 Setup Complete
Click Save to save the Setup Wizard settings and close it.
Figure 16 Setup Wizard > Setup Complete
Launch your web browser and navigate to www.huawei.com. If everything was configured properly, the web page should display. You can now surf the Internet! Refer to the rest of this guide for more detailed information on the complete range of BM2022w features available in the more advanced web configurator.
CHAPTER 4 Tutorials

4.1 Overview
This chapter shows you how to configure some of the BM2022w’s features.
Note: Be sure to read Introducing the Web Configurator on page 21 before working through the tutorials presented here. For field descriptions for individual screens, see the related technical reference in this User's Guide.
4.3 Configuring LAN DHCP
This tutorial shows you how to set up a small network in your office or home.
Goal: Connect three computers to your BM2022w to form a small network.
Required: The following table provides a summary of the information you will need to complete the tasks in this tutorial.
INFORMATION: VALUE (SEE ALSO)
LAN IP Address: 192.168.100.1 (Chapter 7 on page 102)
Starting IP Address: 192.168.100.10 (Chapter 7 on page 103)
Ending IP Address: 192.168.100.
4 Log into the Web Configurator and open the Network Setting > LAN > DHCP screen.
5 Select Server for the DHCP mode, then enter 192.168.100.10 and 192.168.100.30 as your DHCP starting and ending IP addresses.
6 Leave the other settings as their defaults and click Save.
7 Next, go to the Network Setting > WAN screen and select NAT in the Operation Mode field. Click Save.
4.4 Changing Certificate
This tutorial shows you how to import a new security certificate, which allows your device to communicate with other network servers.
Goal: Import a new security certificate into the BM2022w.
See Also: Appendix E on page 263.
1 Go to the WiMAX > Profile > Authentication Settings screen. In the EAP Supplicant section, click each Browse button and locate the security certificates that were provided by your new ISP.
4.5 Blocking Web Access
If your BM2022w is in a home or office environment you may decide that you want to block access to an Internet website. You may need to block both the website’s IP address and domain name.
Goal: Configure the BM2022w’s content filter to block a website with the domain name www.example.com.
See Also: Section 7.23 on page 126.
1 Open the Network Setting > Content Filter screen.
2 Select Enable URL Filter.
3 Select Blacklist.
1 First of all, you have to know the MAC address of the computer. If not, you can look for the MAC address in the Network Setting > LAN > DHCP screen (192.168.100.3 mapping to 00:02:E3:53:16:95 in this example).
2 Click Security > Firewall > MAC Filter. Select Blacklist and click the Add button in the MAC Filter Rules table.
3 An empty entry appears. Enter the computer’s MAC address in the Source MAC field and leave the other fields set to their defaults. Click Save. The computer will no longer be able to access any host on the WiMAX network through the BM2022w.

4.7 Setting Up NAT Port Forwarding
Thomas recently received an Xbox 360 as his birthday gift. His friends invited him to play online games with them on Xbox LIVE.
2 NAT mode is required to use port forwarding. Click Network Setting > WAN and make sure NAT is selected in the Operation Mode field. Click Save.
3 Click Network Setting > NAT > Port Forwarding and then click the first entry to edit the rule.
4 Configure the screen as follows to open TCP/UDP port 53 for the Xbox 360. Click OK.
5 Repeat steps 2 and 3 to open the rest of the ports for the Xbox 360. The port forwarding settings you configured are listed in the Port Forwarding screen.
6 Click Save. Thomas can then connect his Xbox 360 to the Internet and play online games with his friends.
In this tutorial, all port 80 traffic is forwarded to the Xbox 360, but port 80 is also the default listening port for remote management via WWW.
changes dynamically. Dynamic DNS (DDNS) allows you to access the BM2022w using a domain name.
(Figure: http://mywimax.dyndns.org, A, w.x.y.z, a.b.c.d)
To use this feature, you have to apply for DDNS service at www.dyndns.org. This tutorial covers:
• Registering a DDNS Account on www.dyndns.org
• Configuring DDNS on Your BM2022w
• Testing the DDNS Setting
Note: If you have a private WAN IP address (see Private IP Addresses on page 260), then you cannot use DDNS.
4.8.
1 Select Enable Dynamic DNS.
2 Select dyndns.org for the service provider.
3 Select Dynamic for the service type.
4 Type mywimax.dyndns.org in the Domain Name field.
5 Enter the user name (UserName1) and password (12345).
6 Select WAN IP for the IP update policy.
7 Click Save.

4.8.3 Testing the DDNS Setting
Now you should be able to access the BM2022w from the Internet. To test this:
1 Open a web browser on the computer (using the IP address a.b.c.
N1 network) to computer B (in N2 network), the traffic is sent to the BM2022w’s WAN default gateway by default. In this case, computer B will never receive the traffic.
(Figure: N1, A, R, N2, B)
You need to specify a static routing rule on the BM2022w to specify R as the router in charge of forwarding traffic to N2. In this case, the BM2022w routes traffic from computer A to R and then R routes the traffic to computer B.
Table 11 IP Settings in this Tutorial (DEVICE / COMPUTER: IP ADDRESS)
R’s IP address on N2: 192.168.10.2
B: 192.168.10.33
To configure a static route to route traffic from N1 to N2:
1 Click Network Setting > Route > Static Route.
2 Click Add to create a new route.
3 Configure the Edit Static Route screen using the following settings:
3a Enter 192.168.10.0 and subnet mask 255.255.255.0 for the destination, N2.
3b Enter 192.168.1.
1 Open the Maintenance > Remote MGMT > HTTP screen.
2 Select Enable in both HTTP Server and HTTPS Server sections and leave the Port Number settings as “80” and “443”.
3 Select Allow Connection from WAN. This allows remote management connections not only from the local network but also from the WAN network (Internet).
4 Click Save.

4.11 VLAN Configuration Examples
This section shows VLAN configuration scenarios. See Section 7.20 on page 122 if you need more information about VLAN.
Click Network Setting > WAN. Change the BM2022w to bridge mode and then click Save. If you cannot obtain IP address settings from a WAN DHCP server, select User as the Get IP Method and enter the WAN IP Address, WAN IP Subnet Mask and Gateway IP Address.

4.11.1 Scenario 1
In this scenario, PC A is connected directly to interface LAN1 on the BM2022w. PC B is connected to interface WiMAX and interface IAD for managing the BM2022w.
1 Configure the Link Type, PVID and Tag/Untag settings for the interfaces as below by clicking each row. Then press OK.
2 Next, configure the Name, VID and Ports for the Filter Setting. The BM2022w will tag packets it receives on each interface so that they are recognized in VLAN 5. Tagged packets will be untagged when they are forwarded out of each interface since the devices attached to these interfaces do not support VLAN tagged packets.
4.11.
Note: You will need to configure the VLAN supporting switches to tag the received packets with the appropriate VLAN IDs. For example, packets received on switch S1 from PC A on the LAN would be tagged to VLAN 5.
2 Next, configure the Name, VID and Ports for the Filter Setting. Interfaces LAN1 and WiMAX are Trunk links, so the BM2022w will recognize VLAN 5 and VLAN 10 tagged packets it receives on these interfaces from the VLAN supporting switches. VLAN tagged packets will also be forwarded out of these interfaces. Interface IAD is configured as an Access port, so tagged packets will be untagged when they are forwarded.
4.11.
Note: You will need to configure the VLAN supporting switches to tag the received packets with the appropriate VLAN IDs. For example, packets received on switch S1 from PC B on the LAN would be tagged to VLAN 5.
2 Next, configure the Name, VID and Ports for the Filter Setting. Interfaces LAN1 and WiMAX are Trunk links. On the WiMAX interface, the BM2022w will recognize VLAN 5 tagged packets it receives from the VLAN supporting switch. VLAN tagged packets will also be forwarded out of this interface. On the LAN1 interface, the BM2022w will tag packets it receives so that they are recognized in VLAN 5.
Note: You will need to configure the VLAN supporting switches to tag the received packets with the appropriate VLAN IDs. For example, packets received on switch S1 from PC C on the LAN would be tagged to VLAN 10.
2 Next, configure the Name, VID and Ports for the Filter Setting. Interfaces LAN1 and WiMAX are Trunk links. On the WiMAX interface the BM2022w will recognize VLAN 5 and VLAN 10 tagged packets it receives from the VLAN supporting switch. VLAN tagged packets will also be forwarded out of these interfaces. On the LAN1 interface, the BM2022w will tag packets it receives so that they are recognized in VLAN 10.
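The VLAN scenarios above all come down to three per-interface settings (Link Type, PVID, Tag/Untag) plus the Filter Setting membership table. The model below is an added example, not code from the BM2022w or its guide, that applies those rules to single frames so you can check which interfaces a frame reaches and whether it leaves tagged; the two scenario configurations and the frames are constructed here to match the descriptions, and the rule that a tagged frame arriving on an Access link is dropped is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Interface:
    name: str
    link_type: str      # "Access" or "Trunk" (the Link Type column)
    pvid: int           # PVID: VLAN assigned to frames that arrive untagged
    untag_egress: bool  # Tag/Untag column: True = strip the tag when forwarding out

def classify_ingress(iface: Interface, wire_vid: Optional[int]) -> Optional[int]:
    """VLAN a received frame belongs to, or None if it is dropped.

    Untagged frames take the interface PVID (the guide's "tag packets it
    receives so that they are recognized in VLAN 5"). Tagged frames are only
    accepted on Trunk links; devices behind Access links do not send tags
    (assumption: a tagged frame on an Access link is dropped).
    """
    if wire_vid is None:
        return iface.pvid
    return wire_vid if iface.link_type == "Trunk" else None

def forward(ifaces: dict, filters: dict, ingress: str, wire_vid: Optional[int]) -> dict:
    """Flood one frame through the BM2022w.

    filters maps VID -> set of member interface names (the Filter Setting
    table: Name, VID, Ports). Returns {egress interface: VID on the wire},
    with None meaning the frame leaves untagged. An empty dict means the
    frame is not forwarded anywhere.
    """
    vid = classify_ingress(ifaces[ingress], wire_vid)
    members = filters.get(vid, set())
    if vid is None or ingress not in members:
        return {}
    return {n: (None if ifaces[n].untag_egress else vid)
            for n in members if n != ingress}

# Scenario 1 (constructed): every interface is an Access link in VLAN 5.
# Untagged ingress is classified as VLAN 5; tags are stripped on egress.
SCENARIO_1 = {
    "ifaces": {
        "LAN1": Interface("LAN1", "Access", 5, True),
        "WiMAX": Interface("WiMAX", "Access", 5, True),
        "IAD": Interface("IAD", "Access", 5, True),
    },
    "filters": {5: {"LAN1", "WiMAX", "IAD"}},
}

# Scenario 2 (constructed): LAN1 and WiMAX are Trunk links carrying VLAN 5
# and VLAN 10 from VLAN-aware switches; IAD is an Access port in VLAN 5 only.
SCENARIO_2 = {
    "ifaces": {
        "LAN1": Interface("LAN1", "Trunk", 5, False),
        "WiMAX": Interface("WiMAX", "Trunk", 5, False),
        "IAD": Interface("IAD", "Access", 5, True),
    },
    "filters": {5: {"LAN1", "WiMAX", "IAD"}, 10: {"LAN1", "WiMAX"}},
}

if __name__ == "__main__":
    s2 = SCENARIO_2
    print("VLAN 10 from WiMAX:", forward(s2["ifaces"], s2["filters"], "WiMAX", 10))
    print("VLAN 5 from WiMAX:", forward(s2["ifaces"], s2["filters"], "WiMAX", 5))
```

Running the scenario 2 cases shows the isolation property the configuration is meant to give: VLAN 10 frames are carried between the trunks but never reach the IAD management interface, and a frame tagged for an unconfigured VID is not forwarded at all.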
PART II Technical Reference
CHAPTER 5 System Status

5.1 Overview
Use this screen to view a summary of your BM2022w connection status.

5.2 System Status
This screen allows you to view the current status of the device, system resources, and interfaces (LAN and WAN). Click System Status to open this screen as shown next.
Figure 22 System Status
The following tables describe the labels in this screen.
Table 12 Status (LABEL: DESCRIPTION)
System Information
System Model Name: This field displays the BM2022w system model name.
Table 12 Status (continued)
CROM Version: This field displays the CROM version number.
Firmware Version: This field displays the current version of the firmware inside the device.
Firmware Date: This field shows the date the firmware version was created.
System Time: This field displays the current system time.
Uptime: This field displays how long the BM2022w has been running since it last started up.
Table 12 Status (continued)
Subnet Mask: This field indicates the current subnet mask on the WAN.
Gateway: This field indicates the IP address of the gateway to which the BM2022w is connected.
MTU: This field indicates the Maximum Transmission Unit (MTU) between the BM2022w and the ISP servers to which it is connected.
DNS: This field indicates the Domain Name Server (DNS) to which your BM2022w is connected.
CHAPTER 6 WiMAX

6.1 Overview
This chapter shows you how to set up and manage the connection between the BM2022w and your ISP’s base stations.

6.1.1 What You Need to Know
The following terms and concepts may help as you read through this chapter.
WiMAX: WiMAX (Worldwide Interoperability for Microwave Access) is the IEEE 802.16 wireless networking standard, which provides high-bandwidth, wide-range wireless service across wireless Metropolitan Area Networks (MANs).
WiMAX technology uses radio signals (around 2 to 10 GHz) to connect subscriber stations and mobile stations to local base stations. Numerous subscriber stations and mobile stations connect to the network through a single base station (BS), as in the following figure.
Figure 24 WiMAX: Multiple Mobile Stations
A base station’s coverage area can extend over many hundreds of meters, even under poor conditions.
Frequency Ranges
The following figure shows the BM2022w searching a range of frequencies to find a connection to a base station.
Figure 26 Frequency Ranges
In this figure, A is the WiMAX frequency range. “WiMAX frequency range” refers to the entire range of frequencies the BM2022w is capable of using to transmit and receive (see the Product Specifications appendix for details). In the figure, B shows the operator frequency range.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.
CINR: Carrier to Interference-plus-Noise Ratio (CINR) measures the effectiveness of a wireless signal and plays an important role in allowing the BM2022w to decode signal bursts.
Click WiMAX > Profile > Connection Settings to open this screen as shown next.
Figure 27 Connection Settings Screen
This screen contains the following fields:
Table 13 Connection Settings (LABEL: DESCRIPTION)
Connection Option Settings
Auto Reconnect: Select the interval in seconds that the BM2022w waits after getting disconnected from the base station before attempting to reconnect.
Auto Connect Mode: Select the auto connect mode.
Table 13 Connection Settings (continued)
Mode Select: Select how the BM2022w connects to the base station.
• Auto Connect Mode - The device connects automatically to the first base station in range.
• Network Search Mode - The device scans for available base stations then connects to the best one it can.
BSID: This displays the MAC address of a base station within range of the BM2022w.
Click WiMAX > Profile > Frequency Settings to open this screen as shown next.
Figure 28 Frequency Settings Screen (By List) (callouts A, B)
Figure 29 Frequency Settings Screen (By Range) (callouts A, B)
This screen contains the following fields:
Table 14 Frequency Settings (LABEL: DESCRIPTION)
Setting Type: Select whether to scan base stations by entering specific frequency(-ies) (By List) or a range of frequencies (By Range).
Table 14 Frequency Settings (continued)
Bandwidth (MHz): This displays the bandwidth of the frequency band in megahertz (MHz). If you set a center frequency to 2600000 KHz with the bandwidth of 10 MHz, then the frequency band is from 2595000 to 2605000 KHz. Click the number to modify it. Enter the bandwidth of the frequency band in this field when you are adding an entry.
Delete: Click this button to remove an item from the list.
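The By Range / By List / Step fields of the Setup Wizard's WiMAX Frequency Settings (Table 7) and the centre-frequency-plus-bandwidth band described in Table 14 can be checked before they go into the device. The following is an added example, not code from the BM2022w or its guide: it enumerates the centre frequencies a By Range or By List entry produces, derives each channel's band edges, and drops channels whose band would spill outside a valid band. The valid-band limits and the scan values used below are constructed for illustration, and the spill-over check is an assumption of this example (Table 16 only states that channel plan ranges must be within the Valid Band).

```python
def frequency_band_khz(center_khz: int, bandwidth_mhz: float) -> tuple:
    """(low, high) edges in KHz of a channel centred at center_khz.

    Table 14 example: centre 2600000 KHz with 10 MHz bandwidth gives the
    band 2595000 to 2605000 KHz.
    """
    half_khz = int(bandwidth_mhz * 1000 / 2)
    return center_khz - half_khz, center_khz + half_khz

def candidates_by_range(start_mhz: float, end_mhz: float, step_mhz: float) -> list:
    """By Range: every centre frequency from start to end (inclusive),
    increasing by Step MHz each time. Result is in KHz, as the device shows it."""
    if step_mhz <= 0:
        raise ValueError("Step must be a positive number of MHz")
    if end_mhz < start_mhz:
        raise ValueError("end frequency must not be below the start frequency")
    start_khz, end_khz, step_khz = (int(round(v * 1000)) for v in (start_mhz, end_mhz, step_mhz))
    return list(range(start_khz, end_khz + 1, step_khz))

def candidates_by_list(entries_mhz) -> list:
    """By List: individual centre frequencies in MHz, duplicates removed, sorted, in KHz."""
    return sorted({int(round(v * 1000)) for v in entries_mhz})

def scan_plan(candidates_khz, bandwidth_mhz: float, valid_band_khz: tuple) -> list:
    """Channels (centre, low, high) whose whole band lies inside valid_band_khz.

    A channel whose band edge crosses the valid band is left out rather than
    scanned (assumption of this example).
    """
    valid_low, valid_high = valid_band_khz
    plan = []
    for centre in candidates_khz:
        low, high = frequency_band_khz(centre, bandwidth_mhz)
        if low >= valid_low and high <= valid_high:
            plan.append((centre, low, high))
    return plan

if __name__ == "__main__":
    # Constructed values: 2500 to 2520 MHz in 5 MHz steps, 10 MHz channels,
    # with an illustrative valid band of 2496000 to 2690000 KHz.
    for centre, low, high in scan_plan(candidates_by_range(2500, 2520, 5), 10, (2496000, 2690000)):
        print(f"centre {centre} KHz -> band {low} to {high} KHz")
```

The first candidate, 2500000 KHz, is omitted from the printed plan because its lower edge (2495000 KHz) lies below the constructed valid band.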
Click WiMAX > Profile > Authentication Settings to open this screen as shown next.
This screen contains the following fields:
Table 15 Authentication Settings (LABEL: DESCRIPTION)
Authentication Mode: Select the authentication mode from the list. The BM2022w supports the following authentication modes:
• No authentication
• User authentication
• Device authentication
• User and device authentication
Data Encryption
AES-CCM: Select this to enable AES-CCM encryption. CCM combines counter-mode encryption with CBC-MAC authentication.
Table 15 Authentication Settings (continued)
Inner Mode: Sets the EAP-TTLS inner mode. The BM2022w supports the following:
• MS-CHAP v2 - This is version 2 of Microsoft’s variant of Challenge Handshake Authentication Protocol (CHAP). It allows for mutual authentication between devices.
• MS-CHAP - This is Microsoft’s variant of Challenge Handshake Authentication Protocol (CHAP). It allows for mutual authentication between devices.
Home NSP). Through the NAP’s base station, which is identified by a NAP-ID, the subscriber’s BM2022w can access the Internet through a network service provider (NSP). Access can be through another network service provider (Visited-Network Service Provider or V-NSP) or his own network service provider (Home NSP), depending on his service agreement. In the following scenario, the subscriber’s BM2022w cannot reach a base station owned by his Home NSP (base station with NAP-ID = 1).
This screen contains the following fields:
Table 16 Channel Plan Settings (LABEL: DESCRIPTION)
Channel Plan Settings - You can configure multiple ranges of frequencies to scan for different NAPs. The configured frequency ranges to scan must be within the Valid Band. Specify the Channel Plan to scan for each NAP on the CAPL Settings: Add screen (Section 6.6.1 on page 82).
Start Frequency (KHz): This indicates the beginning of a frequency band in kilohertz (KHz). Click this field to modify it.
Click WiMAX > ND&S > CAPL Settings to open this screen as shown next.
Figure 33 CAPL Settings
This screen contains the following fields:
Table 17 CAPL Settings (LABEL: DESCRIPTION)
NAP ID: This displays the NAP ID.
Priority: This displays the priority for the NAP ID.
Channel Plan ID: This displays the Channel Plan ID.
Delete: Click this button to remove an item from the list.
Add: Click this button to add an item to the list.
Save: Click this to save the changes made.
This screen contains the following fields:
Table 18 CAPL Settings: Add (LABEL: DESCRIPTION)
NAP ID: Specify the NAP ID in the format XX:XX:XX where X is a hexadecimal character. The NAP ID is typically the first three blocks of the BSID of the base station.
Priority: Specify the priority for the NAP ID. Enter 1-250 where 1 is the highest priority. The BM2022w will search for NAPs according to the priority specified.
This screen contains the following fields:
Table 19 RAPL Settings (LABEL: DESCRIPTION)
NSP ID: Specify the Network Service Provider (NSP) ID in the format XX:XX:XX where X is a hexadecimal character. If the Home NSP ID is entered in this list, the BM2022w will try to use it to establish a connection.
Priority: Specify the priority for the NSP. Enter 1-250 where 1 is the highest priority.
Delete: Click this button to remove an item from the list.
Table 20 Home NSP Settings (continued)
RAPL Policy: Select Strict to only allow V-NSPs specified in the RAPL to be used for establishing connections to the H-NSP. Select Partially Flexible to allow the BM2022w to use V-NSPs not specified in the RAPL to connect to the H-NSP. Before attempting V-NSPs not specified in the RAPL, the BM2022w first tries the V-NSPs specified in the RAPL to connect to the H-NSP.
Click WiMAX > Connect to open this screen as shown next.
Figure 37 Connect Screen
This screen contains the following fields:
Table 21 Connect
Applied Frequency Information: This table shows the scanning results produced by the WiMAX > Profile > Frequency Settings and WiMAX > Wide Scan screens.
Table 21 Connect (continued)
Connected Mode: Select a connect mode:
• Auto Connect Mode - This allows the BM2022w to connect to any of the base stations on the list automatically.
• Network Search Mode - This allows the BM2022w to connect to a user-specified base station. Select this option, choose a base station, and click Connect.
• NSP Mode - This allows the BM2022w to connect to a base station with a user-specified NSP ID.
Table 21 Connect (continued)
Device Status: This field displays the BM2022w’s current status for connecting to the selected base station.
• Scanning - The BM2022w is scanning for available base stations.
• Ready - The BM2022w has finished scanning and you can connect to a base station.
• Connecting - The BM2022w is attempting to connect to the selected base station.
• Connected - The BM2022w has successfully connected to the selected base station.
Click WiMAX > Wide Scan to open this screen as shown next.
Figure 38 Wide Scan Screen
This screen contains the following fields:
Table 22 Wide Scan
Wide Scan Settings
Auto Wide Scan: Use this to enable (Yes) or disable (No) automatic scanning for base stations.
Wide Scan Range
Start Frequency (KHz): Enter the start frequency in kilohertz (KHz) for a wide scan range.
End Frequency (KHz): Enter the end frequency in kilohertz (KHz) for a wide scan range.
6.10 Link Status
This screen provides a general overview of the current WiMAX connection with the service provider. Click WiMAX > Link Status to open this screen as shown next.
Figure 39 Link Status Screen
This screen contains the following fields:
Table 23 Link Status
Profile: This field displays the profile name.
BSID: This field displays the MAC address of the base station to which the BM2022w is currently connected.
Table 23 Link Status (continued)
Handover Fail: This field displays how many times the BM2022w has failed to switch its connection from one base station to another since the BM2022w last restarted.
Handover Maximum Latency: This field displays the maximum latency for switching connections from one base station to another since the BM2022w last restarted.
This screen contains the following sections:
Table 24 Link Statistics
Link: This section provides a detailed overview of link statistics.
HARQ: This section provides a detailed overview of Hybrid Automatic Repeat Request link statistics.
TX/RX: This section provides a detailed overview of transmission and receiving link statistics.
MCS: This section provides a detailed overview of Modulation and Coding Sequence (MCS) link statistics.
This screen contains the following fields:
Table 26 Service Flow
SFID: This displays a 32-bit service flow identifier.
SF Status: This displays the service flow status.
SF Direction: This displays the service flow direction.
6.14 Antenna
This option lets you choose which type of antenna you wish to use in the device: Internal or External. The device has both, and switching between them might give you a better connection.
CHAPTER 7 Network Setting
7.1 Overview
This chapter shows you how to configure the BM2022w’s network setting.
7.1.1 What You Need to Know
The following terms and concepts may help as you read through this chapter.
IP Address
IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.
Chapter 7 Network Setting
If the Primary and Secondary DNS Server fields are not specified, for instance, left as 0.0.0.0, the BM2022w tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the BM2022w, the BM2022w forwards the query to the real DNS server learned through IPCP and relays the response back to the computer. Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions.
192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.
Figure 44 Multiple Servers Behind NAT Example
Trigger Ports
Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.
UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.
NAT Traversal
UPnP NAT traversal automates the process of allowing an application to operate through NAT.
Click Network Setting > WAN to open this screen as shown next.
Figure 45 WAN Screen
This screen contains the following fields:
Table 28 WAN
Operation Mode: Select the BM2022w’s operational mode.
• Bridge - This puts the BM2022w in bridge mode, acting as a transparent middle man between devices on the LAN and the devices on the WAN.
WAN Protocol
Table 28 WAN (continued)
WAN IP Request Timeout: Enter the number of seconds the BM2022w waits for an IP from the ISP before it times out.
WAN IP Address: If the BM2022w gets its IP from the user, enter the IP address it is to use.
WAN IP Subnet Mask: If the BM2022w gets its IP from the user, enter the subnet mask it is to use.
Gateway IP Address: If the BM2022w gets its gateway IP address from the user, enter the IP address it is to use.
This screen contains the following fields:
Table 29 PPPoE
User Name: Enter the username for PPPoE login into the WAN network.
Password: Enter the password for PPPoE login into the WAN network.
Retype Password: Retype the password to confirm it.
Auth Protocol: Select a PPPoE authentication protocol.
This screen contains the following fields:
Table 30 GRE
Peer IP Address: Enter the IP address of the GRE peer.
7.5 EtherIP
Use these settings to configure the peer setting of the EtherIP tunnel between the WiMAX Device and another EtherIP peer. Click Network Setting > WAN > EtherIP to open this screen as shown next.
7.7 DHCP
Use these settings to configure whether the WiMAX Device functions as a DHCP server for your local network, or a DHCP relay between the local network and the service provider. You can also disable the DHCP functions. Click Network Setting > LAN > DHCP to open this screen as shown next.
Table 33 DHCP (continued)
Lease Time: Enter the duration in minutes that devices on the LAN retain their DHCP-issued IP addresses. At the end of the lease time, they poll the BM2022w for a renewed or replacement IP.
Relay IP: Enter the IP address to be used.
DNS Server Assigned by the DHCP Server
First~Third DNS Server: Select how the BM2022w acquires its DNS server address.
• None - Select this to not use a DNS server.
Click Network Setting > WLAN to open this screen as shown next.
Figure 51 WLAN Screen
This screen contains the following fields:
Table 34 Network Setting > WLAN
WiFi Settings
Enable WLAN: Select this to activate the wireless LAN.
WLAN Mode: Select 802.11B/G mixed to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the BM2022w. Select 802.11B only to allow only IEEE 802.11b compliant WLAN devices to associate with the BM2022w.
Table 34 Network Setting > WLAN (continued)
SSID
WEP Settings
Note: You will only see these options if you selected WEP as the Encryption Type.
Authentication Method: Select the type of authentication used to join the network: OPEN SYSTEM or SHARED KEY.
WEP Encryption Length: Select the length of the encryption key: 64-bit or 128-bit.
Key 1 - 4: Pick one of four available keys. The key can be in either HexaDecimal (HEX) or ASCII format.
This screen contains the following fields:
Table 35 WPS
Enable WPS: Select Enable and click Apply to activate WPS on the BM2022w. Select Disable and click Apply to deactivate WPS.
Start WPS PBC: This field is available after you select Enable in the Enable WPS field and click Apply. Click this to activate the Push Button Configuration. After clicking this you will be able to use the WPS button at the back of the device to add new wireless clients.
Table 36 MAC Address Filter
Name: Type the name of the device. The name can be up to 20 characters long, and any combination of letters, numbers or symbols.
MAC Address: Enter the MAC addresses of the wireless devices that are allowed or denied access to the BM2022w in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
Click Add in the Network Setting > Route > Static Route screen to open this screen as shown next.
Figure 55 Static Route Screen
This screen contains the following fields:
Table 38 Static Route
Destination IP: Enter the destination IP address of the static route.
Subnet Mask: Enter the subnet mask of the static route.
Next Hop: Select Interface and then select WAN or LAN for the next hop of the static route.
Click Network Setting > Route > RIP to open this screen as shown next.
Figure 56 RIP Screen
This screen contains the following fields:
Table 39 RIP
General Setup
Enable: Select this to enable RIP on the BM2022w.
Redistribute
Active: This indicates whether a route is being redistributed.
Type: This indicates what type of route is being redistributed.
Metric: This indicates the metric that is being used for redistribution.
Table 39 RIP (continued)
Authentication: Use this option to enable or disable RIP authentication.
Authentication ID: Enter the authentication ID to use for RIP authentication.
Authentication Key: Enter the authentication key to use for RIP authentication.
7.14 Port Forwarding
Use these settings to forward incoming service requests to the ports on your local network.
Table 40 Port Forwarding (continued)
Server IP: This displays the IP address of the server to which packets for the selected port(s) are forwarded.
Delete: Click this to delete a specified rule.
Wizard: Click this to open the port forwarding “wizard”.
Add: Click this to add a new port forwarding rule.
OK: Click this to save any changes made to the port forwarding list.
7.15 Port Trigger
Use these settings to automate port forwarding and allow computers on the local network to provide services that would normally require a fixed address on the local network. Click Network Setting > NAT > Port Trigger to open this screen as shown next.
Figure 59 Port Trigger Screen
This screen contains the following fields:
Table 42 Port Trigger
Active: This indicates whether the port trigger rule is active or not.
Table 42 Port Trigger (continued)
Delete: Click this to delete a specified rule.
Wizard: Click this to open the port trigger “wizard”.
Add: Click this to add a new port trigger rule.
OK: Click this to save any changes made to the port trigger list.
7.15.2 Trigger Port Forwarding Example
The following is an example of trigger port forwarding. In this example, J is Jane’s computer and S is the Real Audio server.
Figure 61 Trigger Port Forwarding Example
1 Jane requests a file from the Real Audio server (port 7070).
2 Port 7070 is a “trigger” port and causes the BM2022w to record Jane’s computer IP address. The BM2022w associates Jane's computer IP address with the "incoming" port range of 6970-7170.
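The following is an added model of the trigger port behaviour described in this example; it is not the BM2022w's firmware. It assumes a constructed LAN address for Jane and that the most recent LAN host to use the trigger port owns the incoming range, and it shows why unsolicited traffic in the incoming range is dropped until the trigger has fired.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TriggerRule:
    """One port trigger rule: an outbound trigger port and the inbound range it opens."""
    name: str
    trigger_port: int
    incoming_start: int
    incoming_end: int

    def is_trigger(self, dst_port: int) -> bool:
        return dst_port == self.trigger_port

    def in_incoming_range(self, dst_port: int) -> bool:
        return self.incoming_start <= dst_port <= self.incoming_end


@dataclass
class PortTriggerNAT:
    """Minimal model of the NAT device: remembers which LAN host armed each rule."""
    rules: List[TriggerRule]
    armed: Dict[str, str] = field(default_factory=dict)  # rule name -> LAN IP

    def outbound(self, lan_ip: str, dst_port: int) -> Optional[str]:
        """LAN -> WAN packet. If dst_port is a trigger port, record lan_ip for that rule.

        Modelling assumption: the most recent LAN host to hit the trigger owns the rule.
        """
        for rule in self.rules:
            if rule.is_trigger(dst_port):
                self.armed[rule.name] = lan_ip
                return rule.name
        return None

    def inbound(self, dst_port: int) -> Optional[str]:
        """WAN -> LAN packet. Return the LAN IP it is forwarded to, or None if dropped.

        Traffic in the incoming range is dropped until a LAN host has used the trigger
        port; this is what makes a trigger rule narrower than a permanent forwarding rule.
        """
        for rule in self.rules:
            if rule.in_incoming_range(dst_port) and rule.name in self.armed:
                return self.armed[rule.name]
        return None

    def disarm(self, rule_name: str) -> None:
        """Clear the association; when the device does this is an assumption here."""
        self.armed.pop(rule_name, None)


def real_audio_scenario() -> Dict[str, Optional[str]]:
    """Replay the Jane / Real Audio example with constructed addresses."""
    nat = PortTriggerNAT(rules=[TriggerRule("RealAudio", 7070, 6970, 7170)])
    jane = "192.168.1.33"  # constructed LAN address for J
    results: Dict[str, Optional[str]] = {}

    # The server tries to talk first: nothing has been triggered, so it is dropped.
    results["before_trigger"] = nat.inbound(7000)
    # 1. Jane requests a file from the Real Audio server on port 7070.
    results["armed_rule"] = nat.outbound(jane, 7070)
    # 2. Traffic arriving on 6970-7170 is now forwarded to Jane's computer.
    results["in_range"] = nat.inbound(7000)
    # Ports outside the incoming range are still dropped.
    results["out_of_range"] = nat.inbound(8000)
    # Once the association is cleared, the range closes again.
    nat.disarm("RealAudio")
    results["after_disarm"] = nat.inbound(7000)
    return results


if __name__ == "__main__":
    for step, outcome in real_audio_scenario().items():
        print(f"{step}: {outcome}")
```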
Note: The configuration you set in this screen takes priority over the Network Setting > NAT > Port Forwarding screen.
Figure 62 DMZ Screen
This screen contains the following fields:
Table 44 DMZ
DMZ Enable: Click this check box to enable DMZ.
DMZ Host: Enter the IP address of your network DMZ host, if you have one. 0.0.0.0 means this feature is disabled.
Table 45 Network Setting > NAT > ALG (continued)
Enable RTSP ALG: Turns on the RTSP ALG to detect RTSP traffic and help build RTSP sessions through the BM2022w’s NAT.
Enable SIP ALG: Turns on the SIP ALG to detect SIP traffic and help build SIP sessions through the BM2022w’s NAT.
SIP Port: If you are using a custom UDP port number (not 5060) for SIP traffic, enter it here.
Click Network Setting > UPnP to open this screen as shown next.
Figure 65 UPnP Screen
This screen contains the following fields:
Table 47 UPnP
Enable UPnP: Select this to enable UPnP on the BM2022w.
Enable NAT-PMP: Select this to enable NAT Port Mapping Protocol on the BM2022w.
7.19.1 Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
1 Click Start > Control Panel.
2 Double-click Network Connections.
4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.
5 In the Networking Services window, select the Universal Plug and Play check box.
6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
7.19.1.1 Auto-discover Your UPnP-enabled Network Device in Windows XP
This section shows you how to use the UPnP feature in Windows XP.
2 Right-click the icon and select Properties.
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
4 You may edit or delete the port mappings or click Add to manually add port mappings.
5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
6 Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray.
7 Double-click on the icon to display your current Internet connection status.
7.19.2 Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the BM2022w without finding out the IP address of the BM2022w first. This becomes helpful if you do not know the IP address of the BM2022w. Follow the steps below to access the web configurator:
1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
Click Network Setting > VLAN to open the screen as shown next.
Figure 66 VLAN Screen
This screen contains the following fields:
Table 48 VLAN
VLAN Utility
Enable VLAN: Select Yes to enable the VLAN function on the BM2022w.
Note: To use VLAN on the BM2022w, you must switch the operation mode to “bridge” on the Network Setting > WAN screen. A system restart is then required for the change to take effect.
Port Settings
#: This is the index number of the port setting.
Table 48 VLAN (continued)
PVID: A PVID (Port VLAN ID) is a tag that the BM2022w adds to untagged packets received on a port so that the packets are forwarded to the VLAN group that the tag defines. Enter a number between 1 and 4094 as the port VLAN ID.
Priority: Enter a priority level (1~7) that the BM2022w assigns to packets belonging to this VLAN. Enter “0” for no priority assigned.
Click Network Setting > DDNS to open this screen as shown next.
Figure 67 DDNS Screen
This screen contains the following fields:
Table 49 DDNS
Enable Dynamic DNS: Select this to enable dynamic DNS on the BM2022w.
Service Provider: Select the dynamic DNS service provider for the BM2022w.
Service Type: Select the dynamic DNS service type.
Domain Name: Enter the domain name.
Login Name: Enter the user name.
Password: Enter the password.
Click Network Setting > IGMP Proxy to open this screen as shown next.
Figure 68 IGMP Proxy
This screen contains the following fields:
Table 50 IGMP Proxy
Enable IGMP Proxy: Internet Group Multicast Protocol (IGMP) is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. Select this option to have the BM2022w act as an IGMP proxy.
Table 51 Content Filter (continued)
Delete: Click this to delete a specified rule.
Add: Click this to add a new filter rule.
OK: Click this to save any changes made to the list.
CHAPTER 8 Security
8.1 Overview
This chapter shows you how to configure the BM2022w’s security settings.
8.1.1 What You Need to Know
The following terms and concepts may help as you read through this chapter.
About the BM2022w’s Security Features
The BM2022w security features are designed to protect against Denial of Service attacks when activated, as well as to block access to and from specific URLs and MAC addresses.
Chapter 8 Security
This screen contains the following fields:
Table 52 IP Filter
Active: Indicates whether the current IP filter is active or not.
Source IP: This displays the source IP address for the IP filter rule. Click Add to create a new, empty rule, then enter the incoming IP address for the BM2022w to block. If you want to delete this rule, click the Delete icon.
Source Port: This displays the source port number for the IP filter rule.
Click Security > Firewall > MAC Filter to open this screen as shown next.
Figure 71 MAC Filter Screen
This screen contains the following fields:
Table 53 MAC Filter
Blacklist/Whitelist: Select either whitelist or blacklist for viewing and editing.
Source MAC: This displays the source MAC for the MAC filter rule. Click Add to create a new, empty rule, then enter the incoming MAC address for the BM2022w to block. If you want to delete this rule, click the Delete icon.
Click Security > Firewall > DDOS to open this screen as shown next.
Figure 72 DDOS Screen
This screen contains the following fields:
Table 54 DDOS
Prevent from TCP SYN Flood: Select this to monitor for and block TCP SYN flood attacks.
Prevent from UDP Flood: Select this to monitor for and block UDP flood attacks.
Prevent from ICMP Flood: Select this to monitor for and block ICMP flood attacks.
Table 54 DDOS (continued)
Prevent from PING of Death: Select this to monitor for and block ping of death attacks. A Ping of Death (POD) attack is one where larger-than-allowed ping packets are fragmented then sent against a client device. This results in the client device suffering from a buffer overflow and subsequent system crash.
Prevent from PING from WAN: Select this to ignore ping requests from the WAN.
Table 55 PPTP Server
Auth Protocol: Select the Authentication Protocol allowed for the connection. Options are:
• PAP - Password Authentication Protocol (PAP) authentication occurs in clear text and does not use encryption. It’s probably not a good idea to rely on this for security.
• CHAP - Challenge Handshake Authentication Protocol (CHAP) provides authentication through a shared secret key and uses a three way handshake.
8.6 PPTP VPN Client
Use this screen to view settings for Point to Point Tunneling Protocol (PPTP) clients. Click Security > PPTP VPN > PPTP Client to open this screen as shown next.
Figure 74 PPTP Client
This screen contains the following fields:
Table 56 PPTP Client
#: This is the index number of the connection.
Profile Name: This is the name of this client connection.
Server IP: This is the IP address of the PPTP VPN server.
Click Security > PPTP VPN > PPTP Client > Add to open this screen as shown next.
Figure 75 PPTP Client: Add
This screen contains the following fields:
Table 57 PPTP Client: Add
Profile Name: Enter the name for this client connection.
NAT Mode?: Select Yes if the client will be located behind a NAT enabled router. This will allow multiple clients using NAT to connect with PPTP at the same time.
Table 57 PPTP Client: Add (continued)
Password: Enter the password for connecting to the PPTP server.
Retype: Retype the password for connecting to the PPTP server.
Get IP automatically: Select Yes to have the PPTP server assign a local IP address to the client.
Assign IP Address: Enter the IP address for the client. Ensure that the IP address is configured to be allowed on the PPTP server.
Idle Timeout: Enter the time in minutes to timeout PPTP connections.
This screen contains the following fields:
Table 58 L2TP Server
L2TP Server Enable: Use this field to turn the BM2022w’s L2TP VPN function on or off.
Server Name: Enter the server name for the L2TP VPN connection.
Support Protocol Version: Select the L2TP Protocol Version 2 or 3. L2TPv2 is a standard method for tunneling Point-to-Point Protocol (PPP) while L2TPv3 provides improved support for other types of networks including frame relay and ATM.
Table 58 L2TP Server (continued)
Connection List
User Name: This displays the user name for the remote user.
Remote IP Address: This displays the remote endpoint IP address of the remote user.
L2TP IP Address: This displays the local IP address of the L2TP server.
Login Time: This displays the time the L2TP connection started.
Link Time(s): This displays the duration of the L2TP connection.
Disconnect: Select a client and click this button to disconnect the selected client.
Click Security > L2TP VPN > L2TP Client > Add to open this screen as shown next.
Figure 78 L2TP Client: Add
This screen contains the following fields:
Table 60 L2TP Client: Add
Profile Name: Enter the name for this client connection.
L2TP Protocol Version: Select the L2TP Protocol Version 2 or 3. L2TPv2 is a standard method for tunneling Point-to-Point Protocol (PPP) while L2TPv3 provides improved support for other types of networks including frame relay and ATM.
Table 60 L2TP Client: Add (continued)
User Name: Enter the user name for connecting to the L2TP server.
Password: Enter the password for connecting to the L2TP server.
Retype: Retype the password for connecting to the L2TP server.
Get IP automatically: Select Yes to have the L2TP server assign a local IP address to the client.
Assign IP Address: Enter the IP address for the client. Ensure that the IP address is configured to be allowed on the L2TP server.
Table 61 IPSec VPN
Local Endpoint: This displays the IP address of the BM2022w.
Remote Endpoint: This displays the IP address of the remote IPSec router.
Local Network: This displays the single (static) IP address on the LAN behind your BM2022w or the IP address and subnet mask of a network behind your BM2022w.
8.11.2 IPSec VPN: Add
Use these settings to add an IPSec VPN policy. Click Security > IPSec VPN > Add to open this screen as shown next.
This screen contains the following fields:
Table 62 IPSec VPN: Add
Property
Enable: Select Enable to activate this VPN policy.
Connection Name: Enter the name of the VPN connection.
Connection Type: Select the scenario that best describes your intended VPN connection.
• Initiator - Choose this to connect to an IPSec server. The BM2022w is the client (dial-in user) and can initiate the VPN connection.
Table 62 IPSec VPN: Add (continued)
Remote ID Type: Select IP to identify the remote IPSec router by its IP address. Select Domain Name to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
Content: The configuration of the remote content depends on the remote ID type. For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.
Table 62 IPSec VPN: Add (continued)
Key Group: Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
• DH1 - use a 768-bit random number
• DH2 - use a 1024-bit random number
• DH5 - use a 1536-bit random number
The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
SA Life Time: Type the maximum number of seconds the IKE SA can last.
Table 62 IPSec VPN: Add (continued)
Local Port: Select how the BM2022w checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the BM2022w regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings.
Table 62 IPSec VPN: Add (continued)
Encryption Algorithm: Select which key size and encryption algorithm to use in the IPSec SA.
8.12.1 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 82 IPSec Architecture
IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
8.12.2 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. At the time of writing, the BM2022w supports Tunnel mode only.
Figure 83 Transport and Tunnel Mode IPSec Encapsulation
Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
8.12.3 IKE Phases
There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.
Figure 84 Two Phases to Set Up the IPSec SA
In phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).
NAT is not normally compatible with ESP in transport mode either, but the BM2022w’s NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers.
Figure 85 NAT Router Between IPSec Routers
Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet.
addresses. The BM2022w can distinguish up to 48 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key groups when you configure a VPN rule (see Section 8.11.1 on page 141). The ID type and content act as an extra level of identification for incoming SAs. The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address.
8.12.9 Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit, 1024-bit, 1536-bit, 2048-bit, and 3072-bit Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated.