TL-ER6020 v1 User Guide
Page 9
...Thanks for choosing the SafeStream™ Gigabit Dual-WAN VPN Router TL-ER6020. 2.1 Overview of the Router The SafeStream™ Gigabit Dual-WAN VPN Router TL-ER6020 from TP-LINK possesses excellent data processing capability and multiple powerful functions including IPsec/PPTP/L2TP VPN, Load Balance, Access Control, Bandwidth ...DDRII high-speed RAM allows the stability and reliability for operation. Virtual Private Network (VPN) + Providing comprehensive IPsec VPN with DES/3DES/AES encryptions, MD5/SHA1 identifications and automatically/manually IKE Pre-Share Key exchanges. + Supporting PPTP/...
Page 11
Supports Diagnostic (Ping/Tracert) and Online Detection VPN Supports IPsec VPN and provides up to 50 IPsec VPN tunnels Supports IPSec VPN in LAN-to-LAN or Client-to-LAN Provides DES, 3DES, AES128, AES152, AES256 encryption, MD5, SHA1 authentication Supports IKE Pre-Share ...; Supports IP-MAC Binding Supports GARP (Gratuitous ARP) Deploys One-Click restricting of IM/P2P applications 2.3 Appearance 2.3.1 Front Panel The front panel of TL-ER6020 is shown as the following figure.
Page 59
Choose the menu Advanced→NAT→ALG to keep the default setting if no special requirement. H.323 is enabled. IPsec ALG: Enable or disable IPsec ALG. PPTP ALG: Enable or disable PPTP ALG. The default setting is used for limiting various data flows. The default setting is .... 3.3.2 Traffic Control Traffic Control functions to control the bandwidth by configuring rules for various applications such as FTP, H.323, SIP, IPsec and PPTP will work properly only when ALG (Application Layer Gateway) service is enabled. Figure 3-34 ALG The following page.
Page 88
...developed and used to negotiate the parameters, key exchange algorithm and encryption to establish an ISAKMP SA for security protocols in IPsec and create IPsec SA to all the users on three underlying security protocols, ISAKMP (Internet Security Association and Key Management Protocol), Oakley ... secure the transmission data. SKEME describes another key exchange mode different from those described by TL-ER6020 contain Layer 3 IPsec and Layer 2 L2TP/PPTP. 3.5.1 IKE In the IPsec VPN, to ensure a secure communication, the two peers should encapsulate and de-encapsulate the packets using...
Page 89
The IKE policy can configure the related parameters for identification and management purposes. Choose the menu VPN→IKE→IKE Policy to IPsec policy. Figure 3-58 IKE Policy The following items are displayed on this page you can be applied to load the following page. 3.5.1.1 IKE Policy On this screen: IKE Policy Policy Name: Specify a unique name to the IKE policy for IKE negotiation.
Page 91
... page. DPD Interval: Enter the interval after which the DPD is triggered. List of IKE Policy In this table, you can be applied to IPsec proposal. Options include: MD5: MD5 (Message Digest Algorithm) takes a message of arbitrary length and generates a 128-bit message digest. SHA1: SHA1 (Secure Hash...
Page 92
... for checking the integrity of services and protocols defined by the action buttons. 3.5.2 IPsec IPsec (IP Security) is used in bits. To ensure a secured communication, the two IPsec peers use IPsec protocol to negotiate the data encryption algorithm and the security protocols for IP packets and...table, you can view the information of IKE Proposals and edit them by IETF (Internet Engineering Task Force) to data de-encryption. IPsec has two important security protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload). The DH Group sets the strength of plain ...
Page 93
3.5.2.1 IPsec Policy On this screen: General You can enable/disable IPsec function for the Router here. IPsec Policy Policy Name: Specify a unique name to the IPsec policy. Up to load the following items are displayed on this page, you can be entered. Figure 3-60 IPsec Policy The following page. Choose the menu VPN→IPsec→IPsec Policy to 28 characters can define and edit the IPsec policy.
Page 94
...address and subnet mask. Specify the local WAN port for the VPN tunnel are covered by this option when the client is needed. Select IPsec Proposal on your LAN are manually inputted and no policy selection, add new policy on VPN→IKE→IKE Policy page. The "... is a host. Options include: LAN-to-LAN: Select this option when the client is selected as the negotiation mode. Up to four IPsec Proposals can be selected on the remote network are generated automatically via IKE negotiations. Manual: All settings (including the keys) for this WAN ...
Page 95
... here must match the Incoming SPI value at the other end of the key created in the corresponding IPsec Proposal. As it is created based on Manual mode. The inbound key here must match the outbound ... ESP Authentication Key manually if ESP protocol is used in Phase2 is easy to first create the IPsec Proposal. You need to be de-encrypted, in this key can be secure even when the key...key in Phase1 and thus once the key in Phase1 is de-encrypted, the key in the corresponding IPsec Proposal. The inbound key here must match the Outgoing SPI value at the other end of the ...
Page 96
...versa. ESP Authentication Key-Out: Specify the outbound ESP Authentication Key manually if ESP protocol is used in Figure 3-60 indicates: this is an IPsec tunnel, the local subnet is 192.168.0.0/24, the remote subnet is 192.168.3.0/24 and this page, you can view the information of... subnet. 3.5.2.2 IPsec Proposal On this tunnel is using IKE automatic negotiation. Tips: ● 0.0.0.0.0/32 indicates all IP addresses. ● Refer to load the following page. -...
Page 97
...the algorithm used . Security Protocol: Select the security protocol to be applied to verify the integrity of 2 in addition to the IPsec Proposal for AH authentication. Options include: AH: AH (Authentication Header) provides data origin authentication, data integrity and anti...a message less than the 64th power of the data for identification and management purposes. Figure 3-61 IPsec Proposal The following items are displayed on this screen: IPsec Proposal Proposal Name: Specify a unique name to origin authentication, data integrity, and anti-replay services...
Page 98
... DES (Data Encryption Standard) encrypts a 64-bit block of remote peer are 172.30.70.151 and 172.30.70.161 respectively. Figure 3-62 IPsec SA Figure 3-62 displays the connection status of the NO.1 entry in the List of 2 in bits and generates a 160-bit message digest. As.... The ingoing SPI value and The key should be 24 characters. ESP Encryption: Select the algorithm used to verify the integrity of the IPsec SA (Security Association). AES128: Uses the AES algorithm and 128-bit key for ESP encryption. Options include: NONE: Performs no encryption. The key ...
Page 101
... server's IP assignment. Specify the maximum connections that the tunnel can support. This item is acceptable. If enabled, the L2TP tunnel will be encrypted by IPsec, and the PPTP tunnel will be encrypted by a router. Client-to this L2TP/PPTP server. Select the IP Pool Name to enable the encryption...
Page 135
...IKE Proposal Choose the menu VPN→IKE→IKE Proposal to guarantee a secured communication. The following takes IPsec settings of the Router in the headquarters via the TP-LINK VPN routers between the headquarters and the remote branch office to load the configuration page. Moreover, you can ...create the VPN tunnel via PPTP dial-up connection. 4.3.2.1 IPsec VPN 1) IKE Setting To configure the IKE function, ...
Page 137
Figure 4-5 IKE Policy Tips: For the VPN Router in the remote branch office, the IKE settings should be the same as the Router in the headquarters. 2) IPsec Setting To configure the IPsec function, you should create an IPsec Proposal firstly. IPsec Proposal Choose the menu VPN→IPsec→IPsec Proposal to load the following page. Settings: Proposal Name: Security Protocol: ESP Authentication: proposal_IPsec_1 ESP MD5
Page 138
Figure 4-6 IPsec Proposal IPsec Policy Choose the menu VPN→IPsec→IPsec Policy to apply. Settings: IPsec: Enable Policy Name: IPsec_1 Status: Activate Mode LAN-to-LAN Local Subnet: 192.168.0.0/24 Remote Subnet: 172.31.10.0/24 WAN: WAN1 Remote Gateway: 116.31.85.133 Exchange Mode IKE IKE Policy: IKE_1 IPsec Proposal: proposal_IPsec_1 (you just created) PFS: DH1 SA Lifetime: 3600 Click the button to add the new entry to the list and click the button to load the configuration page. ESP Encryption: 3DES Click the button to apply.
Page 139
Enter the Pool Name and the IP Address Range as the following page. After the IPsec VPN tunnel of IPsec SA 4.3.2.2 PPTP VPN Setting IP Address Pool Choose the menu VPN→L2TP/PPTP→IP Address Pool to load the following figure shown. ... should be set to apply. Figure 4-8 List of the two peers is established successfully, you can view the connection information on the VPN→IPsec→IPsec SA page. Click the button to the IP address of the Router in the headquarters. Figure...
Page 162
... Standards IEEE 802.3, IEEE 802.3u, IEEE 802.3ab, IEEE 802.3x, TCP/IP, DHCP, ICMP, NAT, PPPoE, SNTP, HTTP, DNS, L2TP, PPTP, IPsec Two 10/100/1000M Auto-Negotiation WAN RJ45 port (Auto MDI/MDIX) Ports Two 10/100/1000M Auto-Negotiation LAN RJ45 ports (Auto MDI/MDIX... of Cat. 3 or above Transmission Medium 100Base-TX: UTP/STP of Cat. 5 or above 1000Base-T: UTP/STP of Cat.5, Cat.5e, Cat.6 LEDs PWR, SYS, Link/Act, Speed, DMZ Power 100-240V~ 50/60Hz 0.6A Operating Temperature: 0°C ~ 40°C Storage Temperature: -40°C ~ 70°C Operating Environment Operating Humidity:...
Page 166
... meters). High-speed, low-error data network covering a relatively small geographic area (up to Protocol) transfer files, such as IPSec) that require keys. IKE (Internet Key Exchange) IKE establishes a shared security policy and authenticates keys for addressing, type-... devices to communicate with each Router/firewall/host must verify the identity of its peer. Before any IPSec traffic can be passed, each other companies and individuals. IPsec(IP Security) A framework of CODECs, call setup and negotiating procedures, and basic data...