3.3.1.1 Cellular

The Cellular page displays the configuration and status of the IG902’s dial-up interface. You can set dial-up interface parameters to connect the IG902 to a cellular network or view details about the dial-up interface on this page. Follow these steps to configure the dial-up interface:

1. Choose Network > Network Interfaces > Cellular to display the Cellular page.
2. Select Enable Cellular.
3. Set the parameters (default settings recommended). For details about these parameters, see cellular network parameter description.
4. Click Submit to complete the configuration of the dial-up interface.

The cellular network parameters are described as follows:

• Enable Cellular: enables or disables the cellular network connection.
• Profile
  • Network Type: specifies the type of the mobile network to which the gateway is connected, which can be GSM or CDMA.
  • APN: specifies the access point name (APN) that identifies the service type of a WCDMA/LTE network. A WCDMA/LTE system provides services based on the APN of the connected WCDMA/LTE network. (This parameter does not need to be set for the CDMA2000 series.)
  • Access Number: specifies the dial string provided by the network operator. Obtain this dial string from your network operator.
    • If your 3G/LTE data card supports WCDMA or LTE, the default dial string is *99***1#.
    • If your 3G data card supports CDMA 2000, the default dial string is #777.
  • Auth Method
    • Auto: selects an authentication method automatically.
    • PAP: specifies the Password Authentication Protocol, a simple plain-text authentication method implemented through two-way handshakes.
    • CHAP: specifies the Challenge Handshake Authentication Protocol, a security authentication method that verifies message digests through three-way handshakes.
    • MS-CHAP: specifies the CHAP standard defined by Microsoft.
    • MS-CHAPv2: specifies the upgraded version of MS-CHAP, which requires two-way authentication.
  • Username: specifies the user name used for connection to the public data network (PDN). It is provided by your network operator. The default value is gprs.
  • Password: specifies the password of the PDN user. It is provided by your network operator. The default value is gprs.
• Dual SIM Enable: enables or disables the dual-SIM card mode.
  • Main SIM: specifies the main SIM card used. Options are SIM1, SIM2, Random, and Sequential.
  • Max Number Of Dial: specifies the maximum number of dial-up attempts on SIM1. When the number of dial-up failures reaches this number, the gateway switches to SIM2.
  • Min Connected Time: specifies the minimum network connection duration after the gateway dials up successfully. Within this duration, the number of dial-up attempts is counted. When the connection duration exceeds the set value, the number of dial-up attempts is reset. When the value is set to 0, this function is disabled.
  • Backup SIM Timeout: specifies the timeout period of the backup SIM card used currently. The gateway switches to the main SIM card when the timeout period of the backup SIM card is reached.
• Network Type: specifies a network type for the SIM card. Options are Auto, 3G, 4G, and 2G. You can select a specific network type suitable for your gateway and SIM card or choose the auto mode, in which the gateway automatically registers to the suitable network.
• Profile: specifies the index of the dial-up parameter set.
• Roaming: enables the roaming function to allow the gateway to dial up in roaming state or disables the roaming function to prevent the gateway from dialing up in roaming state. When a local SIM card is used, its dial-up capability is not affected whether this option is selected or deselected.
• PIN code: specifies the personal identification number of the SIM card. If you enable PIN code but do not set a PIN code or set a wrong PIN code, the gateway cannot dial up. A valid PIN code enables the gateway to dial up to a network.
• Static IP: enables or disables the use of a static IP address. If you select this option, specify an IP address manually. Then, the gateway obtains the specified static IP address every time it dials up to a network.
• Connection Mode
  • Always Online: indicates that the gateway stays online when it is running properly and will be disconnected and redial up only if the dial-up interface does not transmit any traffic in 30 minutes. This is the default connection mode of the system.
  • On-demand Dial
    • Data Trigger: indicates that the gateway is offline by default and will dial up automatically when data is sent to the Internet.
  • Manual Dial: indicates that the network connection can be established or terminated by clicking Connect or Disconnect in the Status area.
• Redial Interval: specifies the period that the gateway waits before dialing up again.
• ICMP Probes
  • ICMP Detection Server: specifies the IP address or domain name of the remote ICMP server to be probed. (If two ICMP servers are enabled, it is recommended that you enter the IP addresses or domain names of both servers here.) The gateway supports two ICMP servers: a primary server and a backup server. After two servers are configured, the gateway probes the primary server first. It probes the secondary server only when the number of probe retries on the primary server reaches the maximum value. If both the servers fail to be detected, the gateway dials up again and starts a new round of ICMP probe.
  • ICMP Detection Interval: specifies the interval between ICMP probe packets sent from the gateway.
  • ICMP Detection Timeout: specifies the timeout period of an ICMP probe. If the gateway does not receive any ICMP Reply packet within this period, it considers that the ICMP probe times out.
  • ICMP Detection Max Retries: specifies the maximum number of retries after an ICMP probe failure. (The gateway dials up again when the number of retries reaches this value.)
  • ICMP Detection Strict: enables or disables the strict ICMP probe mode. In this mode, the gateway does not send ICMP probe packets when its dial-up interface is transmitting data traffic. It sends ICMP probe packets only when the dial-up interface is idle.
• Advanced Settings
  • Initial Commands: specifies some AT commands used to check the module status.
  • RSSI Poll Interval: specifies the interval at which the gateway checks the signal status after dialing up successfully. For example, the interval is set to 60s. If you remove the antennas after the gateway dials up successfully, the signal strength will remain unchanged in 60s and decrease 60s later. If the interval is set to 0, RSSI polling is disabled.
  • Dial Timeout: specifies the dial-up timeout period. If the gateway fails to dial up to a network within the timeout period, the dial-up times out. In this case, the gateway checks the module status and dials up to the network again.
  • MRU: specifies the maximum receive unit, which is expressed in bytes.
  • MTU: specifies the maximum transmit unit, which is expressed in bytes.
  • Use Default Asyncmap: enables or disables the default Asyncmap.
  • Use Peer DNS: enables or disables the use of the DNS server assigned in the connected network.
  • LCP Interval: specifies the interval at which the gateway checks whether the cellular connection is normal.
  • LCP Max Retries: specifies the maximum number of dial-up retries after the link connection is interrupted.
  • Infinitely Dial Retry: enables the gateway to retry unlimited times upon a dial-up failure.
  • Debug: enables display of more detailed system logs.
  • Expert Options: allows you to set command parameters.

3.3.1.2 Ethernet

The Ethernet page displays the configuration and status of Ethernet interfaces on the IG902. You can set Ethernet interface parameters or view details about the Ethernet interfaces on this page. Follow these steps to configure the Ethernet interfaces:

1. Choose Network > Network Interfaces > Ethernet to display the Ethernet page and click the Gigabitethernet 0/1 tab.
2. Select a network type for interface GE 0/1.
3. Select options or enter values for the parameters. For details about these parameters, see Ethernet parameter description.
4. Click Submit to complete the configuration of GE 0/1.
5. Choose Network > Network Interfaces > Ethernet to display the Ethernet page and click the Gigabitethernet 0/2 tab. (By default, GE 0/2 is a bridge interface. To configure this interface, you must remove gigabitethernet 0/2 from the Bridge page first.)
6. Select a network type for interface GE 0/2.
7. Select options or enter values for the parameters. For details about these parameters, see Ethernet parameter description.
8. Click Submit to complete the configuration of GE 0/2.

The following figure shows the configuration of GE 0/1, with Network Type set to DHCP.

The following figure shows the configuration of GE 0/1, with Network Type set to Static IP.

The following figure shows the configuration of GE 0/2, with Network Type set to Static IP.

The Ethernet parameters are described as follows:

• Network Type (Static IP by default)
  • Static IP: uses a manually configured IP address, matching subnet mask, and other information for the Ethernet interface.
  • Dynamic Address (DHCP): configures the interface as a DHCP client to obtain an IP address, the matching subnet mask, and other information through DHCP.
• Static IP mode
  • Primary IP: specifies the IP address of the Ethernet interface. By default, the IP address of GE 0/1 is 192.168.1.1, and the IP address of GE 0/2 is 192.168.2.1.
  • Netmask: specifies the subnet mask of the Ethernet interface.
  • MTU: specifies the maximum transmit unit, which is expressed in bytes. The default value is 1500.
  • Speed/Duplex, including:
    • Auto Negotiation
    • 1000M Full Duplex
    • 1000M Half Duplex
    • 100M Full Duplex
    • 100M Half Duplex
    • 10M Full Duplex
    • 10M Half Duplex
  • Track L2 State: enables or disables tracking of L2 interface status. After this feature is enabled, the interface is Down when it is not physically connected and is Up when it is physically connected. After this feature is disabled, the interface state is displayed as UP regardless of whether the interface is physically connected.
  • Shutdown: disables the interface.
  • Description: specifies the descriptive information that identifies the Ethernet interface.
  • Secondary IP Setting: allows you to set up to 10 secondary IP addresses in addition to the primary IP address.
• DHCP mode
  • Description: specifies the descriptive information that identifies the Ethernet interface.

3.3.1.3 WLAN

The WLAN page displays the WLAN configuration and status on the IG902. You can set WLAN parameters or view detailed WLAN status information on this page. Follow these steps to configure WLAN parameters:

1. Choose Network > Network Interfaces > WLAN to display the WLAN page.
2. Select Enable Wi-Fi, and then select options or enter values for the parameters. For details about these parameters, see WLAN parameter description.
3. Click Submit to complete the WLAN configuration.

The following figure shows the configuration of the gateway as a wireless access point (AP).

The following figure shows the configuration of the gateway as a wireless client.

The WLAN parameters are described as follows:

• Enable Wi-Fi: enables or disables the Wi-Fi service. After enabling the Wi-Fi service, you can set the basic parameters and security authentication options for the wireless network, so that users can connect to the Internet wirelessly.
• Station Role: specifies the working mode of the gateway, which can be client or AP.
• Client mode
  • Default Route: uses the default route. After you select this option, a wireless route is added automatically.
  • Client SSID: specifies the SSID of the network to be connected.
  • Auth Method: same as the authentication method used on the network to be connected.
  • Encrypt Mode: same as the encryption method used on the network to be connected.
  • WPA/WPA2 PSK Key: same as the key used on the network to be connected.
  • Network Type: same as the type of the network to be connected.
• AP mode
  • SSID Broadcast: enables SSID broadcasting to allow wireless clients to discover this SSID or disables SSID broadcasting to hide this SSID. When the SSID is hidden, beacon frames sent from the AP do not contain the SSID. In this case, a wireless client can connect to the AP only after the SSID is manually specified on the client.
  • AP Isolate: enables or disables client isolation on the AP. After this feature is enabled, the AP does not forward L2 packets between the clients connected to it.
  • Bridge: enables or disables bridging of the radio interface to the bridge interface.
  • Band: specifies the frequency band used by the AP. The gateway supports 2.4 GHz and 5 GHz bands.
  • Radio Type: specifies the radio type of the AP. The AP supports six radio types: 802.11g/n, 802.11g, 802.11n, 802.11b, 802.11b/g, and 802.11b/g/n.
    • 802.11b: works at the 2.4 GHz band, with the maximum rate of 11 Mbit/s.
    • 802.11g: works at the 2.4 GHz band, with the maximum rate of 54 Mbit/s.
    • 802.11n: works at the 2.4 GHz or 5 GHz band, with the maximum theoretical rate of 300 Mbit/s.
  • Channel: specifies a data transmission channel that uses wireless signals as the transmission medium. The AP provides 13 channels with different carrier frequencies.
    • The center frequency of channel 1 is 2.412 GHz.
    • The center frequency of channel 2 is 2.417 GHz.
    • The center frequency of channel 3 is 2.422 GHz.
    • The center frequency of channel 4 is 2.427 GHz.
    • The center frequency of channel 5 is 2.432 GHz.
    • The center frequency of channel 6 is 2.437 GHz.
    • The center frequency of channel 7 is 2.442 GHz.
    • The center frequency of channel 8 is 2.447GHz.
    • The center frequency of channel 9 is 2.452 GHz.
    • The center frequency of channel 10 is 2.457 GHz.
    • The center frequency of channel 11 is 2.462 GHz.
    • The center frequency of channel 12 is 2.467 GHz.
    • The center frequency of channel 13 is 2.472 GHz.
  • SSID: specifies the service set identifier of the AP. The SSID technology allows a WLAN to be divided into multiple sub-networks that require separate identity authentication. Users can connect to a sub-network only after passing the identity authentication of the sub-network. This prevents access from unauthorized users.
  • Auth Method: specifies the authentication method used by the AP. The AP supports five authentication methods: open authentication, shared key authentication, WPA-PSK, WPA2-PSK, and WPAPSK/WPA2PSK. The last three authentication methods are implemented by using encrypted data.
  • Encrypt Mode: specifies the encryption mode used for authentication. The AP supports TKIP and AES encryption modes.
  • WPA/WPA2 PSK Key: specifies the authentication key, which contains 8-63 characters.
  • Bandwidth: specifies the channel bandwidth on the working band of the AP. Options are 20MHz and 40MHz.
  • Stations Limit: specifies the maximum number of clients supported by the AP (a maximum of 128).
  • IP Address: specifies the IP address of the radio interface. (This parameter is unavailable after the bridge interface is enabled.)
  • Netmask: specifies the subnet mask of the radio interface. (This parameter is unavailable after the bridge interface is enabled.)

3.3.1.4 Bridge

The bridge interface is a logical, virtual interface on the IG902. You can bridge the radio interface with interface GE 0/2. (If Station Role is set to client on the WLAN page, the radio interface cannot be selected as a bridge member.) Follow these steps to configure the bridge interface:

1. Select members of the bridge interface.
2. Set parameters for the bridge interface. For details about these parameters, see bridge interface parameter description.
3. Click Submit to save the configuration.

As shown in the following figure, the radio interface is bridged with interface GE 0/2.

The bridge interface parameters are described as follows:

• Primary IP: specifies the primary IP address of the bridge interface.
• Netmask: specifies the subnet mask of the bridge interface.
• Secondary IP Setting: allows you to set up to 10 secondary IP addresses in addition to the primary IP address.
• Bridge Member
  • dot11radio 1: specifies the radio interface.
  • gigabitethernet 0/2: specifies interface GE 0/2.

3.3.1.5 Loopback

The loopback interface is a logical, virtual interface on the IG902. After you create and configure the loopback interface, you can ping its IP address or set up a Telnet connection to it to test the network connectivity. You can set or view loopback interface parameters on the Loopback page. Follow these steps to configure the loopback interface:

1. Choose Network > Network Interfaces > Loopback to display the Loopback page. You can set or view loopback interface parameters on this page.
2. Click the Add icon in the table under Secondary IP Setting to add a secondary IP address for the loopback interface. (The default IP address is 127.0.0.1.)
3. Enter the secondary IP address and subnet mask.
4. Click Submit to complete the configuration of the loopback interface.

As shown in the following figure, a secondary IP address 127.0.0.2 is set for the loopback interface.

Caution: You can set a maximum of 10 secondary IP addresses for the loopback interface.

3.3.2.1 DHCP

3.3.2.2 DNS

A domain name system (DNS) is a distributed database used for TCP/IP applications and provides translation between domain names and IP addresses. DNS allows users to access some applications by using easy-to-remember, meaningful domain names, which are then translated into the correct IP addresses by a DNS server on the network. You can configure a DNS server and the DNS relay service and view the configuration on the DNS page.

• Follow these steps to configure a DNS server:

  1. Choose Network > Network Services > DNS to display the DNS page.
  2. Enter the IP address of the DNS server.
  3. Click Submit to apply the configuration.

  The following figure shows the DNS server configuration.

  

• Follow these steps to configure the DNS relay service:

  1. Choose Network > Network Services > DNS to display the DNS page.
  2. Enable the DNS relay service. The DNS relay service cannot be disabled when the DHCP server feature is enabled.
  3. Click the Add icon to add a [domain name <=> IP address] pair.
  4. Enter the domain name or IP address of a host and specify the matching IP address.
  5. Click OK to save the configuration, and then click Submit to apply the configuration.

  The following figure shows the configuration of the DNS relay service.

  

3.3.2.3 GPS

On the GPS page, you can enable or disable the GPS service, view the IG902 location information, and configure IP forwarding and serial forwarding for GPS. The IG902 can act as a GPS client or server for IP forwarding. Choose Network > Network Services > GPS to display the GPS page.

Follow these steps to configure GPS forwarding:

1. In the Configure area, select Enable GPS.
2. Select Enable under GPS IP Forwarding or GPS Serial Forwarding.
3. Configure the parameters. For details about these parameters, see GPS IP forwarding parameter description and GPS serial forwarding parameter description. (The GPS serial forwarding and DTU features cannot be used at the same time. Therefore, you must disable DTU before enabling GPS serial forwarding.)
4. Click Submit to save the configuration.

The following figure shows the configuration of GPS IP forwarding.

The following figure shows the configuration of GPS serial forwarding.

The parameters of GPS IP forwarding are described as follows:

• Enable: enables or disables GPS IP forwarding.
• Type: specifies the type of GPS IP forwarding.
  • Client
    • Transmit Protocol: specifies the transmission protocol used. Options are TCP and UDP.
    • Connection Type: specifies the type of the transmission connection. Options are Long-Lived and Short-Lived. The setting must be the same as that on the server.
    • Keepalive Interval: specifies the interval at which the gateway sends heartbeat packets over the TCP connection established.
    • Keepalive Retry: specifies the number of heartbeat packet retransmissions upon a heartbeat timeout. If the heartbeat does not resume after heartbeat packets are retransmitted for the specified number of times, the gateway terminates the TCP connection.
    • Min Reconnect Interval: specifies the connection interval at the beginning of TCP connection setup. The interval increases every 30 seconds until it reaches the maximum value.
    • Max Reconnect Interval: specifies the maximum retry interval for TCP connection setup.
    • Source Interface: specifies the interface of which the IP address is used by the gateway to establish a TCP connection to the server.
    • Reporting Interval: specifies the interval at which the gateway reports GPS data.
    • Include RMC: specifies whether the GPS data sent from the gateway includes PMC data.
    • Include GSA: specifies whether the GPS data sent from the gateway includes GSA data.
    • Include GGA: specifies whether the GPS data sent from the gateway includes GGA data.
    • Include GSV: specifies whether the GPS data sent from the gateway includes GSV data.
    • Message Prefix: specifies the user-defined content in the headers of GPS messages sent from the gateway.
    • Message Suffix: specifies the user-defined content at the end of GPS messages sent from the gateway.
  • Server
    • Connection Type: specifies the type of the transmission connection. Options are Long-Lived and Short-Lived. The connection type must be the same as that on the client.
    • Keepalive Interval: specifies the interval at which the gateway sends heartbeat packets over the TCP connection established.
    • Keepalive Retry: specifies the number of heartbeat packet retransmissions upon a heartbeat timeout. If the heartbeat does not resume after heartbeat packets are retransmitted for the specified number of times, the gateway terminates the TCP connection.
    • Local Port: specifies the service port number used by the gateway when it serves as a TCP server.
    • Reporting Interval: specifies the interval at which the gateway reports GPS data.
    • Include RMC: specifies whether the GPS data sent from the gateway includes PMC data.
    • Include GSA: specifies whether the GPS data sent from the gateway includes GSA data.
    • Include GGA: specifies whether the GPS data sent from the gateway includes GGA data.
    • Include GSV: specifies whether the GPS data sent from the gateway includes GSV data.
    • Message Prefix: specifies the user-defined content in the headers of GPS messages sent from the gateway.
    • Message Suffix: specifies the user-defined content at the end of GPS messages sent from the gateway.

Parameters of GPS serial forwarding are described as follows:

• Enable: enables or disables GPS serial forwarding.
• Serial Type: same as that on the remote end (RS232 or RS485).
• Baudrate: same as that on the remote end.
• Data Bits: same as that on the remote end.
• Parity: same as that on the remote end.
• Stop Bit: same as that on the remote end.
• Software Flow Control: enables or disables software flow control.
• Include RMC: specifies whether the GPS data sent from the gateway includes PMC data.
• Include GSA: specifies whether the GPS data sent from the gateway includes GSA data.
• Include GGA: specifies whether the GPS data sent from the gateway includes GGA data.
• Include GSV: specifies whether the GPS data sent from the gateway includes GSV data.

3.3.2.4 Host List

You can view information about hosts connected to the IG902 on the Host List page. Choose Network > Network Services > Host List to display the Host List page, as shown in the following figure.

3.3.3.1 Routing Status

Choose Network > Routing > Routing Status to display the Routing Status page. This page displays information about static routes configured on the IG902, as shown in the following figure.

3.3.3.2 Static Routing

You can configure static routes on the Static Routing page. Then, packets sent to a specific destination are forwarded through the specified route. (Generally, you do not need to configure static routes.) Follow these steps to configure a static route:

1. Choose Network > Routing > Static Routing to display the Static Routing page.
2. Click the Add icon to add a static route.
3. Set the parameters. For details about these parameters, see static routing parameter description.
4. Click OK to save the configuration, and then click Submit to apply the configuration.

The following figure shows the configuration of a static route.

Parameters of a static route are described as follows:

• Destination: specifies the destination IP address to which packets are sent.
• Netmask: specifies the subnet mask of the destination IP address.
• Interface: specifies the interface through which data packets are forwarded to the destination network.
• Gateway: specifies the IP address of the next router that data packets pass through before reaching the destination IP address.
• Distance: specifies the priority of the route. A smaller value indicates a higher priority.
• Track ID: specifies the track index or ID.
  

3.3.4.1 ACL

An access control list (ACL) permits or denies specified data flows (such as the data flow from a specified source IP address or account) based on a series of matching rules to filter the data reaching a network interface. You can configure a data filtering policy for a network interface on the ACL page. The configuration procedure is as follows:

1. Choose Network > Firewall > ACL to display the ACL page.
2. Click the Add icon under Access Control Policy to add an access control policy.
3. Set the parameters. For details about these parameters, see access control policy parameter description.
4. Click the Add or Edit icon under ACL to add an access control list on a specified interface.
5. Set the parameters. For details about these parameters, see access control list parameter description.
6. Click OK to save the configuration, and then click Submit to apply the configuration.

The following figure shows the configuration of a standard access control policy.

The following figure shows the configuration of an extended access control policy.

The following figure shows the configuration of an access control list.

• Parameters of a standard access control policy are described as follows:
  • ID: specifies the ID of an ACL rule, in the range of 1-99. A smaller value indicates a higher priority of the rule.
  • Sequence Number: specifies the sequence number of the ACL rule. A smaller value indicates a higher priority of the rule.
  • Action: permits or denies forwarding of matching packets.
  • Source IP: specifies the source IP address of packets in the ACL rule. If this field is kept blank, the rule matches packets from all networks.
  • Source Wildcard: specifies the wildcard mask of the source IP address in the ACL rule.
  • Log: enables or disables recording of access control logs.
  • Description: records meanings of access control parameters.
• Parameters of an extended access control policy are described as follows:
  • ID: specifies the ID of an ACL rule, in the range of 100-199. A smaller value indicates a higher priority of the rule.
  • Sequence Number: specifies the sequence number of the ACL rule. A smaller value indicates a higher priority of the rule.
  • Action: permits or denies forwarding of matching packets.
  • Protocol: specifies the access control protocol.
  • Source IP: specifies the source IP address of packets in the ACL rule. If this field is kept blank, the rule matches packets from all networks.
  • Source Wildcard: specifies the wildcard mask of the source IP address in the ACL rule.
  • Source Port: specifies the source port number of packets. The value any indicates that TCP/UDP packets with any source ports match the rule. This parameter is available only when the TCP or UDP protocol is selected.
  • Destination IP: specifies the destination IP address of packets in the ACL rule. If this field is kept blank, the rule matches packets destined for all networks.
  • Destination Wildcard: specifies the wildcard mask of the destination IP address in the ACL rule.
  • Destination Port: specifies the destination port number of packets. The value any indicates that TCP/UDP packets with any destination ports match the rule. This parameter is available only when the TCP or UDP protocol is selected.
  • Established Connection: specifies the range of TCP packets controlled. If this option is selected, the system controls TCP packets on established connections and does not control those on unestablished connections. If this option is deselected, the system controls TCP packets on both established and unestablished connections. This parameter is available only when the TCP protocol is selected.
  • Fragments: enables or disables control of fragmented data packets sent from the interface.
  • Log: enables or disables recording of access control logs.
  • Description: records meanings of access control parameters.

• Parameters of an access control list are described as follows:
  • Interface: specifies the name of the interface on which the access control policy is configured.
  • Rule: specifies the inbound, outbound, and administrative rules.

3.3.4.2 NAT

Network address translation (NAT) allows multiple hosts in a LAN to connect to the Internet by using one or multiple public IP addresses. This feature maps a few public IP addresses to many private IP addresses to conserve public IP addresses. You can view and configure NAT rules on the NAT page. The configuration procedure is as follows:

1. Choose Network > Firewall > NAT to display the NAT page.
2. Select an interface from the Interface drop-down list.
3. Click the Add icon under Network Address Translation (NAT) Rules to add an NAT rule and set parameters for the rule. For details about these parameters, see NAT rule parameter description.
4. Click OK to save the configuration, and then click Submit to apply the configuration.

As shown in the following figure, the NAT rule allows hosts connected to the IG902 to connect to the Internet by using the IP address of interface GE 0/2.

Parameters of the NAT rule are described as follows:

• Action
  • SNAT: uses the source network address translation feature that translates source IP addresses of data packets into another IP address. Generally, this feature is used for data packets sent to the Internet through the router.
  • DNAT: uses the destination network address translation feature that translates destination IP addresses of data packets into another IP address. Generally, this feature is used for data packets sent to the private network through the router.
  • 1:1NAT: uses one-to-one IP address translation.
• Source Network (available when the action is set to SNAT or DNAT):
  • Inside: translates private IP addresses.
  • Outside: translates public IP addresses.
• Translation Type, which can be:
  • IP to IP
  • IP to INTERFACE
  • IP PORT to IP PORT
  • ACL to INTERFACE
  • ACL to IP
• Access Control List (unavailable for 1:1 NAT): specifies the ACL rule used to match the packets of which the IP addresses are translated.
• Translated Address (unavailable for 1:1 NAT): specifies the IP address or interface translated from the source address.
• Description: specifies the description of the NAT rule.
  

4.1.2.1 Radius

The RADIUS protocol uses the client/server (C/S) model. A network access server (NAS) is a RADIUS client that transmits user authentication information to a specified RADIUS server and processes the response packets received from the RADIUS server. The RADIUS server receives users’ access requests, authenticates their identities, and sends the required configuration information for users to the client. All data transmitted between the server and client is verified using a shared key. The client and server encrypt user passwords before transmitting them to each other, ensuring the security of passwords. The RADIUS service uses UDP as the transmission protocol and is often used in network environments that require high security and allow remote access.

The RADIUS parameters are described as follows:

• Server: specifies the domain name or IP address of a RADIUS server. You can set a maximum of 10 RADIUS servers.
• Port: specifies the service port number of the RADIUS server.
• Key: specifies the authentication key to be verified before a connection can be established to the RADIUS server. A client can establish a connection to the RADIUS server only if its authentication key is the same as that set on the RADIUS server.
• Source Interface: specifies the source interface of RADIUS packets.

4.1.2.2 Tacacs+

The Terminal Access Controller Access Control System Plus (TACACS+) protocol is a security protocol that enhances functions of the TACACS protocol. This protocol provides functions similarly to RADIUS and uses the client/server model for communication between the NAS and TACACS+ server. TACACS+ supports independent authentication, authorization, and accounting.

The TACACS+ parameters are described as follows:

• Server: specifies the domain name or IP address of a TACACS+ server. You can set a maximum of 10 TACACS+ servers.
• Port: specifies the service port number of the TACACS+ server.
• Key: specifies the authentication key to be verified before a connection can be established to the TACACS+ server. A client can establish a connection to the TACACS+ server only if its authentication key is the same as that set on the TACACS+ server.

4.1.2.3 LDAP

The Lightweight Directory Access Protocol (LDAP) is based on the X.500 standard but is much simpler and is customizable. Unlike X.500, LDAP supports TCP/IP. In simple words, LDAP provides centralized management of user access, authentication, and authorization. This protocol is easy to customize and supports centralized management of users and user groups, centralized information storage, setting of security and access control policies, security delegation reading, change of user rights, and other related functions.

The LDAP parameters are described as follows:

• Name: specifies the name of a user-defined server list.
• Server: specifies the domain name or IP address of an LDAP server. You can set a maximum of 10 LDAP servers.
• Port: specifies the port number of the LDAP server.
• Base DN: specifies the top of the LDAP directory tree.
• Username: specifies the user name used to access the LDAP server.
• Password: specifies the password used to access the LDAP server.
• Security: specifies the encryption mode. Three options are available: None, SSL, and StartTLS.
• Verify Peer: enables or disables peer authentication.

4.1.2.4 AAA Settings

The IG902 supports the following authentication methods:

• Non-authentication (none): Users are fully trusted, and their identities are not verified. Generally, this method is not used.
• Local authentication (local): User information is configured on an NAS. Local authentication is fast and reduces the operation cost, but the amount of user information stored is limited by the hardware capacity.
• Remote authentication (LDAP): User information is configured on an authentication server. Remote authentication can be implemented by using the RADIUS, TACACS+, or LDAP.

The IG902 supports the following authorization methods:

• Non-authorization (none): Authorization is not performed for users.
• Local authorization (local): Users are authorized based on the attributes of local accounts configured on the NAS.
• TACACS+ authorization: Users are authorized by a TACACS+ server.
• Authorization after RADIUS authentication: Authentication and authorization are bound together, and RADIUS authentication cannot be performed separately.
• LDAP authorization

Caution: Authentication method 1 must be consistent with authorization method 1. Authentication method 2 must be consistent with authorization method 2. Authentication method 3 must be consistent with authorization method 3.

4.3.2.1 RIP

The RIP protocol is applicable to small-sized networks. It measures the distance to a destination by hop count, which is called metric. The number of hops from a router to a directly connected network is 0, and the number of hops to a network reachable through another router is 1. That is, the hop count increases with the number of intermediate routers. To limit the convergence time, RIP defines a metric range of 0-15. A hop count of 16 or larger is considered infinite, indicating that the destination network or host is unreachable. To improve the routing performance and prevent routing loops, RIP provides the split horizon feature. RIP can also import routing information learned by other routing protocols.

The RIP parameters are described as follows:

• Enable: enables or disables RIP.
• Update Timer: specifies the interval at which the router sends route updates. The valid value range is 5-2147483647, and the unit is second.
• Timeout Timer: specifies the aging time of a route. If the router does not receive any Update packet for a route within the aging time, it sets the metric of this route to 16 in the routing table. The valid value range is 5-2147483647, and the unit is second.
• Garbage Collection Timer: specifies the amount of time before a route is removed from the routing table after its metric is set to 16. Within the garbage collection period, RIP sends Update packets for this route with the metric of 16. If the route is not updated when the garbage collection timer expires, the route is permanently removed from the routing table. The valid value range is 5-2147483647.
• Version: specifies the version of the RIP protocol. Options are Default, v1, and v2.
• Network: specifies the first IP address in a network segment and the matching subnet mask.
• Advanced Options
  • Default-Information Originate: enables or disables advertisement of default routing information.
  • Default Metric: specifies the default cost from the local router to the destination. The valid value range is 1-16. The value 16 indicates that the destination is unreachable.
  • Redistribute Connected: enables or disables direct route redistribution to RIP.
    • Metric: specifies the metric of the redistributed direct route after direct route redistribution is enabled. The valid value range is 0-16.
  • Redistribute Static: enables or disables static route redistribution to RIP.
    • Metric: specifies the metric of the redistributed static route after static route redistribution is enabled. The valid value range is 0-16.
  • Redistribute OSPF: enables or disables OSPF route redistribution to RIP.Metric: specifies the metric of redistributed OSPF routes after OSPF route redistribution is enabled. The valid value range is 0-16.
  • Distance/Metric Management:
    • Distance: specifies the administrative distance of a route learned by RIP.
    • IP Address: specifies the destination IP address of the RIP route.
    • Netmask: specifies the subnet mask of the RIP route.
    • ACL Name: specifies an access control list used for route redistribution.
    • Metric: changes the metric of the route sent from or received on an interface.
    • Policy In/Out: specifies the direction to which the route filtering policy is applied. Options are In and Out.
      • In: applies the access control list to incoming traffic.
      • Out: applies the access control list to outgoing traffic.
    • Interface: specifies the interface to which the route filtering policy is applied.
    • ACL Name: specifies the name of the access control list referenced in the route filtering policy.
  • Filter Policy
    • Policy Type: specifies the type of the route filtering policy. Options are access-list and prefix-list.
    • Policy Name: specifies the name of the prefix list.
    • Policy In/Out: specifies the direction to which the route filtering policy is applied. Options are In and Out.
    • Interface: specifies the interface to which the route filtering policy is applied.
    • Filter Out (Permit Default Route-Interface): allows only transmission to the default router interface.
  • Passive Interface: specifies an interface as the passive interface.
  • Interface
    • Interface: specifies an interface.
    • Send Version: specifies the RIP version of packets sent from the interface. Options are Default, v1, and v2.
    • Receive Version: specifies the RIP version of packets accepted on the interface. Options are Default, v1, and v2.
    • Split Horizon & Poisoned Reverse: Options are split-horizon and disabled.
    • Authentication Mode: specifies the authentication method used on the interface. Options are text and md5.
    • Key: specifies the authentication key used for RIPv2 packet exchange.
  • Neighbor: specifies the IP address of a RIP neighbor.
• Network
  • IP Address: specifies the interface’s IP address to be advertised by RIP.
  • Netmask: specifies the interface’s subnet mask to be advertised by RIP.

4.3.2.2 OSPF

The Open Shortest Path First (OSPF) protocol is a link state-based interior gateway protocol developed by the IETF.The OSPF parameters are described as follows:

• Enable: enables or disables OSPF.
• Router ID: specifies the ID of the LSA-originating router.
• Route Advanced Options
  • ABR Type: specifies the type of the area border router. Options are cisco, ibm, standard, and shortcut.
  • RFC1583 Compatibility: enables or disables compatibility with RFC1583.
  • OSPF Opaque-LSA: enables or disables OSPF Opaque LSAs.
  • SPF Delay Time: specifies the delay before OSPF SPF computation. The valid value range is 0-600000, and the unit is millisecond.
  • SPF Initial-holdtime: specifies the initial SPF holding time. The valid value range is 0-600000, and the unit is millisecond.
  • SPF Max-holdtime: specifies the maximum SPF holding time. The valid value range is 0-600000, and the unit is millisecond.
  • Reference Bandwidth: The valid value range is 1-4294967, and the unit is Mbit.
• Interface
  • Interface: specifies the interface on which the OSPF parameters are configured.
  • Network: specifies the type of the OSPF network. Options are Broadcast, NBMA, Point-to-Multipoint, and Point-to-Point.
  • Hello Interval: specifies the interval between Hello packets sent from the interface. Two neighboring routers cannot establish a neighbor relationship if they send Hello packets at different intervals. The valid value range is 1-65535.
  • Dead Interval: specifies the timeout period of a neighbor. If the router does not receive any Hello packet from a neighbor within this period, it considers the neighbor invalid. Two neighboring routers cannot establish a neighbor relationship if they have different Dead intervals. The valid value range is 1-65535.
  • Retransmit Interval: specifies the LSA retransmission interval. After the router advertises an LSA to a neighbor, it waits for the Ack packet from the neighbor. If the router does not receive an Ack packet from the neighbor within the retransmission interval, it retransmits the LSA. The valid value range is 3-65535.
  • Transmit Delay: specifies the delay time added to the LSA aging time (Age field) before the LSA is sent. This time is added because it takes some time to transmit OSPF packets on a link. This parameter is especially significant on a low-speed link. The valid value range is 1-65535.
  • Interface Advanced Options
    • Interface: specifies an interface.
    • Passive Interface: allows the interface to receive OSPF packets only and disables it from sending OSPF packets.
    • Cost: specifies the cost of OSPF on the interface. By default, the OSPF cost is calculated automatically based on the interface bandwidth.
    • Priority: specifies the priority of OSPF on the interface.
    • Authentication: specifies the authentication method used in the OSPF area. If you select simple authentication, you need to set a password for simple authentication and confirm the password. If you select MD5 authentication, you need to set an MD5 key and a password and confirm the password.
    • Key ID: specifies the ID of the key for MD5 authentication. This parameter takes effect only for MD5 authentication. The valid value range is 1-255.
    • Key: specifies the authentication key used for OSPF packet exchange.
• Network
  • IP Address: specifies the IP address of the local network.
  • Netmask: specifies the subnet mask of the local network address.
  • Area ID: specifies the ID of the area where the LSA originating router is located.
• Area
  • Area ID: specifies the ID of an OSPF area.
  • Area: configures the OSPF area as a stub or NSSA area. The backbone area (with the ID of 0.0.0.0) cannot be configured as a stub or NSSA area.
  • No Summary: disables the route summarization function that aggregates multiple routes into one broadcast LSA. The result and biggest advantage of route summarization is a smaller routing table.
  • Authentication: specifies the authentication method used for OSPF packets. Options are simple, password, and md5.
  • Area Advanced Options - Area Range
    • Area ID: specifies the ID of the area where the OSPF-enabled interface is located.
    • IP Address: specifies the network segment where the interface is located.
    • Netmask: specifies the subnet mask of the network segment where the interface is located.
    • Not Advertise: disables advertisement of intra-area routing information to other areas.
    • Cost: specifies the OSPF cost on the interface. The valid value range is 0-16777215.
  • Area Advanced Options - Area Filter
    • Area ID: specifies the ID of the OSPF area to which the filtering policy is applied.
    • Filter Type: specifies the mode of route filtering. Options are import, export, filter-in, and filter-out.
    • ACL Name: specifies the name of the access control list used to filter routes. Only the routes allowed by the access control list can take effect.
  • Area Advanced Options - Area Virtual Link
    • Area ID: specifies the ID of an OSPF area.
    • ABR Address: specifies the interface address that the ABR uses to connect to the area. An ABR is a router that connects multiple areas.
    • Authentication: specifies the authentication method used for OSPF packets. Options are simple, password, and md5.
    • Key ID: specifies the ID of the key for MD5 authentication. This parameter takes effect only for MD5 authentication. The valid value range is 1-255.
    • Key: specifies the authentication key used for OSPF packet exchange.
    • Hello Interval: specifies the interval between Hello packets sent from the interface. The valid value range is 1-65535.
    • Dead Interval: specifies the timeout period of a neighbor. If the router does not receive any Hello packet from a neighbor within this period, it considers the neighbor invalid. The valid value range is 1-65535.
    • Retransmit Interval: specifies the interval at which the router retransmits an SLA after the LSA fails to get a response. The valid value range is 1-65535.
    • Transmit Delay: specifies the delay time before LSA transmission. The valid value range is 1-65535.
• Redistribution
  • Redistribution Type: specifies the type of redistributed routes. Options are connected, static, and rip.
  • Metric: specifies the metric of the redistributed route advertised by the router.
  • Metric Type: specifies the type of external routes imported to the OSPF routing table.
    • 1: indicates Type-1 external routes that are highly reliable. For OSPF, cost of a calculated external route is equivalent to the cost of an intra-AS route and is comparable with the cost of an OSPF route. That is, the cost of a Type-1 external route is the sum of the cost from the local router to the corresponding autonomous system boundary router (ASBR) and the cost from the ASBR to the destination address of the external route.
    • 2: indicates Type-2 external routes that are less reliable. For OSPF, the cost of a route from the ASBR to outside the AS is much larger than the cost of an intra-AS route to the ASBR. Therefore, in OSPF route cost calculation, only the cost from the ASBR to outside the AS is considered. That is, the cost of a Type-2 external route is equal to the cost from the ASBR to the destination IP address of the external route.
  • Route Map: This parameter is not configurable currently.
  • Redistribution Advanced Options
    • Always Redistribute Default Route: enables the router to advertise the redistributed default route after startup.
    • Redistribute Default Route Metric: specifies the metric of the redistributed default route advertised by the router.
    • Redistribute Default Route Metric Type: 1 or 2.
    • Default Metric: specifies the default metric used for route redistribution.
    • Distance Management
      • Area Type: specifies the route type. Options are inter-area or external.
      • Distance: specifies the distance of OSPF routes that can be learned in the area.

4.3.2.3 Filtering Route

The parameters of a route filtering policy are described as follows:

• Access Control List
  • ACL Name: specifies the name of an access control list.
  • Action: specifies the action taken on matching packets. Options are permit and deny.
  • Any Address: removes the need to match IP addresses and subnet masks.
  • IP Address: specifies a destination IP address.
  • Netmask: specifies the subnet mask of the IP address.
• IP Prefix-list
  • Prefix-list Name: specifies the name of a prefix list.
  • Sequence Number: specifies the sequence number of a rule in the prefix list. A prefix list can contain multiple rules.
  • Action: specifies the action taken on matching packets. Options are permit and deny.
  • Any Address: removes the need to set the IP address, subnet masks, grand equal prefix length, and less equal prefix length.
  • IP Address: specifies a destination IP address.
  • Netmask: specifies the subnet mask of the IP address.
  • Grand Equal Prefix Length: specifies the network portion length in the subnet mask that determines the minimum IP address in the subnet. The valid value range is 0-32.
  • Less Equal Prefix Length: specifies the network portion length in the subnet mask that determines the maximum IP address in the subnet. The valid value range is 0-32.
    

4.3.3.1 Basic Settings

On the Basic tab page, you can specify a multicast data source. The basic parameters are described as follows:

• Enable: enables or disables multicast routing.
• Source: specifies the IP address of the data source.
• Netmask: specifies the subnet mask of the source IP address.
• Interface: specifies the interface connected to the data source.

4.3.3.2 IGMP

The Internet Group Management Protocol (IGMP) is a multicast protocol in the IP protocol suite, and is used by IP hosts to report their group membership to any immediately neighboring router. This protocol defines the model of multicast communication between hosts on different network segments. Routers on these network segments must support multicast communication. IGMP establishes and maintains multicast group memberships between IP hosts and immediately neighboring multicast routers. It defines how the group memberships of hosts on a network segment are maintained on a multicast router.The IGMP parameters are described as follows:

• Upstream Interface: specifies the interface connected to the upstream network device.
• Downstream Interface List
  • Downstream Interface: specifies the interface connected to a downstream terminal.
  • Upstream Interface: specifies the interface connected to the upstream network device.

4.4.1.1 IPsec Setting

The IPsec parameters are described as follows:

• IKEv1 Policy
  • ID: specifies the ID of an IKEv1 policy.
  • Encryption: specifies the algorithm used to encrypt plain text. Options are 3DES, DES, AES128, AES192, and AES256.
    • 3DES: uses three 64-bit DES keys to encrypt plain text.
    • DES: uses a 64-bit key to encrypt a 64-bit plain-text block.
    • AES: uses a 128-bit, 192-bit, or 256-bit key to encrypt plain text.
  • Hash: specifies the hash algorithm used in the policy. Options are MD5, SHA1, SHA2-256, SHA2-384, and SHA2-512.
    • MD5: generates a 128-bit message digest for a message of any length.
    • SHA1: generates a 160-bit message digest for a message of a length less than 128 bits.
    • SHA2-256: generates a 256-bit message digest.
    • SHA2-384: generates a 384-bit message digest.
    • SHA2-512: generates a 512-bit message digest.
  • Diffie-Hellman Group: specifies the Diffie-Hellman algorithm, an open key algorithm. Two parties calculate a shared key based on the data exchanged between them, without transmitting the key to each other. To encrypt data sent to each other, the two parties must have a shared key. The essence of Internet Key Exchange (IKE) is that the communication parties never transmit the key over an insecure network. Instead, they exchange a series of data to calculate a shared key. Other parties (such as hackers) cannot calculate the key even if they intercept all the data exchanged for key calculation.
  • Lifetime: specifies the lifetime of the IKE security association (SA). The two parties negotiate another SA to replace the old one before the lifetime expires.
• IKEv2 Policy
  • ID: specifies the ID of an IKEv2 policy.
  • Encryption: specifies the algorithm used to encrypt plain text. Options are 3DES, DES, AES128, AES192, and AES256.
    • 3DES: uses three 64-bit DES keys to encrypt plain text.
    • DES: uses a 64-bit key to encrypt a 64-bit plain-text block.
    • AES: uses a 128-bit, 192-bit, or 256-bit key to encrypt plain text.
  • Integrity: specifies the algorithm used to check data integrity. Options are MD5, SHA1, SHA2-256, SHA2-384, and SHA2-512.
    • MD5: generates a 128-bit message digest for a message of any length.
    • SHA1: generates a 160-bit message digest for a message of a length less than 128 bits.
    • SHA2-256: generates a 256-bit message digest.
    • SHA2-384: generates a 384-bit message digest.
    • SHA2-512: generates a 512-bit message digest.
  • Diffie-Hellman Group: specifies the Diffie-Hellman algorithm, an open key algorithm. Two parties calculate a shared key based on the data exchanged between them, without transmitting the key to each other. To encrypt data sent to each other, the two parties must have a shared key. The essence of IKE is that the communication parties never transmit the key over an insecure network. Instead, they exchange a series of data to calculate a shared key. Other parties (such as hackers) cannot calculate the key even if they intercept all the data exchanged for key calculation.
  • Lifetime: specifies the lifetime of the IKE SA. The two parties negotiate another SA to replace the old one before the lifetime expires.
• IPsec Policy
  • Name: specifies the name of the IPsec policy. This parameter cannot be changed after the IPsec policy is configured successfully.
  • Encapsulation: specifies the encapsulation protocol used for IP packets. The Authentication Header (AH) protocol defines an authentication method to authenticate data sources and ensure data integrity. The Encapsulating Security Payload (ESP) protocol defines encryption and authentication (optional) methods to ensure data reliability.
    • AH: provides data source authentication, data integrity check, and packet anti-replay. The sender uses a hash algorithm to calculate a digest field for an IP packet based on the fixed fields in the IP header and the IP payload. The receiver calculates the digest for the received IP packet and compares it with the digest field carried in the packet to determine whether the packet has been tampered with during transmission on the network.
    • ESP: provides all functions of the AH protocol and encrypts payload of IP packets. The ESP protocol can protect data in IP headers of IP packets.
  • Authentication: specifies the algorithm used for authentication. Options are MD5, SHA1, SHA2-256, SHA2-384, and SHA2-512.
    • MD5: generates a 128-bit message digest for a message of any length.
    • SHA1: generates a 160-bit message digest for a message of a length less than 128 bits.
    • SHA2-256: generates a 256-bit message digest.
    • SHA2-384: generates a 384-bit message digest.
    • SHA2-512: generates a 512-bit message digest.
  • IPsec Mode: specifies the IPsec encapsulation mode.
    • Tunnel Mode: adds an IPsec header (AH or ESP) outside the original IP header and adds a new IP header at the outermost layer. Then, the original IP packet is protected by IPsec as a part of payload. The tunnel mode is generally used between two security gateways. The packets encrypted by one security gateway can only be decrypted by the peer security gateway.
    • Transport Mode: inserts an IPsec header (AH or ESP) between the IP header and upper-layer protocol header. This mode retains the original IP header but changes the IP protocol field to AH or ESP, and calculates a new checksum for the IP header. The transport mode is applicable to communication between two hosts or between a host and a security gateway.
• IPsec Tunnels
  • Basic Parameters
    • Destination Address: specifies the IP address or domain name of the IKE peer. (Set this parameter to 0.0.0.0 when the IG902 acts as a server.)
    • Map Interface: specifies the interface to which the IPsec policy is applied.
    • IKE Version: specifies the version of the IKE protocol. Options are IKEv1 and IKEv2.
    • IKEv1 Policy: specifies a policy ID defined in the IKEv1 policy list.
    • IKEv2 Policy: specifies a policy ID defined in the IKEv2 policy list.
    • IPsec Policy: specifies a policy ID defined in the IPsec policy list.
    • Authentication Type: specifies the authentication method used for the IPsec tunnel. Shared key authentication and digital certificate authentication are supported.
      • Shared Key: specifies the shared key used for authentication.
      • Digital Certificate: specifies the digital certificate used for authentication. You need to import a valid certificate on the certificate management page.
    • Negotiation Mode: specifies the mode of IKEv1 negotiation.
      • Main Mode: separates key exchange information from the identity information. This mode protects identity information to enhance the security.
      • Aggressive Mode: does not provide identity authentication but meets requirements of some special network environments. The aggressive mode can be used when the address of the tunnel initiator cannot be obtained in advance or keeps changing, but both parties want to establish an IKE SA by using a pre-shared key.
    • Local Subnet: specifies the source network of the interested flow defined for the IPsec tunnel.
    • Remote Subnet: specifies the destination network of the interested flow defined for the IPsec tunnel.
  • IKE Advance (Phase 1)
    • Local ID: specifies the type of the local device’s identifier for IKE negotiation.
      • IP Address: specifies the peer IP address used to establish the IPsec interface.
      • FQDN: specifies the character string used as the identifier of the local device.
      • User FQDN: specifies the fully qualified domain name used as the identifier of the local device.
    • Remote ID: specifies the type of the peer device’s identifier for IKE negotiation.
      • IP Address: specifies the interface IP address that the local device uses to complete IKE negotiation and exchange identity information with the peer device.
      • FQDN: specifies the identifier string that the peer devices used for IKE negotiation. The value must be the same as that set on the peer device.
      • User FQDN: specifies the fully qualified domain name used as the identifier of the peer device. The value must be the same as that set on the peer device.
    • IKE Keepalive (DPD): enables or disables dead peer detection (DPD).
      • DPD Timeout: specifies the timeout period of a DPD probe. After the receiving end triggers a DPD probe by sending a DPD request to the peer, it waits for a DPD response. If no DPD response is received from the peer, it deletes the IPsec SA. The valid value range is 10-3600, and the unit is second.
      • DPD Interval: specifies the IPsec neighbor detection interval. After DPD is enabled, the receiving end can trigger a DPD probe if it does not receive any IPsec-encrypted packets from the peer within the DPD interval. In this case, the receiving end sends a DPD request to check whether the IKE peer is available. The valid value range is 10-3600, and the unit is second.
    • XAUTH: specifies the XAUTH user name and password.
  • IPsec Advance (Phase 2)
    • PFS: enables or disables Perfect Forward Secrecy (PFS), a feature that ensures security of other keys when a key is encrypted, because these keys are not derived from one another. The key used in phase-2 IPsec negotiation is derived from the key generated in phase 1. If the phase -1 key for IKE negotiation is intercepted by an attacker, the attacker may collect sufficient information to derive the phase-2 key for IPsec SA negotiation. The PFS feature prevents this problem by performing an additional DH exchange, ensuring security of the phase-2 key.
    • IPsec SA Lifetime: specifies the duration in which the IPsec SA is alive. When the two ends perform IPsec negotiation to establish an SA, the smaller value between the lifetime values set on the local and peer devices takes effect.
    • IPsec SA Idletime: specifies the maximum idle duration of an IPsec SA. If no data is transmitted within this duration after the IPsec SA is established, the IPsec SA becomes invalid. When the current IPsec SA is about to expire, IPsec negotiation is triggered to establish a new SA, so that the new SA is ready before the old SA becomes invalid.
  • Tunnel Advance
    • Tunnel Start Mode: specifies how the IPsec tunnel is initiated.
      • Automatically: indicates that the local device completes IKE negotiation automatically to set up an IPsec tunnel after the IPsec policy is applied. This mode is often used on a client.
      • Respond Only: indicates that local device only receives IPsec requests and does not initiate a connection. This mode is often used on a server.
      • On-demand: indicates that the local device completes IKE negotiation to set up an IPsec tunnel only when detecting IPsec packets on the interface.
    • Local/Remote Send Cert Mode: specifies when to send the certificate. Options are Send cert always, Send cert on request, and Not send cert.
      • Send cert always: Some IPsec services do not send certificate requests but need to receive the certificate from the peer because they do not save the certificate. For these IPsec services, you must select this option on the peer to enable the IPsec tunnel to be established.
      • Send cert on request: The local device sends the certificate to the peer only when receiving a request from the peer.
      • Not send cert: The local device sends the certificate to the peer regardless of whether the peer sends a request.
    • ICMP Detect
      • ICMP Detection Server: specifies the address of the peer host to be detected.
      • ICMP Detection Local IP: specifies the source address of the traffic to be protected by IPsec.
      • ICMP Detection Interval: specifies the interval between ICMP probe packets sent from the local device.
      • ICMP Detection Timeout: specifies the timeout period of an ICMP probe. If the local device does not receive any ICMP Reply packet within this period, it considers that the ICMP probe times out.
      • ICMP Detection Max Retries: specifies the maximum number of retries after an ICMP probe failure. (The local device restarts the IPsec service when the number of retries reaches this value.)

4.4.1.2 IPsec Extension Setting

The IPsec extension parameters are described as follows:

• Basic Parameters
  • Name: specifies the name of an IPsec profile.
  • IKE Version: specifies the version of the IKE protocol. Options are IKEv1 and IKEv2.
  • IKEv1 Policy: specifies a policy ID defined in the IKEv1 policy list.
  • IKEv2 Policy: specifies a policy ID defined in the IKEv2 policy list.
  • IPsec Policy: specifies a policy ID defined in the IPsec policy list.
  • Authentication Type: specifies the authentication method used for the IPsec tunnel. Shared key authentication and digital certificate authentication are supported.
    • Shared Key: specifies the shared key used for authentication.
    • Digital Certificate: specifies the digital certificate used for authentication. You need to import a valid certificate on the certificate management page.
  • Negotiation Mode: specifies the mode of IKEv1 negotiation.
    • Main Mode: separates key exchange information from the identity information. This mode protects identity information to enhance the security.
    • Aggressive Mode: does not provide identity authentication but meets requirements of some special network environments. The aggressive mode can be used when the address of the tunnel initiator cannot be obtained in advance or keeps changing, but both parties want to establish an IKE SA by using a pre-shared key.
• IKE Advance (Phase 1)
  • Local ID: specifies the local ID of the specified type.
  • Remote ID: specifies the peer ID of the specified type.
  • IKE Keepalive (DPD): enables or disables dead peer detection (DPD).
    • DPD Timeout: specifies the timeout period of a DPD probe. After the receiving end triggers a DPD probe by sending a DPD request to the peer, it waits for a DPD response. If no IPsec-encrypted packet is received from the peer, it deletes the ISAKMP profile. The valid value range is 10-3600, and the unit is second.
    • DPD Interval: specifies the IPsec neighbor detection interval. After DPD is enabled, the receiving end can trigger a DPD probe if it does not receive any IPsec-encrypted packets from the peer within the DPD interval. In this case, the receiving end sends a DPD request to check whether the IKE peer is available. The valid value range is 10-3600, and the unit is second.
  • IPsec Advance (Phase 2)
    • PFS: enables or disables Perfect Forward Secrecy (PFS), a feature that ensures security of other keys when a key is encrypted, because these keys are not derived from one another. The key used in phase-2 IPsec negotiation is derived from the key generated in phase 1. If the phase -1 key for IKE negotiation is intercepted by an attacker, the attacker may collect sufficient information to derive the phase-2 key for IPsec SA negotiation. The PFS feature prevents this problem by performing an additional DH exchange, ensuring security of the phase-2 key.
    • IPsec SA Lifetime: specifies the duration in which the IPsec SA is alive. When the two ends perform IPsec negotiation to establish an SA, the smaller value between the lifetime values set on the local and peer devices takes effect.

Note:

• Encryption algorithms used for IPsec are AES, 3DES, and DES, listed in descending order of security. The encryption algorithms with higher security are more complex and slower in calculation. Therefore, the DES algorithm can be used to meet ordinary security requirements.
• When the IG902 acts as an IPsec server, set the remote address to 0.0.0.0. Generally, this setting is used when one end uses a public IP address and the other end uses a variable address for dial-up.
• IPsec extensions are often combined with GRE to establish a DMVP or GRE over IPsec network.

4.4.3.1 L2TP Client

The parameters of an L2TP client are described as follows:

• L2TP Class
  • Name: specifies the name of an L2TP class.
  • Authentication: enables or disables peer authentication before network connection setup.
  • Hostname: specifies the host name of the local device. This parameter can be left blank.
  • Challenge Secret: specifies the authentication key used on the tunnel. This parameter is required when authentication is enabled. You do not need to set it if authentication is disabled.
• Pseudowire Class
  • Name: specifies the name of a pseudowire class.
  • L2TP Class: specifies the name of an existing L2TP class.
  • Source Interface: specifies the source interface of the tunnel.
  • Data Encapsulation Method: L2TPV2 or L2TPV3.
  • Tunnel Management Protocol: L2TPV2, L2TPV3, or NONE.
• L2TPv2 Tunnel
  • Enable: enables or disables the L2TP tunnel.
  • ID: specifies the ID of the L2TP virtual interface.
  • L2TP Server: specifies the IP address or domain name of the L2TP server.
  • Pseudowire Class: specifies the name of an existing pseudowire class.
  • Authentication Type: specifies the authentication method used on the tunnel. Options are Auto, PAP, and CHAP.
  • Username: specifies the valid user name specified for the remote server.
  • Password: specifies the valid password specified for the remote server.
  • Local IP Address: specifies the IP address of the L2TP virtual interface. You can leave this field blank and use the IP address allocated by the L2TP server.
  • Remote IP Address: specifies the gateway of the L2TP address pool on the server. You can leave this field blank.
• L2TPv3 Tunnel
  • Enable: enables or disables the L2TPv3 tunnel.
  • ID: specifies the ID of the L2TPV3 virtual interface.
  • L2TP Server: specifies the IP address or domain name of the L2TPv3 server.
  • Pseudowire Class: specifies the name of an existing pseudowire class.
  • Protocol: specifies the packet encapsulation protocol used on the tunnel. Options are IP and UDP.
  • Source Port: specifies the source port used to establish the L2TP tunnel when UDP is used.
  • Destination Port: specifies the destination port used to establish the L2TP tunnel when UDP is used.
  • Xconnect interface: specifies the L2TPv3 bridge interface.
• L2TPv3 Session
  • Local Session ID: specifies the local tunnel ID specified in static L2TPv3 tunnel configuration. The valid value range is 1-65535.
  • Remote Session ID: specifies the remote tunnel ID specified in static L2TPv3 tunnel configuration. The valid value range is 1-65535.
  • Local Tunnel ID: specifies the L2TPv3 tunnel ID set in the L2TPv3 Tunnel area.
  • Local Session IP Address: specifies the IP address of the static L2TPv3 virtual interface.

4.4.3.2 L2TP Server

Parameters of an L2TP server are described as follows:

• Enable: enables or disables the L2TP server.
• Username: specifies the user name used to access the L2TP server.
• Password: specifies the password used to access the L2TP server.
• Authentication Type: specifies the authentication method used by the L2TP server. Options are Auto, PAP, and CHAP.
• Local IP Address: specifies the virtual address of the L2TP server interface.
• Client Start IP Address: specifies the start IP address of the IP address pool on the L2TP server.
• Client End IP Address: specifies the end IP address of the IP address pool on the L2TP server.
• Link Detection Interval: specifies the interval at which the L2TP server sends link detection packets after an L2TP tunnel is established. The valid value range is 0-32767, and the unit is second.
• Max Retries for Link Detection: specifies the maximum number of L2TP link detection failures. The L2TP establishes a new connection after link detection fails for the maximum number of times. The valid value range is 0-100.
• Enable MPPE: enables or disables Microsoft Point-to-Point Encryption (MPPE).
• Enable Tunnel Authentication
  • Challenge Secrets: specifies the key used for authentication during L2TP tunnel setup. The same key must be set on both ends of the tunnel.
  • Server Name: specifies the name of the L2TP server.
  • Client Name: specifies the name of the L2TP client connected to the server.
• Expert Options (recommended: kept blank): specify the parameters used for L2TP debugging.

4.4.4.1 OpenVPN Client

The parameters of an OpenVPN client are described as follows:

• Enable: enables or disables the OpenVPN client.
• Index: specifies a tunnel ID.
• OpenVPN Server: specifies the IP address or domain name of an OpenVPN server.
• Port: specifies the port number used to establish an OpenVPN tunnel.
• Protocol Type: specifies the protocol used for data transmission. Options are UDP and TCP.
• Authentication Type: Select an authentication type and set parameters for the authentication type.
• Description: specifies the description of the OpenVPN tunnel.
• Advanced Options
  • Source Interface: specifies the interface used to establish the OpenVPN tunnel.
  • Interface Type: specifies the type of data sent from the interface.
    • Tun: mostly used for IP-based communication.
    • Tap: allows complete Ethernet frames to pass through the OpenVPN tunnel and provides support for non-IP protocols.
  • Network Type: Options are net30, p2p, and subnet.
    • net30: Four IP addresses with a 30-bit mask are selected from the IP address pool. The larger one between the two intermediate IP addresses is used as the IP address of the client’s virtual NIC, and the smaller one is used as the peer IP address.
    • p2p: An IP address is selected from the IP address pool as the IP address of the client’s virtual NIC, and the actual IP address of the virtual NIC is used as the peer IP address.
    • subnet: An IP address is selected from the IP address pool as the IP address of the client’s virtual NIC, and the subnet mask of the virtual NIC is used as the peer IP address.
  • Cipher: specifies the protocol used to encrypt the data transmitted over the OpenVPN tunnel. The setting must be the same on the client and server.
  • HMAC: specifies the authentication method used for data transmitted over the OpenVPN tunnel. Data cannot be transmitted if the authentication fails. The setting must be the same on the client and server.
  • Compression LZO: specifies the compression format of data transmitted over the OpenVPN tunnel.
  • Redirect-Gateway: enables the OpenVPN interface to act as the default gateway for the client, so that all traffic of the client is forwarded through the OpenVPN interface.
  • Remote Float: allows the remote device to change its IP address or port.
  • Link Detection Interval: specifies the interval for sending link detection packets after an OpenVPN tunnel is established. The valid value range is 10-1800, and the unit is second.
  • Link Detection Timeout: specifies the timeout period of OpenVPN link detection. After the number of link detection failures reaches the maximum value, the local device initiates a new L2TP connection. The valid value range is 60-3600.
  • MTU: specifies the maximum transmit unit on the OpenVPN interface, which is expressed in bytes.
  • Enable Debug: enables or disables debugging logs.
  • Expert Configuration: specifies OpenVPN extension parameters.
  • Import Configuration: Select the OpenVPN configuration file you want to import.

4.4.4.2 OpenVPN Server

The parameters of an OpenVPN server are described as follows:

• Enable: enables or disables the OpenVPN server.
• Config Mode: specifies whether to complete the configuration manually or import a configuration file.
  • Manual Config
    • Authentication Type: specifies the authentication method used.
    • Local IP Address: specifies the virtual IP address of the OpenVPN server interface.
    • Remote IP Address: specifies the virtual IP address of the OpenVPN client.
    • Description: specifies the description of the OpenVPN tunnel.
    • Show Advanced Options: enables or disables display of advanced options.
      • Source Interface: specifies the interface used to establish the OpenVPN tunnel.
      • Interface Type: specifies the type of data sent from the interface.
        • Tun: mostly used for IP-based communication.
        • Tap: allows complete Ethernet frames to pass through the OpenVPN tunnel and provides support for non-IP protocols.
      • Network Type: Options are net30, p2p, and subnet.
      • Protocol Type: specifies the communication protocol used between the client and server. The setting must be the same on the client and server.
      • Port: specifies the port number of the OpenVPN service.
      • Cipher: specifies the protocol used to encrypt the data transmitted over the OpenVPN tunnel. The setting must be the same on the client and server.
      • HMAC: specifies the authentication method used for data transmitted over the OpenVPN tunnel. Data cannot be transmitted if the authentication fails. The setting must be the same on the client and server.
      • Compression LZO: specifies the compression format of data transmitted over the OpenVPN tunnel. The setting must be the same as that on the client.
      • Link Detection Interval: specifies the interval for sending link detection packets after an OpenVPN tunnel is established. The valid value range is 10-1800, and the unit is second.
      • Link Detection Timeout: specifies the timeout period of OpenVPN link detection. If the local device does not receive a response to the link detection packet within this period, link detection fails. The valid value range is 60-3600.
      • MTU: specifies the maximum transmit unit on the OpenVPN interface, which is expressed in bytes.
      • Enable Debug: enables or disables debugging logs.
      • Expert Configuration: specifies OpenVPN extension parameters.
      • Username/Password: specifies the user name and password used for server access when password authentication is used.
      • Local Subnet: specifies the route from the OpenVPN server to the client. Enter the subnet address on which the client is located.
      • Client Subnet: specifies the static route that the OpenVPN server sends to the client.
      • Client ID: specifies the attribute ID of the client, generally the certificate name or user name of the client.

4.5.1.1 Serial Port

To ensure proper communication between the IG902 and terminals, you need to set its serial port parameters based on serial port settings on the terminals.The serial port parameters are described as follows:

• Serial Type: The type of serial port 1 is RS232, and the type of serial port 2 is RS485, which cannot be changed.
• Baudrate: specifies the symbol transmission speed measured by the number of symbols transmitted per second.
• Data Bits: specifies the number of data bits in communication.
• Parity: specifies the error check method used in serial communication. Generally, parity check or no check is performed.
• Stop Bit: specifies the last bit of a packet. Typical values are 1, 1.5, and 2.
• Software Flow Control: enables or disables software flow control on the serial port. It is a mechanism to block flows when communication fails for some reason. This mechanism enables a data receiving device to instruct the sender to stop sending data when it cannot receive data.
• Description: specifies the description of the serial port.

Caution:

• Serial port settings on the IG902 must be the same as those on the terminals connected to it.
• DTU and GPS serial forwarding cannot be enabled at the same time.

4.5.1.2 DTU1

The parameters of DTU1 are described as follows:

• Enable: enables or disables DUT1.
• DTU Protocol: specifies the communication protocol used on DTU1. Options are Transparent, TCP Server, RFC2217 Mode, IEC101 to 104, Modbus Bridge, and DC Protocol.
  • Transparent and TCP Server: In transparent transmission mode, the IG902 acts as a client. In TCP server mode, the IG902 acts as a server.
  • RFC2217 Mode: removes the need to configure serial port settings.
  • IEC101 to 104: provides similar functions to TCP. This mode is applicable to the electric power industry.
• Transmit Protocol: specifies the transmission protocol used. Options are TCP and UDP.
• Connection Type: specifies the type of the TCP connection. Options are Long-lived and Short-lived.
  • Long-lived: indicates that the TCP client retains the TCP connection to the TCP server.
  • Short-lived: indicates that the TCP client terminates the TCP connection to the TCP server if no data is transmitted over the connection within the idle timeout period.
• Keepalive Interval: specifies the interval at which the TCP client sends TCP keepalive packets after establishing a connection to the TCP server. The valid value range is 1-3600, and the unit is second.
• Keepalive Retry: specifies the maximum number of TCP keepalive packet retransmissions. The device retransmits TCP keepalive packets when a TCP keepalive probe times out. If the device does not receive any response after retransmitting TCP keepalive packets for the specified number of times, it initiates a TCP connection again. The valid value range is 1-100.
• Serial Buffer Frame: specifies the buffer size on the serial port. The default value is 4K.
• Packet Size: specifies the size of each frame sent from the serial port. The serial port starts frame transmission when the frame size reaches this value. The valid value range is 1-1024, and the unit is byte.
• Force Transmit Timer: specifies the maximum data transmission interval. If the data transmission interval exceeds the specified value, the device sends the data in multiple frames. The valid value range is 10-65535, and the unit is millisecond.
• Min Reconnect Interval: specifies the minimum interval for reestablishing a TCP connection. When a connection fails to be established, the device attempts to reestablish a connection at the specified minimum interval. It retries continuously until the specified maximum reconnection interval is reached. The valid value range is 15-60, and the unit is second.
• Max Reconnect Interval: specifies the maximum interval for reestablishing a TCP connection. When the reconnection period reaches the maximum interval, the device attempts to reestablish a connection at this interval (maximum reconnection interval). The valid value range is 60-3600, and the unit is second.
• Multi-server Policy: specifies the policy used when multiple servers are available. Options are parallel and polling.
  • Parallel: connects to all the servers specified in the destination IP address list concurrently.
  • Polling: connects to the servers in the list sequentially. If the first server is connected successfully, the device does not connect to other servers. If the first server cannot be connected, the device tries the other servers in the listed order until a server is connected successfully.
• Source Interface: Generally, you do not need to set this parameter.
• Local IP Address: specifies the IP address of the interface. Set this parameter when you select IP for the Source Interface field. You can leave this field blank.
• DTU ID: specifies the DTU ID that the device will send to the server after connecting to the server. You can leave this field blank.
• Enable Debug: enables or disables debugging logs.
• Enable Report ID: enables or disables ID reporting.
• Keepalive Interval: You need to set this parameter only when Enable Report ID is selected. The valid value range is 1-65535, and the unit is second.
• Keepalive Content: You need to set this parameter only when Enable Report ID is selected.
• Destination IP Address
  • Server Address: specifies the IP address of a server to be connected.
  • Server Port: specifies the port number of the server to be connected.

Note: You can specify a maximum of 10 destination IP addresses.

4.5.1.3 DTU2

The parameters are same as those of DUT1.