This section describes the two special features of the DI-824VUP++ router: VPN-server and print-server. It’s all simple with the print-server feature. First of all, you should install the necessary software from the CD enclosed in the router’s box. This is in fact a driver of a special port called PRTmate which will be used to exchange data with the printer you attach to your DI-824VUP++.
The rest of the printer setup procedure is ordinary for Windows. But when you choose the printer port, you should specify the printer’s IP address (it’s the same as the router’s IP) and physical interface in its properties.
Setting up a VPN-server is somewhat more complex. You’ll find everything you need to do that on the VPN page of the router’s Web interface. It contains a few buttons that open up new pages when clicked on. These pages contain additional parameters that are missing on the main page. The router supports up to 40 IPsec tunnels and can act as a PPTP or an L2TP server. There are separate settings pages for the latter two protocols. The selection of settings for PPTP and L2TP is identical.
First of all, you should enable the server by clicking the appropriate checkbox. Next, enter the VPN server IP address that must differ from the IP address of the router’s WAN interface. Then, select the authentication protocol and traffic encryption parameters. The client can be authenticated using the following protocols: PAP, CHAP or MSCHAP. If you select MSCHAP, you must then specify if the traffic in the channel is encrypted with MPPE or not. When all the parameters are specified, you can add tunnels into the list at the bottom part of the page. Don’t forget to click the Apply button after you’ve added a tunnel.
More parameters must be specified if you want to create an IPsec tunnel. First, you must enable the VPN-server and specify the maximum number of tunnels. Then each of the tunnels is to be set up independently. To do this, specify the tunnel’s ID and key exchange method (manually or with the IKE protocol). For further setup, click the More button next to the necessary tunnel.
I’d like to remind you about one shortcoming of the router’s Web interface. If you don’t press the Apply button, all the changes you’ve made on one page are cancelled when you go to another page. Don’t forget about that! So, after you click the More button, you find yourself on a page where the rest of the tunnel’s parameters are set up.
The particular settings you’ll see here depend on what key exchange method you’ve selected before. I chose IKE as the most frequently used one. First you must specify the tunnel’s operation mode, normal or aggressive. Then, there are the addresses and masks of the subnets that will be used on both sides of the tunnel and the client’s IP address. If you enter an IP address in the IKE Keep Alive field, the status of the tunnel will be checked by the server by pinging this address in the client’s subnet. Further down the list there are client authentication settings: a key, a key and a name, or a user password. You should enable the IPSec NAT Traversal option (it’s the same as NAT-T) if the packets are undergoing NAT on their way between the endpoints of the IPsec tunnel. And finally you should choose a Security Association (SA) variant for IPsec and IKE. Pages with settings for these variants appear when you press the appropriate buttons. The pages are almost identical. You can set up 10 SA variants, four (or fewer) of which can be made active by entering their IDs into the appropriate list.
Each SA variant consists of several fields. First, let’s consider the case of IKE. Besides the ID, the first field of the rule is DH Group, in which the version of Diffie-Hellman key exchange is specified: group 1 – 768-bit, group 2 – 1024-bit, group 5 – 1536-bit. The encryption algorithm is specified in the next field: DES or 3DES. Next goes the authentication algorithm: SHA1 or MD5. The association lifetime in seconds or kilobytes is the last field.
The IPsec variants are somewhat different. First, you can disable the Diffie-Hellman key exchange. Second, there is a field for you to choose the encapsulation protocol: ESP or AH. And third, you can choose not to use authentication. After you’ve performed these operations, the IPsec tunnel may be considered as set up. Besides standard IPsec tunnels, you can also create a dynamic IPsec tunnel whose difference from a static one is that you don’t specify the IP addresses of the remote subnet and the remote VPN gateway for it.
It can be set up by pressing the appropriate button. I won’t describe the setup procedure as it is similar to the one of creating a static VPN tunnel.
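The IKE and IPsec SA variants described above can be checked before they are entered into the active list. The following Python is an added example, not code from the router or from this review: it validates an active list against the limits stated above (10 variants, 4 active) and flags the weaker choices in each active variant. The `SAVariant` model, its field names and the sample values are constructed for illustration, and the example assumes the router may negotiate any variant that appears in the active list.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

MAX_VARIANTS, MAX_ACTIVE = 10, 4          # limits stated in the review
DH_BITS = {1: 768, 2: 1024, 5: 1536}      # group sizes stated in the review

@dataclass
class SAVariant:                          # hypothetical model of one SA row
    id: int
    dh_group: Optional[int]               # None = DH disabled (IPsec only)
    encryption: str                       # "DES" or "3DES"
    auth: Optional[str]                   # "SHA1", "MD5"; None = off (IPsec only)
    encapsulation: str = "ESP"            # "ESP" or "AH" (IPsec only)

def weaknesses(v: SAVariant, phase: str) -> list[str]:
    """List the weak choices in one variant; phase is 'IKE' or 'IPsec'."""
    out = []
    if v.dh_group in (1, 2):              # group 5 is the largest offered
        out.append(f"DH group {v.dh_group} ({DH_BITS[v.dh_group]}-bit)")
    if v.encryption == "DES" and v.encapsulation == "ESP":
        out.append("DES (56-bit key)")
    if v.auth == "MD5":
        out.append("MD5 authentication")
    if phase == "IPsec":
        if v.dh_group is None:
            out.append("DH disabled: no perfect forward secrecy")
        if v.encapsulation == "AH":
            out.append("AH: traffic is not encrypted")
        if v.auth is None:
            out.append("no authentication: no integrity protection")
    return out

def audit(variants: list[SAVariant], active_ids: list[int], phase: str) -> dict[int, list[str]]:
    """Validate the active list, then report weaknesses per active variant."""
    by_id = {v.id: v for v in variants}
    if len(variants) > MAX_VARIANTS or len(active_ids) > MAX_ACTIVE:
        raise ValueError("the router allows 10 variants, 4 of them active")
    missing = [i for i in active_ids if i not in by_id]
    if missing:
        raise ValueError(f"active IDs not defined: {missing}")
    return {i: weaknesses(by_id[i], phase) for i in active_ids}

# Constructed sample: three IPsec variants, IDs 1 and 2 in the active list.
IPSEC = [SAVariant(1, 5, "3DES", "SHA1"), SAVariant(2, None, "DES", "MD5"),
         SAVariant(3, 1, "DES", None, "AH")]

if __name__ == "__main__":
    for sa_id, found in audit(IPSEC, [1, 2], "IPsec").items():
        print(sa_id, found or "strongest options the router offers")
```

Under that assumption, one weak entry in the active list sets the floor for the tunnel, so the check covers every active ID and not only the first.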
Summarizing this section, I should agree that the VPN-server’s settings are indeed up to today’s requirements. It thus can be utilized successfully by a majority of users. The bandwidth of the VPN-server will be tested in the next section of the review.