Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router
Chapter 4: Configuration
112
IPSec (IP Security Protocol)
Active:
This function activates or deactivates the IPSec connection. Check the Active checkbox to activate the tunnel; uncheck it to deactivate the tunnel.
Note:
When the Active checkbox is checked, the function of Edit and Delete will not be available.
Name:
This is a given name of the connection.
Local Subnet:
Displays IP address and subnet of the local network.
Remote Subnet:
Displays IP address and subnet of the remote network.
Remote Gateway:
This is the IP address or Domain Name of the remote VPN device that is connected
and established a VPN tunnel.
IPSec Proposal:
This is the selected IPSec security method.
IPSec VPN Connection
Name:
A given name for the connection (e.g. “connection to office”).
Local Network:
Set the IP address, subnet or address range of the local network.
Single Address:
The IP address of the local host.
Subnet:
The subnet of the local network. For example, IP: 192.168.1.0 with netmask
255.255.255.0 specifies one class C subnet starting from 192.168.1.1 (i.e. 192.168.1.1 through
IP Range:
The IP address range of the local network. For example, start IP: 192.168.1.1, end IP: 192.168.1.10.
Remote Secure Gateway Address (or Domain Name):
The IP address or hostname of the remote VPN
device that is connected and establishes a VPN tunnel.
Remote Network:
Set the IP address, subnet or address range of the remote network.
IKE (Internet Key Exchange) Mode:
Select Main mode or Aggressive mode for IKE. IKE provides secure key generation and key management.
Local ID:
Content: Input the local ID's information, such as a domain name (e.g. www.ipsectest.com).
Remote ID:
Identifier: Input the remote ID's information, such as a domain name (e.g. www.ipsectest.com).
Hash Function:
A message digest algorithm converts a message of any length into a unique set of bits (the digest). The widely used algorithms are MD5 (Message Digest) and SHA-1 (Secure Hash Algorithm). SHA1 is more resistant to brute-force attacks than MD5, however it is slower.
MD5:
A one-way hashing algorithm that produces a 128-bit hash.
SHA1:
A one-way hashing algorithm that produces a 160-bit hash.
Encryption:
Select the encryption method from the pull-down menu. There are several options: DES, 3DES and AES (128, 192 and 256). 3DES and AES are more powerful but increase latency.
DES:
Stands for Data Encryption Standard; it uses a 56-bit key.
3DES:
Stands for Triple Data Encryption Standard; it uses a 168-bit (56*3) key.
AES:
Stands for Advanced Encryption Standard; you can use a 128-, 192- or 256-bit key.
DH (Diffie-Hellman) Group:
It is a public-key cryptography protocol that allows two parties to establish a
shared secret over an unsecured communication channel (i.e. over the Internet). There are three modes,
MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for Modular Exponentiation Groups.
IPSec Proposal:
Select the IPSec security method. There are two methods of protecting the authentication information, AH (Authentication Header) and ESP (Encapsulating Security Payload). Use ESP for greater security, so that data is both encrypted and authenticated. With AH, data is authenticated but not encrypted.
Authentication:
Authentication establishes the integrity of the datagram and ensures it is not tampered with in transit. There are three options: Message Digest 5 (MD5), Secure Hash Algorithm (SHA1) or NONE. SHA1 is more resistant to brute-force attacks than MD5, however it is slower.
MD5:
A one-way hashing algorithm that produces a 128-bit hash.
SHA1:
A one-way hashing algorithm that produces a 160-bit hash.
Encryption:
Select the encryption method from the pull-down menu. There are several options: DES, 3DES, AES (128, 192 and 256) and NULL. NULL means it is a tunnel only, with no encryption. 3DES and AES are more powerful but increase latency.
DES:
Stands for Data Encryption Standard; it uses a 56-bit key.
3DES:
Stands for Triple Data Encryption Standard; it uses a 168-bit (56*3) key.
AES:
Stands for Advanced Encryption Standard; you can use a 128-, 192- or 256-bit key.
Perfect Forward Secrecy:
Choose whether to enable PFS using Diffie-Hellman public-key cryptography
to change encryption keys during the second phase of VPN negotiation. This function will provide better
security, but extends the VPN negotiation time. Diffie-Hellman is a public-key cryptography protocol that
allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the
Internet). There are three modes, MODP 768-bit, MODP 1024-bit and MODP 1536-bit. MODP stands for
Modular Exponentiation Groups.
Pre-shared Key:
This is for the Internet Key Exchange (IKE) protocol, a string from 4 to 128 characters.
Both sides should use the same key. IKE is used to establish a shared security policy and authenticated
keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router
must be able to verify the identity of its peer. This can be done by manually entering the pre-shared key
into both sides (router or hosts).
SA Lifetime:
Specify the number of minutes that a Security Association (SA) stays active before new encryption and authentication keys are exchanged. There are two kinds of SAs, IKE and IPSec. IKE negotiates and establishes SAs on behalf of IPSec; an IKE SA is used by IKE itself.
Phase 1 (IKE):
Used to issue an initial connection request for a new VPN tunnel. The range can be from 5 to 15,000 minutes, and the default is 480 minutes.
Phase 2 (IPSec):
Used to negotiate and establish secure authentication. The range can be from 5 to 15,000 minutes, and the default is 60 minutes.
A short SA time increases security by forcing the two parties to update the keys. However, every
time the VPN tunnel re-negotiates, access through the tunnel will be temporarily disconnected.
PING for Keep Alive:
None:
The default setting is None. In this mode the router does not detect whether the remote IPSec peer has been lost. It only follows the policy of Disconnection Time after no traffic, so the remote IPSec connection is disconnected after the time you set in that function.
PING:
This mode detects whether the remote IPSec peer has been lost by pinging a specified IP address.
DPD:
Dead peer detection (DPD) is a keep-alive mechanism that lets the router detect when the connection between it and a remote IPSec peer has been lost. Note that it must be enabled on both sites.
PING to the IP:
The router pings the remote PC at the specified IP address and raises an alert when the connection fails. Once the alert message is received, the router drops this tunnel connection, and the connection must be re-established. The default setting is 0.0.0.0, which disables the function.
Interval:
This sets the time interval between pings of the PING to the IP function used to monitor the connection status. The default interval is 10 seconds. The interval can be set from 0 to 3600 seconds; 0 seconds disables the function.
Ping to the IP                         Interval (sec)   Ping to the IP Action
0.0.0.0                                0                No
0.0.0.0                                2000             No
xxx.xxx.xxx.xxx (a valid IP address)   0                No
xxx.xxx.xxx.xxx (a valid IP address)   2000             Yes, activate it every 2000 seconds.
Disconnection Time after no traffic:
This is the no-response time clock. When the period with no traffic exceeds the Disconnection Time set, the router automatically halts the tunnel connection and re-establishes it based on the Reconnection Time set. 180 seconds is the minimum time interval for this function.
Reconnection Time:
This is the reconnection time interval after the NO TRAFFIC state is triggered. 3 minutes is the minimum time interval for this function.
Click Edit/Delete to save your changes.
Example: Configuring an IPSec LAN-to-LAN VPN Connection
Table 3: Network Configuration and Security Plan

                       Branch Office        Head Office
Local Network ID       192.168.0.0/24       192.168.1.0/24
Local Router IP        69.121.1.30          69.121.1.3
Remote Network ID      192.168.1.0/24       192.168.0.0/24
Remote Router IP       69.1.121.3           69.1.121.30
IKE Pre-shared Key     12345678             12345678
VPN Connection Type    Tunnel mode          Tunnel mode
Security Algorithm     ESP:MD5 with AES     ESP:MD5 with AES
Attention:
Both office LAN networks MUST be in different subnets for a LAN-to-LAN application.
The Pre-shared Key, VPN Connection Type and Security Algorithm MUST BE set up identically on both sides.
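The consistency rules above (the two LAN subnets must differ, and the Pre-shared Key, VPN Connection Type and Security Algorithm must match on both sides), together with the ranges given earlier on this page for the pre-shared key, the SA lifetimes and the PING for Keep Alive interval, can be checked before the settings are typed into either router. The Python script below is an added example written for this page; it is not code from Billion or from the router's firmware. The VpnSide class, its field names and the sample plan are constructed: the subnets and key follow Table 3, and each side's Remote Secure Gateway Address is taken to be the peer's Local Router IP so that the two sides mirror each other. The ping_keepalive_active function reproduces the keep-alive table from the PING to the IP section.

```python
import ipaddress
from dataclasses import dataclass, replace

# Limits quoted on this manual page for the router's IPSec VPN settings.
PSK_MIN_LEN, PSK_MAX_LEN = 4, 128          # pre-shared key, characters
SA_MIN_MINUTES, SA_MAX_MINUTES = 5, 15000  # Phase 1 / Phase 2 SA lifetime
PING_MAX_SECONDS = 3600                    # keep-alive ping interval


@dataclass
class VpnSide:
    """One router's LAN-to-LAN settings. Field names are constructed for this
    example and are not the router's own configuration keys."""
    name: str
    local_net: str        # Local Network (subnet)
    local_gw: str         # this router's WAN address (Local Router IP)
    remote_net: str       # Remote Network (subnet)
    remote_gw: str        # Remote Secure Gateway Address
    psk: str              # IKE Pre-shared Key
    proposal: str         # "ESP" or "AH"
    auth: str             # "MD5", "SHA1" or "NONE"
    encryption: str       # "DES", "3DES", "AES" or "NULL"
    phase1_minutes: int = 480
    phase2_minutes: int = 60
    ping_ip: str = "0.0.0.0"
    ping_seconds: int = 10


def ping_keepalive_active(ping_ip, interval_seconds):
    """Reproduces the keep-alive table: the router pings only when both a real
    address (not 0.0.0.0) and a non-zero interval are configured."""
    return ping_ip != "0.0.0.0" and interval_seconds != 0


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def check_side(side):
    """Range and policy checks for one router; returns a list of findings."""
    issues = []
    local, remote = _net(side.local_net), _net(side.remote_net)
    if local.overlaps(remote):
        issues.append(f"{side.name}: local {local} and remote {remote} overlap")
    if not PSK_MIN_LEN <= len(side.psk) <= PSK_MAX_LEN:
        issues.append(f"{side.name}: pre-shared key must be "
                      f"{PSK_MIN_LEN} to {PSK_MAX_LEN} characters")
    for label, minutes in (("Phase 1", side.phase1_minutes),
                           ("Phase 2", side.phase2_minutes)):
        if not SA_MIN_MINUTES <= minutes <= SA_MAX_MINUTES:
            issues.append(f"{side.name}: {label} SA lifetime {minutes} min is "
                          f"outside {SA_MIN_MINUTES} to {SA_MAX_MINUTES}")
    if not 0 <= side.ping_seconds <= PING_MAX_SECONDS:
        issues.append(f"{side.name}: ping interval {side.ping_seconds} s is "
                      f"outside 0 to {PING_MAX_SECONDS}")
    # Policy findings: the manual notes that AH and NULL leave traffic unencrypted.
    if side.proposal == "AH":
        issues.append(f"{side.name}: AH authenticates only; traffic is not encrypted")
    if side.proposal == "ESP" and side.encryption == "NULL":
        issues.append(f"{side.name}: NULL encryption; tunnel carries plaintext")
    if side.auth == "NONE":
        issues.append(f"{side.name}: no authentication algorithm selected")
    return issues


def check_pair(a, b):
    """Checks both routers and that their settings mirror each other."""
    issues = check_side(a) + check_side(b)
    if _net(a.remote_net) != _net(b.local_net) or _net(b.remote_net) != _net(a.local_net):
        issues.append("remote network on each side must equal the peer's local network")
    if a.remote_gw != b.local_gw or b.remote_gw != a.local_gw:
        issues.append("remote gateway on each side must equal the peer's router IP")
    for field in ("psk", "proposal", "auth", "encryption"):
        if getattr(a, field) != getattr(b, field):
            issues.append(f"{field} differs between {a.name} and {b.name}")
    return issues


# Constructed sample plan modelled on Table 3 (subnets and key from the table;
# each remote gateway is set to the peer's Local Router IP so the sides mirror).
BRANCH = VpnSide("Branch Office", "192.168.0.0/24", "69.121.1.30",
                 "192.168.1.0/24", "69.121.1.3", "12345678", "ESP", "MD5", "AES")
HEAD = VpnSide("Head Office", "192.168.1.0/24", "69.121.1.3",
               "192.168.0.0/24", "69.121.1.30", "12345678", "ESP", "MD5", "AES")


def same_subnet_findings():
    """Mis-plan with both LANs on 192.168.0.0/24: overlap and mirror checks fire."""
    return check_pair(BRANCH, replace(HEAD, local_net="192.168.0.0/24"))


if __name__ == "__main__":
    print(check_pair(BRANCH, HEAD) or ["plan is consistent"])
    for finding in same_subnet_findings():
        print(finding)
```

Running the script prints "plan is consistent" for the mirrored plan, then the two findings for the mis-plan in which both offices use 192.168.0.0/24: the per-side overlap check and the cross-side mirror check both report it, which is exactly the situation the Attention note warns against.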
