Page 56
4021192 Rev B
Configure Security
Security > VPN Passthrough

Use this page to configure Virtual Private Network (VPN) support. Enabling the settings on this page allows VPN tunnels using the IPsec or PPTP protocols to pass through the gateway's firewall. Select the VPN Passthrough tab to open the Security VPN Passthrough page.

Use the descriptions and instructions in the following table to configure the VPN passthrough for your residential gateway. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.
Section: VPN Passthrough

IPSec Passthrough: Enables/disables Internet Protocol Security (IPsec). IPsec is a suite of protocols used to implement secure exchange of packets at the IP layer. If you enable IPSec Passthrough, applications that use IPsec can pass through the firewall. To disable IPSec Passthrough, select Disable. Select the desired option: Enable (factory default) or Disable.

PPTP Passthrough: Enables/disables Point-to-Point Tunneling Protocol (PPTP). PPTP allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network. If you enable PPTP Passthrough, applications that use PPTP can pass through the firewall. To disable PPTP Passthrough, select Disable. Select the desired option: Enable (factory default) or Disable.
Security > VPN

A Virtual Private Network (VPN) is a connection between two endpoints in different networks that allows private data to be sent securely over public networks or other private networks. This is accomplished by creating a "VPN tunnel." A VPN tunnel connects the two PCs or networks and allows data to be transmitted over the Internet as if it were on a private network. The VPN tunnel uses IPsec to encrypt the data sent between the two endpoints and to encapsulate the data within a normal Ethernet/IP frame, allowing the data to pass between networks securely and seamlessly.

A VPN provides a cost-effective and more secure alternative to using a private, dedicated, leased line for a private network. Using industry-standard encryption and authentication techniques, an IPsec VPN creates a secure connection that operates as if you were directly connected to your local private network.

For example, a VPN allows a user to sit at home, connect to his or her employer's corporate network, and receive an IP address in that private network just as though he or she were sitting in the office connected to the corporate LAN.

Select the VPN tab to open the Security VPN page. Use this page to configure the VPN for your residential gateway.
Security VPN Tunnel Page Description

Use the descriptions and instructions in the following table to configure the VPN tunnel for your gateway. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.

Section: VPN Tunnel

Select Tunnel Entry: Allows you to display a list of created VPN tunnels.
Create Button: Click this button to create a new tunnel entry.
Delete Button: Click this button to delete all settings for the selected tunnel.
Summary Button: Click this button to display the settings and status of all enabled tunnels.
IPSec VPN Tunnel: Allows you to enable or disable Internet Protocol Security (IPsec) for the VPN tunnel.
Tunnel Name: Enter the name for this tunnel.

Section: Local Secure Group

Select the local LAN user(s) that can use this VPN tunnel. This may be a single IP address or a sub-network. Note that the Local Secure Group must match the remote gateway's Remote Secure Group.
IP: Enter the IP address of the local network.
Mask: If the Subnet option is selected, enter the mask that determines the IP addresses on the local network.

Section: Remote Secure Group

Select the remote LAN user(s) behind the remote gateway who can use this VPN tunnel. This may be a single IP address, a sub-network, or any addresses. If "Any" is set, the Gateway acts as responder and accepts requests from any remote user. Note that the Remote Secure Group must match the remote gateway's Local Secure Group.
IP: Enter the IP address of the remote network.
Mask: If the Subnet option is selected, enter the mask that determines the IP addresses on the remote network.
Section: Remote Secure Gateway

Select the desired option: IP Addr., Any, or FQDN. If the remote gateway has a dynamic IP address, select Any or FQDN. If Any is selected, the Gateway will accept requests from any IP address.
FQDN: If FQDN is selected, enter the domain name of the remote gateway, so the Gateway can locate its current IP address using DDNS.
IP: The IP address in this field must match the public (WAN or Internet) IP address of the remote gateway at the other end of this tunnel.

Section: Key Management

Key Exchange Method: The gateway supports both automatic and manual key management. When automatic key management is selected, Internet Key Exchange (IKE) protocols are used to negotiate key material for the Security Association (SA). If manual key management is selected, no key negotiation is needed. Manual key management is typically used in small static environments or for troubleshooting purposes. Note that both sides must use the same key management method.
Select one of the following options for the key exchange method:

Auto (IKE)

Encryption: The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Note that both sides must use the same method.
Authentication: The Authentication method authenticates the Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Note that both sides (VPN endpoints) must use the same method.
  MD5: A one-way hashing algorithm that produces a 128-bit digest.
  SHA: A one-way hashing algorithm that produces a 160-bit digest.
Perfect Forward Secrecy (PFS): If PFS is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication. Note that both sides must have PFS enabled.
Pre-Shared Key: IKE uses the Pre-Shared Key to authenticate the remote IKE peer. Both character and hexadecimal values are acceptable in this field, e.g., "My_@123" or "0x4d795f40313233". Note that both sides must use the same Pre-Shared Key.
Key Lifetime: This field specifies the lifetime of the IKE-generated key. When the time expires, a new key is renegotiated automatically. The Key Lifetime may range from 300 to 100,000,000 seconds. The default lifetime is 3600 seconds.

Manual

Encryption: The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Note that both sides must use the same method.
Encryption Key: This field specifies a key used to encrypt and decrypt IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Encryption Key.
Authentication: The Authentication method authenticates the Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Note that both sides (VPN endpoints) must use the same method.
  MD5: A one-way hashing algorithm that produces a 128-bit digest.
  SHA: A one-way hashing algorithm that produces a 160-bit digest.
Authentication Key: This field specifies a key used to authenticate IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Authentication Key.
Inbound SPI/Outbound SPI: The Security Parameter Index (SPI) is carried in the ESP header. It enables the receiver to select the SA under which a packet should be processed. The SPI is a 32-bit value. Both decimal and hexadecimal values are acceptable, e.g., "987654321" or "0x3ade68b1". Each tunnel must have a unique Inbound SPI and Outbound SPI; no two tunnels share the same SPI. Note that the Inbound SPI must match the remote gateway's Outbound SPI, and vice versa.
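The tables for the VPN Tunnel page and for Key Management both carry "must match" rules between the two gateways (mirrored secure groups, identical methods and keys, swapped SPIs, PFS and lifetime limits). The following Python is an added example, not the manual's or the gateway's own code, that checks two endpoint configurations against those rules before they are entered; the field names and the sample values are assumptions constructed for the example.

```python
# Added example, not code from the gateway manual: cross-check that the two ends of an IPsec
# tunnel match, per the "must match" rules in the tables above. Names and sample values are constructed.
import ipaddress

SPI_MAX = 0xFFFFFFFF                 # the SPI is a 32-bit value
LIFETIME_RANGE = (300, 100_000_000)  # valid IKE key lifetime, in seconds

def parse_key(text):
    """Keys accept characters or 0x-prefixed hex, e.g. "My_@123" or "0x4d795f40313233"."""
    return bytes.fromhex(text[2:]) if text.lower().startswith("0x") else text.encode()

def parse_spi(text):
    """SPIs accept decimal or 0x-prefixed hex and must fit in 32 bits."""
    spi = int(text, 16) if text.lower().startswith("0x") else int(text)
    if not 0 < spi <= SPI_MAX:
        raise ValueError(f"SPI out of 32-bit range: {text}")
    return spi

def check_tunnel_pair(a, b):
    """Return the list of mismatches between gateway a's and gateway b's tunnel settings."""
    problems, net = [], ipaddress.ip_network
    # Secure groups are mirrored: a's Local Secure Group is b's Remote Secure Group.
    if net(a["local_group"]) != net(b["remote_group"]) or net(a["remote_group"]) != net(b["local_group"]):
        problems.append("secure groups are not mirrored between the peers")
    # Both sides must use the same key management, encryption and authentication method.
    for f in ("key_mgmt", "encryption", "authentication"):
        if a[f] != b[f]:
            problems.append(f"{f} differs: {a[f]} vs {b[f]}")
    if a["key_mgmt"] == "auto" == b["key_mgmt"]:  # IKE: same PSK, PFS on both or neither
        if parse_key(a["psk"]) != parse_key(b["psk"]):
            problems.append("pre-shared keys differ")
        if a["pfs"] != b["pfs"]:
            problems.append("PFS must be enabled on both sides or on neither")
        if any(not LIFETIME_RANGE[0] <= s["lifetime"] <= LIFETIME_RANGE[1] for s in (a, b)):
            problems.append("key lifetime outside 300-100,000,000 seconds")
    elif a["key_mgmt"] == "manual" == b["key_mgmt"]:  # keys mirrored, SPIs swapped
        if any(parse_key(a[f]) != parse_key(b[f]) for f in ("enc_key", "auth_key")):
            problems.append("encryption or authentication key differs")
        if parse_spi(a["spi_in"]) != parse_spi(b["spi_out"]) or parse_spi(a["spi_out"]) != parse_spi(b["spi_in"]):
            problems.append("SPIs are not mirrored (inbound must equal the peer's outbound)")
        if parse_spi(a["spi_in"]) == parse_spi(a["spi_out"]):
            problems.append("inbound and outbound SPI must be distinct")
    return problems

# Constructed sample: two gateways sharing one manually keyed tunnel (all values made up).
GW_A = dict(key_mgmt="manual", encryption="3DES", authentication="SHA",
            local_group="192.168.0.0/24", remote_group="10.0.0.0/24",
            enc_key="0x4d795f40313233", auth_key="My_@123", spi_in="987654321", spi_out="0x3ade68b2")
GW_B = dict(GW_A, local_group="10.0.0.0/24", remote_group="192.168.0.0/24",
            spi_in="0x3ade68b2", spi_out="987654321")
```

Running `check_tunnel_pair(GW_A, GW_B)` on the sample returns an empty list; the manual's own examples "My_@123" and "0x4d795f40313233" parse to the same key bytes, as do "987654321" and "0x3ade68b1" for the SPI.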
