VPN
Setting Up a Gateway to Gateway (Site to Site) VPN
Cisco Small Business RV0xx Series Routers Administration Guide
131
9
NOTE
Before navigating away from this page, click Save to save your settings, or click Cancel to undo them. Any unsaved changes are abandoned.
Add a New Tunnel
Tunnel No: The ID number, which is automatically generated.
Tunnel Name: Enter a name for this VPN tunnel, such as Los Angeles Office, Chicago Branch, or New York Division. This description is for your reference. It does not have to match the name used at the other end of the tunnel.
Interface: Select the WAN port to use for this tunnel.
Enable: Check this box to enable the VPN tunnel, or uncheck it to disable the tunnel. By default, the tunnel is enabled.
Local Group Setup and Remote Group Setup
Enter the settings described below. The Local settings are for this router, and the Remote settings are for the router on the other end of the tunnel. Mirror these settings when configuring the VPN tunnel on the other router.
Local/Remote Security Gateway Type: Specify the method for identifying the router to establish the VPN tunnel. The Local Security Gateway is on this router; the Remote Security Gateway is on the other router. At least one of the routers must have either a static IP address or a dynamic DNS hostname to make a connection.
- IP Only: Choose this option if this router has a static WAN IP address. The WAN IP address appears automatically.
For the Remote Security Gateway Type, an extra field appears. If you know the IP address of the remote VPN router, choose IP Address, and then enter the address. If you do not know the IP address of the remote VPN router, select IP by DNS Resolved, and then enter the real domain name of the router on the Internet. The Cisco RV082 obtains the IP address of the remote VPN device by DNS resolution, and that IP address is displayed in the VPN Status section of the VPN > Summary page.
- IP + Domain Name (FQDN) Authentication: Choose this option if this router has a static IP address and a registered domain name, such as MyServer.MyDomain.com. Also enter the Domain Name to use for authentication. The domain name can be used only for one tunnel connection.
For the Remote Security Gateway Type, an extra field appears. If you know the IP address of the remote VPN router, choose IP Address, and then enter the address. If you do not know the IP address of the remote VPN router, select IP by DNS Resolved, and then enter the real domain name of the router on the Internet. The Cisco RV082 obtains the IP address of the remote VPN device by DNS resolution, and that IP address is displayed in the VPN Status section of the VPN > Summary page.
- IP + E-mail Addr.(USER FQDN) Authentication: Choose this option if this router has a static IP address and you want to use an email address for authentication. The current WAN IP address appears automatically. Enter any Email Address to use for authentication.
For the Remote Security Gateway Type, an extra field appears. If you know the IP address of the remote VPN router, choose IP Address, and then enter the address. If you do not know the IP address of the remote VPN router, select IP by DNS Resolved, and then enter the real domain name of the router on the Internet. The Cisco RV082 obtains the IP address of the remote VPN device by DNS resolution, and that IP address is displayed in the VPN Status section of the VPN > Summary page.
- Dynamic IP + Domain Name (FQDN) Authentication: Choose this option if this router has a dynamic IP address and a registered Dynamic DNS hostname (available from providers such as DynDNS.com). Enter a Domain Name to use for authentication. The domain name can be used only for one tunnel connection.
- Dynamic IP + E-mail Addr.(USER FQDN) Authentication: Choose this option if this router has a dynamic IP address and does not have a Dynamic DNS hostname. Enter any Email Address to use for authentication.
If both routers have dynamic IP addresses (as with PPPoE connections), do not choose Dynamic IP + Email Addr. for both gateways. For the remote gateway, choose IP Address and IP Address by DNS Resolved.
Local/Remote Security Group Type: Specify the LAN resources that can use this tunnel. The Local Security Group is for this router's LAN resources; the Remote Security Group is for the other router's LAN resources.
- IP Address: Choose this option to specify one device that can use this tunnel. Then enter the IP address of the device.
- Subnet: Choose this option (the default option) to allow all devices on a subnet to use the VPN tunnel. Then enter the subnetwork IP address and mask.
- IP Range: Choose this option to specify a range of devices that can use the VPN tunnel. Then identify the range of IP addresses by entering the first address in the Begin IP field and the final address in the End IP field.
IPSec Setup
Enter the Internet Protocol Security settings for this tunnel.
IMPORTANT: In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. Enter exactly the same settings on both routers.
Keying Mode: Choose one of the following key management methods:
- Manual: Choose this option if you want to generate the key yourself and you do not want to enable key negotiation. Manual key management is used in small static environments or for troubleshooting purposes. Enter the required settings. For information, see Required fields for Manual mode, page 134.
- IKE with Preshared Key: Choose this option to use the Internet Key Exchange protocol to set up a Security Association (SA) for your tunnel. IKE uses a preshared key to authenticate the remote IKE peer. This setting is recommended and is selected by default. Enter the required settings. For more information, see Required fields for IKE with Preshared Key, page 135 and Advanced settings for IKE with Preshared Key, page 136.
Required fields for Manual mode
Enter the settings for manual mode. Be sure to enter the same settings when configuring the other router for this tunnel. The Incoming / Outgoing SPI settings must be mirrored on the other router.
- Incoming / Outgoing SPI: The Security Parameter Index is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the security association under which a packet should be processed. You can enter hexadecimal values from 100~ffffffff. Each tunnel must have a unique Incoming SPI and Outgoing SPI. No two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.
- Encryption: Select a method of encryption: DES or 3DES. This setting determines the length of the key used to encrypt or decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure.
- Authentication: Select a method of authentication: MD5 or SHA1. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure that both ends of the VPN tunnel use the same authentication method.
- Encryption Key: Enter a key to use to encrypt and decrypt IP traffic. If you selected DES encryption, enter 16 hexadecimal values. If you selected 3DES encryption, enter 40 hexadecimal values. If you do not enter enough hexadecimal values, then zeroes will be appended to the key to meet the required length.
- Authentication Key: Enter a key to use to authenticate IP traffic. If you selected MD5 authentication, enter 32 hexadecimal values. If you selected SHA1, enter 40 hexadecimal values. If you do not enter enough hexadecimal values, then zeroes will be appended to the key to meet the required length.
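The Manual-mode fields above have several rules that are easy to get wrong when typed into two routers by hand: the SPI range, SPI uniqueness and mirroring, identical algorithms at both ends, and the silent zero padding of short keys. The following checker is an added example, not code from the Cisco guide; it encodes only the lengths, range and padding rule the guide states, and all function names, dictionary keys and sample values are this example's own. The padding report is worth reading: a key the router pads is only as strong as the characters you actually supplied.

```python
# Added example, not taken from the Cisco RV0xx guide: a pre-flight checker for
# the Manual keying-mode fields described above. The key lengths, the SPI range
# 100~ffffffff and the zero-padding rule come from the guide's text; the
# function names, dictionary keys and sample values are this example's own.

# Hex characters the guide says each key field expects.
ENCRYPTION_KEY_HEX_LEN = {"DES": 16, "3DES": 40}
AUTH_KEY_HEX_LEN = {"MD5": 32, "SHA1": 40}

# An SPI is entered as a hexadecimal value from 100 to ffffffff.
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_hex(text):
    return bool(text) and all(c in HEX_DIGITS for c in text)


def parse_spi(spi_hex):
    """Return the SPI as an int; raise ValueError if it is not a valid entry."""
    if not is_hex(spi_hex):
        raise ValueError("SPI %r is not hexadecimal" % spi_hex)
    value = int(spi_hex, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError("SPI %x is outside 100~ffffffff" % value)
    return value


def pad_key(key, required_len):
    """Reproduce what the router does with a short key: append zeroes until it
    reaches the field length. Returns (padded_key, bits_actually_supplied)."""
    if not is_hex(key):
        raise ValueError("key %r is not hexadecimal" % key)
    if len(key) > required_len:
        raise ValueError("key has %d hex chars, field takes %d" % (len(key), required_len))
    return key.lower().ljust(required_len, "0"), 4 * len(key)


def check_manual_tunnel(local, remote, other_local_tunnels=()):
    """Compare the Manual-mode settings entered on this router (local) with
    those entered on the far router (remote). Both are dicts with the keys
    incoming_spi, outgoing_spi, encryption, authentication, encryption_key
    and authentication_key. other_local_tunnels lists dicts (same keys) for
    tunnels already configured on this router. Returns a list of findings;
    an empty list means the two ends agree."""
    findings = []

    # 1. Every SPI must be a hex value in range.
    for side, cfg in (("local", local), ("remote", remote)):
        for field in ("incoming_spi", "outgoing_spi"):
            try:
                parse_spi(cfg[field])
            except ValueError as err:
                findings.append("%s %s: %s" % (side, field, err))
    if findings:
        return findings

    # 2. Incoming SPI here must equal the Outgoing SPI at the other end, and vice versa.
    if parse_spi(local["incoming_spi"]) != parse_spi(remote["outgoing_spi"]):
        findings.append("local incoming SPI does not match remote outgoing SPI")
    if parse_spi(local["outgoing_spi"]) != parse_spi(remote["incoming_spi"]):
        findings.append("local outgoing SPI does not match remote incoming SPI")

    # 3. No two tunnels on this router may share an SPI.
    used = set()
    for other in other_local_tunnels:
        used.add(parse_spi(other["incoming_spi"]))
        used.add(parse_spi(other["outgoing_spi"]))
    for field in ("incoming_spi", "outgoing_spi"):
        if parse_spi(local[field]) in used:
            findings.append("local %s %s is already used by another tunnel" % (field, local[field]))

    # 4. Both ends must use the same algorithms, and the keys must match after
    #    the router's zero padding; a padded key has fewer secret bits than the
    #    field length suggests, so that is reported too.
    for key_field, table, algo_field in (
        ("encryption_key", ENCRYPTION_KEY_HEX_LEN, "encryption"),
        ("authentication_key", AUTH_KEY_HEX_LEN, "authentication"),
    ):
        algo = local[algo_field]
        if algo != remote[algo_field]:
            findings.append("%s differs: local %s, remote %s" % (algo_field, algo, remote[algo_field]))
            continue
        if algo not in table:
            findings.append("%s: unknown method %r" % (algo_field, algo))
            continue
        required = table[algo]
        try:
            padded_local, bits = pad_key(local[key_field], required)
            padded_remote, _ = pad_key(remote[key_field], required)
        except ValueError as err:
            findings.append("%s: %s" % (key_field, err))
            continue
        if padded_local != padded_remote:
            findings.append("%s differs between the two ends" % key_field)
        if bits < 4 * required:
            findings.append("%s: only %d of %d key bits were supplied; the rest are zero padding"
                            % (key_field, bits, 4 * required))
    return findings


# Constructed sample values for two consistent ends of one tunnel.
SITE_A = {
    "incoming_spi": "1001", "outgoing_spi": "1002",
    "encryption": "3DES", "authentication": "SHA1",
    "encryption_key": "0123456789abcdef0123456789abcdef01234567",
    "authentication_key": "fedcba9876543210fedcba9876543210fedcba98",
}
SITE_B = dict(SITE_A, incoming_spi="1002", outgoing_spi="1001")

if __name__ == "__main__":
    print(check_manual_tunnel(SITE_A, SITE_B) or "manual-mode settings are consistent")
```

Run it with the settings you intend to type into each router; an empty result means the SPIs mirror, the algorithms agree and the keys compare equal after the padding the router would apply.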
Page 135 / 199
VPN
Setting Up a Gateway to Gateway (Site to Site) VPN
Cisco Small Business RV0xx Series Routers Administration Guide
135
9
Required fields for IKE with Preshared Key
Enter the settings for Phase 1 and Phase 2. Phase 1 establishes the preshared keys to create a secure authenticated communication channel. In Phase 2, the IKE peers use the secure channel to negotiate Security Associations on behalf of other services such as IPsec. Be sure to enter the same settings when configuring the other router for this tunnel.
- Phase 1 / Phase 2 DH Group: DH (Diffie-Hellman) is a key exchange protocol. There are three groups of different prime key lengths: Group 1 - 768 bits, Group 2 - 1,024 bits, and Group 5 - 1,536 bits. For faster speed but lower security, choose Group 1. For slower speed but higher security, choose Group 5. Group 1 is selected by default.
- Phase 1 / Phase 2 Encryption: Select a method of encryption for this phase: DES, 3DES, AES-128, AES-192, or AES-256. The method determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is more secure.
- Phase 1 / Phase 2 Authentication: Select a method of authentication for this phase: MD5 or SHA1. The authentication method determines how the ESP (Encapsulating Security Payload Protocol) header packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure that both ends of the VPN tunnel use the same authentication method.
- Phase 1 / Phase 2 SA Life Time: Configure the length of time a VPN tunnel is active in this phase. The default value for Phase 1 is 28800 seconds. The default value for Phase 2 is 3600 seconds.
- Perfect Forward Secrecy: If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication, so hackers using brute force to break encryption keys will not be able to obtain future IPSec keys. Check the box to enable this feature, or uncheck the box to disable this feature. This feature is recommended.
- Preshared Key: Enter a pre-shared key to use to authenticate the remote IKE peer. You can enter up to 30 keyboard characters and hexadecimal values, such as My_@123 or 4d795f40313233. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.
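The Local/Remote Group Setup rules (settings mirrored between the two routers, at least one end with a static IP or DDNS hostname, never Dynamic IP + E-mail at both ends) and the IKE with Preshared Key rules (identical Phase 1 and Phase 2 settings, the same key at both ends) are all "enter the same thing twice" constraints, so they are worth checking from one place before touching either router. The checker below is an added example, not code from the Cisco guide or its firmware; it encodes only the rules and recommendations stated on this page, and the field names, value strings and the two sample sites are this example's own.

```python
# Added example, not taken from the Cisco RV0xx guide: a consistency check for
# an IKE-with-Preshared-Key tunnel as it is entered on both routers. It encodes
# the guide's rules that Local and Remote settings are mirrored between the two
# ends, that both ends must not use Dynamic IP + E-mail, that the Phase 1 and
# Phase 2 settings must be identical on both routers, and the guide's
# recommendations (Group 5, AES-256, SHA1, PFS enabled, PSK of at most 30
# characters). The field names, value strings and sample sites are this
# example's own.

GATEWAY_TYPES = {
    "IP Only",
    "IP + Domain Name (FQDN)",
    "IP + E-mail Addr.(USER FQDN)",
    "Dynamic IP + Domain Name (FQDN)",
    "Dynamic IP + E-mail Addr.(USER FQDN)",
}
# The only type that gives the peer neither a static IP nor a DDNS hostname.
UNREACHABLE_TYPE = "Dynamic IP + E-mail Addr.(USER FQDN)"

PHASE_FIELDS = ("dh_group", "encryption", "authentication", "sa_lifetime")
# Choices the guide describes as the weaker option, paired with what it recommends.
WEAK = {
    "dh_group": ("Group 1", "Group 5"),
    "encryption": ("DES", "AES-256"),
    "authentication": ("MD5", "SHA1"),
}
PSK_MAX_LEN = 30


def check_site_pair(a, b):
    """a and b are the tunnel settings as entered on each router, as dicts with
    keys gateway_type, local_group, remote_group, phase1, phase2, pfs and psk.
    Returns (errors, warnings): errors are settings the guide says must agree
    but do not, warnings are choices weaker than the guide recommends."""
    errors, warnings = [], []

    for name, cfg in (("A", a), ("B", b)):
        if cfg["gateway_type"] not in GATEWAY_TYPES:
            errors.append("%s: unknown gateway type %r" % (name, cfg["gateway_type"]))
        if len(cfg["psk"]) > PSK_MAX_LEN:
            errors.append("%s: preshared key longer than %d characters" % (name, PSK_MAX_LEN))
    if errors:
        return errors, warnings

    # At least one end must have a static IP or a Dynamic DNS hostname.
    if a["gateway_type"] == UNREACHABLE_TYPE and b["gateway_type"] == UNREACHABLE_TYPE:
        errors.append("both ends use Dynamic IP + E-mail; one end needs a static IP "
                      "or a Dynamic DNS hostname")

    # The Local Security Group on one router is the Remote Security Group on the other.
    if a["local_group"] != b["remote_group"]:
        errors.append("A's local group is not mirrored by B's remote group")
    if b["local_group"] != a["remote_group"]:
        errors.append("B's local group is not mirrored by A's remote group")

    # Phase 1 and Phase 2 must be entered identically on both routers.
    for phase in ("phase1", "phase2"):
        for field in PHASE_FIELDS:
            va, vb = a[phase][field], b[phase][field]
            if va != vb:
                errors.append("%s %s differs: A %r, B %r" % (phase, field, va, vb))
            elif field in WEAK and va == WEAK[field][0]:
                warnings.append("%s %s: %s is the weaker choice; the guide recommends %s"
                                % (phase, field, va, WEAK[field][1]))

    if a["pfs"] != b["pfs"]:
        errors.append("Perfect Forward Secrecy is enabled on one end only")
    elif not a["pfs"]:
        warnings.append("Perfect Forward Secrecy is disabled; the guide recommends enabling it")

    if a["psk"] != b["psk"]:
        errors.append("preshared keys differ")
    return errors, warnings


# Constructed sample: a static-IP head office and a branch reached by DDNS name.
LOS_ANGELES = {
    "gateway_type": "IP Only",
    "local_group": {"type": "Subnet", "ip": "192.168.1.0", "mask": "255.255.255.0"},
    "remote_group": {"type": "Subnet", "ip": "192.168.2.0", "mask": "255.255.255.0"},
    "phase1": {"dh_group": "Group 5", "encryption": "AES-256",
               "authentication": "SHA1", "sa_lifetime": 28800},
    "phase2": {"dh_group": "Group 5", "encryption": "AES-256",
               "authentication": "SHA1", "sa_lifetime": 3600},
    "pfs": True,
    "psk": "My_@123",
}
CHICAGO = dict(
    LOS_ANGELES,
    gateway_type="Dynamic IP + Domain Name (FQDN)",
    local_group=LOS_ANGELES["remote_group"],
    remote_group=LOS_ANGELES["local_group"],
)

if __name__ == "__main__":
    print(check_site_pair(LOS_ANGELES, CHICAGO))
```

The sample pair passes with no errors or warnings. Swapping one site's remote group for its own local group, or changing one character of the preshared key, produces an error; leaving Group 1 (the default) selected at both ends produces a warning rather than an error, because the tunnel will still come up, just with the weaker setting the guide warns about.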