Cisco RV042G Router Manual PDF (Setup & Configuration Guide)

Page 131 / 199 Scroll up to view Page 126 - 130

VPN

Setting Up a Gateway to Gateway (Site to Site) VPN

Cisco Small Business RV0xx Series Routers Administration Guide

131

9

NOTE

Before navigating away from this page, click

Save

to save your settings, or click

Cancel

to undo them. Any unsaved changes are abandoned.

Add a New Tunnel

•

Tunnel No:

The ID number, which is automatically generated

•

Tunnel Name:

Enter a name for this VPN tunnel, such as Los Angeles Office,

Chicago Branch, or New York Division. This description is for your reference.

It does not have to match the name used at the other end of the tunnel.

•

Interface:

Select the WAN port to use for this tunnel.

•

Enable:

Check this box to enable the VPN tunnel, or uncheck it to disable

the tunnel. By default, the tunnel is enabled.

Local Group Setup and Remote Group Setup

Enter the settings described below. The Local settings are for this router, and the

Remote settings are for the router on the other end of the tunnel. Mirror these

settings when configuring the VPN tunnel on the other router.

•

Local/Remote Security Gateway Type:

Specify the method for identifying

the router to establish the VPN tunnel. The Local Security Gateway is on this

router; the Remote Security Gateway is on the other router. At least one of

the routers must have either a static IP address or a dynamic DNS hostname

to make a connection.

Page 132 / 199

VPN

Setting Up a Gateway to Gateway (Site to Site) VPN

Cisco Small Business RV0xx Series Routers Administration Guide

132

9

-

IP Only:

Choose this option if this router has a static WAN IP address.

The WAN IP address appears automatically.

For the

Remote Security Gateway Type

, an extra field appears. If you

know the IP address of the remote VPN router, choose

IP Address

, and

then enter the address. If you do not know the IP address of the remote

VPN router, select

IP by DNS Resolved

, and then enter the real domain

name of the router on the Internet. Cisco RV082 will get the IP address of

remote VPN device by DNS Resolved, and IP address of remote VPN

device will be displayed in the VPN Status section of the

VPN >

Summary

page.

-

IP + Domain Name (FQDN) Authentication:

Choose this option if this

router has a static IP address and a registered domain name, such as

MyServer.MyDomain.com

. Also enter the

Domain Name

to use for

authentication. The domain name can be used only for one tunnel

connection.

For the

Remote Security Gateway Type

, an extra field appears. If you

know the IP address of the remote VPN router, choose

IP Address

, and

then enter the address. If you do not know the IP address of the remote

VPN router, select

IP by DNS Resolved

, and then enter the real domain

name of the router on the Internet. Cisco RV082 will get the IP address of

remote VPN device by DNS Resolved, and the IP address of remote VPN

device will be displayed in the VPN Status section of the

VPN >

Summary

page.

-

IP + E-mail Addr.(USER FQDN) Authentication:

Choose this option if

this router has a static IP address and you want to use an email address

for authentication. The current WAN IP address appears automatically.

Enter any

Email Address

to use for authentication.

For the

Remote Security Gateway Type

, an extra field appears. If you

know the IP address of the remote VPN router, choose

IP Address

, and

then enter the address. If you do not know the IP address of the remote

VPN router, select

IP by DNS Resolved

, and then enter the real domain

name of the router on the Internet. Cisco RV082 will get the IP address of

remote VPN device by DNS Resolved, and IP address of remote VPN

device will be displayed in the VPN Status section of the

VPN >

Summary

page.

-

Dynamic IP + Domain Name (FQDN) Authentication:

Choose this

option if this router has a dynamic IP address and a registered Dynamic

DNS hostname (available from providers such as DynDNS.com). Enter a

Domain Name

to use for authentication. The domain name can be used

only for one tunnel connection.

Page 133 / 199

VPN

Setting Up a Gateway to Gateway (Site to Site) VPN

Cisco Small Business RV0xx Series Routers Administration Guide

133

9

-

Dynamic IP +

E-mail Addr.(USER FQDN) Authentication:

Choose this

option if this router has a dynamic IP address and does not have a

Dynamic DNS hostname. Enter any

Email Address

to use for

authentication.

If both routers have dynamic IP addresses (as with PPPoE connections),

do not choose Dynamic IP + Email Addr. for both gateways. For the

remote gateway, choose

IP Address

and

IP Address by DNS Resolved

.

•

Local/Remote Security Group Type:

Specify the LAN resources that can

use this tunnel. The Local Security Group is for this router’s LAN resources;

the Remote Security Group is for the other router’s LAN resources.

-

IP Address:

Choose this option to specify one device that can use this

tunnel. Then enter the IP address of the device.

-

Subnet:

Choose this option (the default option) to allow all devices on a

subnet to use the VPN tunnel. Then enter the subnetwork IP address and

mask.

-

IP Range:

Choose this option to specify a range of devices that can use

the VPN tunnel. Then identify the range of IP addresses by entering the

first address in the

Begin IP

field and the final address in the

End IP

field.

IPSec Setup

Enter the Internet Protocol Security settings for this tunnel.

IMPORTANT:

In order for any encryption to occur, the two ends of a VPN tunnel

must agree on the methods of encryption, decryption, and authentication. Enter

exactly the same settings on both routers.

•

Keying Mode:

Choose one of the following key management methods:

-

Manual:

Choose this option if you want to generate the key yourself and

you do not want to enable key negotiation. Manual key management is

used in small static environments or for troubleshooting purposes. Enter

the required settings. For information, see

Required fields for Manual

mode, page 134

.

-

IKE with Preshared Key:

Choose this option to use the Internet Key

Exchange protocol to set up a Security Association (SA) for your tunnel.

IKE uses a preshared key to authenticate the remote IKE peer. This

setting is recommended and is selected by default. Enter the required

settings. For more information, see

Required fields for IKE with

Page 134 / 199

VPN

Setting Up a Gateway to Gateway (Site to Site) VPN

Cisco Small Business RV0xx Series Routers Administration Guide

134

9

Preshared Key, page 135

and

Advanced settings for IKE with

Preshared Key, page 136

.

•

Required fields for Manual mode

Enter the settings for manual mode. Be sure to enter the same settings when

configuring other router for this tunnel. The Incoming / Outgoing SPI settings

must be mirrored on the other router.

-

Incoming

/

Outgoing SPI:

The Security Parameter Index is carried in the

ESP (Encapsulating Security Payload Protocol) header and enables the

receiver and sender to select the security association, under which a

packet should be processed. You can enter hexadecimal values from

100~ffffffff. Each tunnel must have a unique Incoming SPI and Outgoing

SPI. No two tunnels share the same SPI. The Incoming SPI here must

match the Outgoing SPI value at the other end of the tunnel, and vice

versa.

-

Encryption:

Select a method of encryption: DES or 3DES. This setting

determines the length of the key used to encrypt or decrypt ESP

packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES

is recommended because it is more secure.

-

Authentication:

Select a method of authentication: MD5 or SHA1. The

authentication method determines how the ESP packets are validated.

MD5 is a one-way hashing algorithm that produces a 128-bit digest.

SHA1 is a one-way hashing algorithm that produces a 160-bit digest.

SHA1 is recommended because it is more secure. Make sure that both

ends of the VPN tunnel use the same authentication method.

-

Encryption Key:

Enter a key to use to encrypt and decrypt IP traffic. If

you selected DES encryption, enter 16 hexadecimal values. If you

selected 3DES encryption enter 40 hexadecimal values. If you do not

enter enough hexadecimal values, then zeroes will be appended to the

key to meet the required length.

-

Authentication Key:

Enter a key to use to authenticate IP traffic. If you

selected MD5 authentication, enter 32 hexadecimal values. If you

selected SHA1, enter 40 hexadecimal values. If you do not enter enough

hexadecimal values, then zeroes will be appended to the key to meet

the required length.

Page 135 / 199

VPN

Setting Up a Gateway to Gateway (Site to Site) VPN

Cisco Small Business RV0xx Series Routers Administration Guide

135

9

•

Required fields for IKE with Preshared Key

Enter the settings for Phase 1 and Phase 2. Phase 1 establishes the

preshared keys to create a secure authenticated communication channel. In

Phase 2, the IKE peers use the secure channel to negotiate Security

Associations on behalf of other services such as IPsec. Be sure to enter the

same settings when configuring other router for this tunnel.

-

Phase 1 / Phase 2 DH Group:

DH (Diffie-Hellman) is a key exchange

protocol. There are three groups of different prime key lengths: Group 1

- 768 bits, Group 2 - 1,024 bits, and Group 5 - 1,536 bits. For faster speed

but lower security, choose

Group 1

. For slower speed but higher

security, choose

Group 5

. Group 1 is selected by default.

-

Phase 1 / Phase 2 Encryption:

Select a method of encryption for this

phase: DES, 3DES, AES-128, AES-192, or AES-256. The method

determines the length of the key used to encrypt or decrypt ESP

packets. AES-256 is recommended because it is more secure.

-

Phase 1 / Phase 2 Authentication:

Select a method of authentication

for this phase: MD5 or SHA1. The authentication method determines how

the ESP (Encapsulating Security Payload Protocol) header packets are

validated. MD5 is a one-way hashing algorithm that produces a 128-bit

digest. SHA1 is a one-way hashing algorithm that produces a 160-bit

digest. SHA1 is recommended because it is more secure. Make sure that

both ends of the VPN tunnel use the same authentication method.

-

Phase 1 / Phase 2 SA Life Time:

Configure the length of time a VPN

tunnel is active in this phase. The default value for Phase 1 is 28800

seconds. The default value for Phase 2 is 3600 seconds.

-

Perfect Forward Secrecy:

If the Perfect Forward Secrecy (PFS) feature

is enabled, IKE Phase 2 negotiation will generate new key material for IP

traffic encryption and authentication, so hackers using brute force to

break encryption keys will not be able to obtain future IPSec keys.

Check the box to enable this feature, or uncheck the box to disable this

feature. This feature is recommended.

-

Preshared Key:

Enter a pre-shared key to use to authenticate the

remote IKE peer. You can enter up to 30 keyboard characters and

hexadecimal values, such as My_@123 or 4d795f40313233. Both ends

of the VPN tunnel must use the same Preshared Key. It is strongly

recommended that you change the Preshared Key periodically to

maximize VPN security.

Rate

Popular Cisco Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share