VPN
Setting Up a Gateway to Gateway (Site to Site) VPN
Cisco Small Business RV0xx Series Routers Administration Guide
- Minimum Preshared Key Complexity: Check the Enable box if you want to enable the Preshared Key Strength Meter.
- Preshared Key Strength Meter: If you enable Minimum Preshared Key Complexity, this meter indicates the preshared key strength. As you enter a preshared key, colored bars appear. The scale goes from red (weak) to yellow (acceptable) to green (strong).
TIP: Enter a complex preshared key that includes more than eight characters, upper- and lowercase letters, numbers, and symbols such as -*^+=.
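As an added illustration (not the guide's or the RV0xx firmware's own code), the following Python checks a candidate preshared key against the rule of thumb in the TIP above and maps it to the red/yellow/green scale the meter uses; the scoring thresholds are an assumption for illustration, not the router's actual algorithm.

```python
import string

# string.punctuation covers the symbols the guide names (-*^+=) plus the rest of ASCII punctuation.
SYMBOLS = set(string.punctuation)


def psk_character_classes(psk: str) -> dict:
    """Report which of the guide's recommended character classes the key contains."""
    return {
        "long_enough": len(psk) > 8,            # guide: more than eight characters
        "upper": any(c.isupper() for c in psk),
        "lower": any(c.islower() for c in psk),
        "digit": any(c.isdigit() for c in psk),
        "symbol": any(c in SYMBOLS for c in psk),
    }


def psk_strength(psk: str) -> str:
    """Map a preshared key to the meter colours described in the guide.

    Assumed scoring (illustration only, not the RV0xx rule):
      green  = longer than eight characters and all four character classes present
      yellow = longer than eight characters and at least three classes present
      red    = anything else, including any key of eight characters or fewer
    """
    classes = psk_character_classes(psk)
    if not classes["long_enough"]:
        return "red"
    score = sum(classes[k] for k in ("upper", "lower", "digit", "symbol"))
    if score == 4:
        return "green"
    if score >= 3:
        return "yellow"
    return "red"


if __name__ == "__main__":
    # Constructed sample keys; none are real credentials.
    for key in ("cisco123", "Branch0ffice2024", "Br@nch-0ffice^2024"):
        print(f"{key!r}: {psk_strength(key)}")
```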
Advanced settings for IKE with Preshared Key

When the Keying Mode is set to IKE with Preshared Key mode, advanced settings are available. For most users, the basic settings should suffice; advanced users can click Advanced + to view the advanced settings. To hide these settings, click Advanced -.
Important: If you change the Advanced settings on one router, be sure to enter the same settings on the other router.
- Aggressive Mode: Two modes of IKE SA negotiation are possible: Main Mode and Aggressive Mode. If network security is preferred, Main Mode is recommended. If network speed is preferred, Aggressive Mode is recommended. You can adjust this setting if the Remote Security Gateway Type is IP Only or one of the IP + types. Check this box to enable Aggressive Mode, or uncheck the box to disable Aggressive Mode and use Main Mode.
NOTE: If the Remote Security Gateway Type is one of the Dynamic IP types, Aggressive Mode is required. The box is checked automatically, and this setting cannot be changed.
- Compress (Support IP Payload Compression Protocol (IP Comp)): IP Comp is a protocol that reduces the size of IP datagrams. Check the box to enable the router to propose compression when it initiates a connection. If the responder rejects this proposal, then the router will not implement compression. When the router works as a responder, it will always accept compression, even if compression is not enabled. If you enable this feature for this router, also enable it on the router at the other end of the tunnel.
- Keep-Alive: This feature enables the router to attempt to automatically re-establish the VPN connection if it is dropped. Check the box to enable this feature, or uncheck the box to disable it.
- AH Hash Algorithm: The AH (Authentication Header) protocol describes the packet format and default standards for packet structure. With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet. Check the box to use this feature. Then select an authentication method: MD5 or SHA1. MD5 produces a 128-bit digest to authenticate packet data. SHA1 produces a 160-bit digest to authenticate packet data. Both sides of the tunnel should use the same algorithm.
- NetBIOS Broadcast: NetBIOS broadcast messages are used for name resolution in Windows networking, to identify resources such as computers, printers, and file servers. These messages are used by some software applications and Windows features such as Network Neighborhood. LAN broadcast traffic is typically not forwarded over a VPN tunnel. However, you can check this box to allow NetBIOS broadcasts from one end of the tunnel to be rebroadcast to the other end.
- NAT Traversal: Network Address Translation (NAT) enables users with private LAN addresses to access Internet resources by using a publicly routable IP address as the source address. However, for inbound traffic, the NAT gateway has no automatic method of translating the public IP address to a particular destination on the private LAN. This issue prevents successful IPsec exchanges. If your VPN router is behind a NAT gateway, check this box to enable NAT traversal. Uncheck the box to disable this feature. The same setting must be used on both ends of the tunnel.
- Dead Peer Detection (DPD): Check the box to enable the router to send periodic HELLO/ACK messages to check the status of the VPN tunnel. This feature can be used only when it is enabled on both ends of the VPN tunnel. Specify the interval between HELLO/ACK messages (how often you want the messages to be sent).
  Tunnel Backup: When DPD determines that the remote peer is unavailable, this feature enables the router to re-establish the VPN tunnel by using either an alternative IP address for the remote peer or an alternative local WAN interface. Check the box to enable this feature. Then enter the settings described below. This feature is available only if Dead Peer Detection is enabled.
  Remote Backup IP Address: Specify an alternative IP address for the remote peer, or re-enter the WAN IP address that was already set for the remote gateway.
  Local Interface: Choose the WAN interface to use to reestablish the connection.
  VPN Tunnel Backup Idle Time: This setting is used when the router boots up. If the primary tunnel is not connected within the specified period, then the backup tunnel is used. The default idle time is 30 seconds.
- Split DNS: Split DNS enables the router to send some DNS requests to one DNS server and other DNS requests to another DNS server, based on specified domain names. When the router receives an address resolution request from a client, it inspects the domain name. If it matches one of the domain names in the Split DNS settings, then it passes the request to the specified DNS server. Otherwise, the request is passed to the DNS server that is specified in the WAN interface settings. Check the box to enable this feature, or uncheck the box to disable it.
  DNS1: Specify the IP address of the DNS server to use for the specified domains. Optionally, specify a secondary DNS server in the DNS2 field.
  Domain Name 1 - Domain Name 4: Specify the domain names for these DNS servers. Requests for these domains will be passed to the specified DNS server(s).
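The Split DNS decision described above, as an added example in Python that is not part of the guide or the router firmware: given the Split DNS settings (DNS1, optional DNS2, up to four domain names) and the WAN DNS servers, it returns the forwarder list a query would be sent to. It assumes the router treats a listed domain as matching itself and any subdomain on a label boundary; the addresses and domain names are constructed sample values (192.168.1.30 is the internal DNS server address shown in the guide's topology figure).

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SplitDnsConfig:
    enabled: bool                                      # the Split DNS check box
    dns1: str                                          # DNS1: server for the listed domains
    dns2: Optional[str] = None                         # DNS2: optional secondary server
    domains: List[str] = field(default_factory=list)   # Domain Name 1 - Domain Name 4
    wan_dns: List[str] = field(default_factory=list)   # servers from the WAN interface settings


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def matches_domain(qname: str, domain: str) -> bool:
    """True when qname equals domain or is a subdomain of it.

    Matching on whole labels (assumed behaviour) means 'notcorp.example'
    does not match the listed domain 'corp.example'.
    """
    q, d = _labels(qname), _labels(domain)
    return len(d) > 0 and len(q) >= len(d) and q[-len(d):] == d


def select_dns_servers(cfg: SplitDnsConfig, qname: str) -> List[str]:
    """Return the DNS servers the router would forward this query to."""
    # Only the first four domain names are honoured, matching the four fields in the UI.
    if cfg.enabled and any(matches_domain(qname, d) for d in cfg.domains[:4]):
        return [server for server in (cfg.dns1, cfg.dns2) if server]
    return list(cfg.wan_dns)


# Constructed sample configuration: internal names go to 192.168.1.30, everything else to the WAN DNS.
SAMPLE_CONFIG = SplitDnsConfig(
    enabled=True,
    dns1="192.168.1.30",
    domains=["corp.example"],
    wan_dns=["203.0.113.53"],
)

if __name__ == "__main__":
    for name in ("fileserver.corp.example", "www.example.com", "notcorp.example"):
        print(f"{name} -> {select_dns_servers(SAMPLE_CONFIG, name)}")
```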
Setting Up a Remote Access Tunnel for VPN Clients (Client To Gateway)
Use the VPN > Client To Gateway page to create a new VPN tunnel to allow teleworkers and business travelers to access your network by using third-party VPN client software, such as TheGreenBow.
NOTE: For information about third-party clients, see application notes by visiting www.cisco.com/go/smallbizrouters (see the Technical Documentation section).
To open this page: Click VPN > Client to Gateway in the navigation tree. Alternatively, you can click the Add Tunnel button on the VPN > Summary page, in the Tunnel Status section. Then choose Client to Gateway.
[Figure: Client-to-gateway VPN topology. Personal computers using VPN software clients connect across the Internet to the Outside interface (209.165.200.226) of the RV0xx router; the router's Inside interface (192.168.1.1) serves the internal network, which includes a DNS/WINS server at 192.168.1.30.]
Add a New Tunnel

You can configure a VPN tunnel for one remote user or configure a group VPN for multiple remote users. You have two options:
Tunnel: Choose this option to create a tunnel for a single remote user. The tunnel number is automatically generated and appears in the Tunnel No field.
Group VPN: Choose this option to create a tunnel for a group of users. Group VPN facilitates setup and eliminates the need to configure individual users. All of the remote users can use the same Preshared Key to connect to RV0xx, up to the maximum number of supported tunnels. The router supports up to two VPN groups. The group number is automatically generated and appears in the Group No field.
Enter the following information:

Tunnel Name: Enter a name to describe the tunnel. For a single user, you could enter the user's name or location. For a group VPN, you could identify the group's business role or location. This description is for your reference and does not have to match the name used at the other end of the tunnel.
Interface: Select the appropriate WAN port.

Enable: Check this box to enable a group VPN.
Local Group Setup

Enter the following information about this router.

Local Security Gateway Type: Specify the method for identifying this router to establish the VPN tunnel.
- IP Only: Choose this option if this router has a static WAN IP address. The WAN IP address appears automatically.
- IP + Domain Name (FQDN) Authentication: Choose this option if this router has a static IP address and a registered domain name. Also enter any Domain Name to use for authentication. The domain name can be used only for one tunnel connection.
- IP + E-mail Addr.(USER FQDN) Authentication: Choose this option if this router has a static IP address and you want to use an email address for authentication. The current WAN IP address appears automatically. Enter any Email Address to use for authentication.
- Dynamic IP + Domain Name (FQDN) Authentication: Choose this option if this router has a dynamic IP address and a registered Dynamic