VPN
Setting Up a Remote Access Tunnel for VPN Clients (Client To Gateway)
Cisco Small Business RV0xx Series Routers Administration Guide
DNS hostname (available from providers such as DynDNS.com). Enter a Domain Name to use for authentication. The domain name can be used only for one tunnel connection.
- Dynamic IP + E-mail Addr.(USER FQDN) Authentication: Choose this option if this router has a dynamic IP address and does not have a Dynamic DNS hostname. Enter any Email Address to use for authentication.
Local Security Group Type: Specify the LAN resources that can access this tunnel.
- IP Address: Choose this option to allow only one LAN device to access the VPN tunnel. Then enter the IP address of the computer. Only this device can use this VPN tunnel.
- Subnet: Choose this option (the default option) to allow all devices on a subnet to access the VPN tunnel. Then enter the subnetwork IP address and mask.
- IP Range: Choose this option to allow a range of devices to access the VPN tunnel. Then identify the range of IP addresses by entering the first address in the Begin IP field and the final address in the End IP field.
Domain Name: If you chose to use domain name authentication, enter the domain name.
Email: If you chose to use email authentication, enter the email address.
Remote Client Setup for Single User (“Tunnel” Type)
Specify the method for identifying the client to establish the VPN tunnel. The following options are available for a Single User, or “Tunnel” type, VPN.
IP Only: Choose this option if the remote VPN client has a static WAN IP address. If you know the IP address of the client, choose IP Address, and then enter the address. If you do not know the IP address of the client, select IP by DNS Resolved, and then enter the real domain name of the client on the Internet. The router resolves that name through DNS to obtain the IP address of the remote VPN client, which is then displayed in the VPN Status section of the Summary page.
IP + Domain Name (FQDN) Authentication: Choose this option if this client has a static IP address and a registered domain name. Also enter a Domain Name to use for authentication. The domain name can be used only for one tunnel connection.
If you know the IP address of the remote VPN client, choose IP Address, and then enter the address. If you do not know the IP address of the remote VPN client, select IP by DNS Resolved, and then enter the real domain name of the client on the Internet. The router resolves that name through DNS to obtain the IP address of the remote VPN client, which is then displayed in the VPN Status section of the Summary page.
IP + Email Address (USER FQDN) Authentication: Choose this option if this client has a static IP address and you want to use any email address for authentication. The current WAN IP address appears automatically. Enter any Email Address to use for authentication.
If you know the IP address of the remote VPN client, choose IP Address, and then enter the address. If you do not know the IP address of the remote VPN client, select IP by DNS Resolved, and then enter the real domain name of the client on the Internet. The Cisco RV082 resolves that name through DNS to obtain the IP address of the remote VPN client, which is then displayed in the VPN Status section of the Summary page.
Dynamic IP + Domain Name (FQDN) Authentication: Choose this option if this client has a dynamic IP address and a registered Dynamic DNS hostname (available from providers such as DynDNS.com). Enter the Domain Name to use for authentication. The domain name can be used only for one tunnel connection.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: Choose this option if this client has a dynamic IP address and does not have a Dynamic DNS hostname. Enter any Email Address to use for authentication.
Remote Client Setup for a Group (“Group VPN” Type)
Specify the method for identifying the clients to establish the VPN tunnel. The following options are available for a Group VPN.
Domain Name (FQDN) Authentication: Choose this option to identify the client by a registered domain name. Also enter a Domain Name to use for authentication. The domain name can be used only for one tunnel connection.
Email Address (USER FQDN) Authentication: Choose this option to identify the client by an email address for authentication. Enter the address in the fields provided.
Microsoft XP/2000 VPN Client: Choose this option if the client software is the built-in Microsoft XP/2000 VPN Client.
IPSec Setup
Enter the Internet Protocol Security settings for this tunnel.
IMPORTANT: In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication.
Keying Mode: Choose one of the following key management methods:
- Manual: Choose this option if you want to generate the key yourself and you do not want to enable key negotiation. Manual key management is used in small static environments or for troubleshooting purposes. Enter the required settings. For information, see Required fields for Manual mode, page 143.
- IKE with Preshared Key: Choose this option to use the Internet Key Exchange protocol to set up a Security Association (SA) for your tunnel. IKE uses a preshared key to authenticate the remote IKE peer. This setting is recommended and is selected by default. Enter the required settings. For more information, see Required fields for IKE with Preshared Key, page 144 and Advanced settings for IKE with Preshared Key, page 145.
Required fields for Manual mode
Enter the settings for manual mode.
- Incoming / Outgoing SPI: The Security Parameter Index is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the security association under which a packet should be processed. You can enter hexadecimal values from 100~ffffffff. Each tunnel must have a unique Incoming SPI and Outgoing SPI. No two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.
- Encryption: Select a method of encryption: DES or 3DES. This setting determines the length of the key used to encrypt or decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure.
- Authentication: Select a method of authentication: MD5 or SHA1. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure that both ends of the VPN tunnel use the same authentication method.
- Encryption Key: Enter a key to use to encrypt and decrypt IP traffic. If you selected DES encryption, enter 16 hexadecimal values. If you selected 3DES encryption, enter 40 hexadecimal values. If you do not enter enough hexadecimal values, then zeroes will be appended to the key to meet the required length.
- Authentication Key: Enter a key to use to authenticate IP traffic. If you selected MD5 authentication, enter 32 hexadecimal values. If you selected SHA1, enter 40 hexadecimal values. If you do not enter enough hexadecimal values, then zeroes will be appended to the key to meet the required length.
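As an added example that is not part of the Cisco guide, the following Python validator applies the Manual-mode rules above to constructed tunnel settings: SPIs must be hexadecimal values in 100~ffffffff and unique across tunnels, and keys must reach the length the guide states for each algorithm, with short keys flagged because the router silently zero-pads them; the dictionary field names are assumptions.

```python
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF          # the guide's 100~ffffffff range
KEY_HEX = {"DES": 16, "3DES": 40, "MD5": 32, "SHA1": 40}  # hex digits per algorithm

def check_spi(value):
    """Return None for a hexadecimal SPI within range, else an error string."""
    if not HEX.match(value):
        return f"SPI {value!r} is not hexadecimal"
    if not SPI_MIN <= int(value, 16) <= SPI_MAX:
        return f"SPI {value!r} is outside 100~ffffffff"

def check_key(kind, algorithm, key):
    """Flag a short key: the router appends zeroes, so the effective key is weaker."""
    need = KEY_HEX[algorithm]
    if not HEX.match(key):
        return f"{kind} key is not hexadecimal"
    if len(key) < need:
        return (f"{kind} key has {len(key)} hex digits; the router will pad it "
                f"with {need - len(key)} zeroes, weakening {algorithm}")

def validate_tunnels(tunnels):
    """Check every tunnel's SPIs and keys; no two tunnels may share an SPI."""
    problems, seen = [], {}
    for t in tunnels:
        for field in ("in_spi", "out_spi"):
            err = check_spi(t[field])
            if err:
                problems.append(f"{t['name']}: {err}")
                continue
            spi = int(t[field], 16)   # compare numerically so 0100 and 100 collide
            if spi in seen:
                problems.append(f"{t['name']}: SPI {t[field]} already used by {seen[spi]}")
            seen[spi] = t["name"]
        for kind, alg, key in (("encryption", t["enc"], t["enc_key"]),
                               ("authentication", t["auth"], t["auth_key"])):
            err = check_key(kind, alg, key)
            if err:
                problems.append(f"{t['name']}: {err}")
    return problems

# Constructed sample tunnels; the keys are placeholders, not real key material.
SAMPLE = [
    {"name": "t1", "in_spi": "1001", "out_spi": "1002", "enc": "3DES",
     "enc_key": "ab" * 20, "auth": "SHA1", "auth_key": "cd" * 20},
    {"name": "t2", "in_spi": "1002", "out_spi": "ff", "enc": "DES",
     "enc_key": "ab" * 8, "auth": "MD5", "auth_key": "0123"},
]
```

Running `validate_tunnels(SAMPLE)` reports the duplicated SPI 1002, the out-of-range SPI ff, and the four-digit MD5 key that the router would pad with 28 zeroes.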
Required fields for IKE with Preshared Key
Enter the settings for Phase 1 and Phase 2. Phase 1 establishes the preshared keys to create a secure authenticated communication channel. In Phase 2, the IKE peers use the secure channel to negotiate Security Associations on behalf of other services such as IPsec.
- Phase 1 / Phase 2 DH Group: DH (Diffie-Hellman) is a key exchange protocol. There are three groups of different prime key lengths: Group 1 - 768 bits, Group 2 - 1,024 bits, and Group 5 - 1,536 bits. For faster speed but lower security, choose Group 1. For slower speed but higher security, choose Group 5. Group 1 is selected by default.
- Phase 1 / Phase 2 Encryption: Select a method of encryption for this phase: DES, 3DES, AES-128, AES-192, or AES-256. The method determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is more secure.
- Phase 1 / Phase 2 Authentication: Select a method of authentication for this phase: MD5 or SHA1. The authentication method determines how the ESP (Encapsulating Security Payload Protocol) header packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure that both ends of the VPN tunnel use the same authentication method.
- Phase 1 / Phase 2 SA Life Time: Configure the length of time a VPN tunnel is active in this phase. The default value for Phase 1 is 28800 seconds. The default value for Phase 2 is 3600 seconds.
- Perfect Forward Secrecy: If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication, so hackers using brute force to break encryption keys will not be able to obtain future IPSec keys. Check the box to enable this feature, or uncheck the box to disable this feature. This feature is recommended.
- Preshared Key: Enter a pre-shared key to use to authenticate the remote IKE peer. You can enter up to 30 keyboard characters and hexadecimal values, such as My_@123 or 4d795f40313233. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.
- Minimum Preshared Key Complexity: Check the Enable box if you want to enable the Preshared Key Strength Meter.
- Preshared Key Strength Meter: If you enable Minimum Preshared Key Complexity, this meter indicates the preshared key strength. As you enter a preshared key, colored bars appear. The scale goes from red (weak) to yellow (acceptable) to green (strong).
TIP: Enter a complex preshared key that includes more than eight characters, upper- and lowercase letters, numbers, and symbols such as -*^+=.
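As an added example that is not part of the Cisco guide, the following Python checker takes the IKE with Preshared Key settings entered at both ends of a tunnel and reports where they disagree (DH group, encryption and authentication per phase, PFS, and the preshared key itself) as well as the choices the guide warns against (DH Group 1, DES, PFS off, a weak preshared key). The dictionary layout, the character classes used to approximate the strength meter, and its yellow threshold are assumptions.

```python
import re

DH_BITS = {1: 768, 2: 1024, 5: 1536}   # prime length per DH group, from the guide

def psk_strength(key):
    """Approximate the guide's meter: green needs more than eight characters and all
    four classes (lower, upper, digit, symbol); the yellow threshold is an assumption."""
    classes = sum(bool(re.search(p, key))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if len(key) > 8 and classes == 4:
        return "green"
    if len(key) > 8 and classes >= 2:
        return "yellow"
    return "red"

def check_end(name, end):
    """Weak choices visible from one end's own settings."""
    issues = []
    for phase in ("phase1", "phase2"):
        p = end[phase]
        if p["dh_group"] == 1:
            issues.append(f"{name} {phase}: DH Group 1 ({DH_BITS[1]} bits) trades security for speed")
        if p["encryption"] == "DES":
            issues.append(f"{name} {phase}: DES selected; the guide recommends AES-256")
    if len(end["preshared_key"]) > 30 or psk_strength(end["preshared_key"]) == "red":
        issues.append(f"{name}: preshared key is over 30 characters or weak (red)")
    if not end["pfs"]:
        issues.append(f"{name}: Perfect Forward Secrecy disabled")
    return issues

def compare_ends(local, remote):
    """Both ends must use the same DH group, encryption, authentication, PFS and PSK."""
    issues = check_end("local", local) + check_end("remote", remote)
    for phase in ("phase1", "phase2"):
        for f in ("dh_group", "encryption", "authentication"):
            if local[phase][f] != remote[phase][f]:
                issues.append(f"{phase} {f} differs: {local[phase][f]} vs {remote[phase][f]}")
    for f in ("pfs", "preshared_key"):
        if local[f] != remote[f]:
            issues.append(f"{f} differs between the two ends")
    return issues

# Constructed sample: the remote end kept DH Group 1 and DES and left PFS off.
LOCAL = {"pfs": True, "preshared_key": "My_@123Longer",
         "phase1": {"dh_group": 5, "encryption": "AES-256", "authentication": "SHA1"},
         "phase2": {"dh_group": 5, "encryption": "AES-256", "authentication": "SHA1"}}
REMOTE = {"pfs": False, "preshared_key": "My_@123Longer",
          "phase1": {"dh_group": 1, "encryption": "AES-256", "authentication": "SHA1"},
          "phase2": {"dh_group": 5, "encryption": "DES", "authentication": "MD5"}}
```

`compare_ends(LOCAL, REMOTE)` lists seven findings for the sample: three weak choices on the remote end and four settings on which the ends do not agree, so the tunnel would not come up as configured.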
Advanced settings for IKE with Preshared Key
When the Keying Mode is set to IKE with Preshared Key mode, advanced settings are available. For most users, the basic settings should suffice; advanced users can click Advanced + to view the advanced settings. To hide these settings, click Advanced -.
- Aggressive Mode (available for Tunnel, not Group VPN): Two modes of IKE SA negotiation are possible: Main Mode and Aggressive Mode. If network security is preferred, Main Mode is recommended. If network speed is preferred, Aggressive Mode is recommended. You can adjust this setting if the Remote Security Gateway Type is IP Only or one of the IP + types. Check this box to enable Aggressive Mode, or uncheck the box to disable Aggressive Mode and use Main Mode.
NOTE: If the Remote Security Gateway Type is one of the Dynamic IP types, Aggressive Mode is required. The box is checked automatically, and this setting cannot be changed.
- Compress (Support IP Payload Compression Protocol (IP Comp)): IP Comp is a protocol that reduces the size of IP datagrams. Check the box to enable the router to propose compression when it initiates a connection. If the responders reject this proposal, then the router will not implement compression. When the device works as a responder, it will