Configuring Virtual Private Networks (VPNs) and Security
Configuring Advanced VPN Parameters
Cisco RV120W Administration Guide
NOTE
Ensure that the authentication algorithm is configured identically on both sides.

STEP 3
Choose the authentication method:
- Select Pre-Shared Key for a simple password-based key that is shared with the IKE peer.
- Select RSA-Signature to disable the pre-shared key text field and use the Active Self Certificate uploaded in the Certificates page. A certificate must be configured in order for RSA-Signature to work.

NOTE
The double quote character (") is not supported in the pre-shared key.

STEP 4
Choose the Diffie-Hellman (DH) Group algorithm, which is used when exchanging keys. The DH Group sets the strength of the algorithm in bits.

NOTE
Ensure that the DH Group is configured identically on both sides of the IKE policy.

STEP 5
In the SA Lifetime field, enter the interval, in seconds, after which the Security Association becomes invalid.

STEP 6
To enable dead peer detection, check the Enable box. Dead Peer Detection (DPD) is used to detect whether the peer is alive or not. If the peer is detected as dead, the router deletes the IPsec and IKE Security Associations.

STEP 7
In the Detection Period field, enter the interval, in seconds, between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPsec traffic is idle.

STEP 8
In the Reconnect after Failure Count field, enter the maximum number of DPD failures allowed before tearing down the connection.
Extended Authentication (XAUTH) Parameters
Rather than configuring a unique VPN policy for each user, you can enable the VPN gateway router to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server. When connecting many VPN clients to a VPN gateway router, Extended Authentication (XAUTH) allows authentication of users with methods in addition to the authentication method mentioned in the IKE SA parameters. XAUTH can be configured in the following modes:

STEP 1
Select the XAUTH type:
- None—Disables XAUTH.
- Edge Device—Authentication is done by one of the following:
  - User Database—User accounts created in the router are used to authenticate users. See Configuring VPN Users, page 105.
  - RADIUS-PAP—Authentication is done using a RADIUS server and the Password Authentication Protocol (PAP).
  - RADIUS-CHAP—Authentication is done using a RADIUS server and the Challenge Handshake Authentication Protocol (CHAP).
- IPsec Host—The router is authenticated by a remote gateway with a username and password combination. In this mode, the router acts as a VPN client of the remote gateway.

STEP 2
If you selected IPsec Host, enter the username and password for the host.

Configuring VPN Policies
To configure a VPN policy:

STEP 1
Choose VPN > IPsec > Advanced VPN Setup.

STEP 2
In the VPN Policy Table, click Add.

STEP 3
Enter a unique name to identify the policy.

STEP 4
Choose the Policy Type:
- Auto Policy—Some parameters for the VPN tunnel are generated automatically. This requires using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN endpoints.
- Manual Policy—All settings (including the keys) for the VPN tunnel are manually input for each endpoint. No third-party server or organization is involved.

To create an Auto VPN Policy, you need to first create an IKE policy and then add the corresponding Auto Policy for that IKE Policy. (See Auto Policy Parameters, page 102.)

STEP 5
In the Remote Endpoint field, select the type of identifier that you want to provide for the gateway at the remote endpoint: IP Address or FQDN (Fully Qualified Domain Name).

STEP 6
In the NetBIOS field, check the Enable box to allow NetBIOS broadcasts to travel over the VPN tunnel, or uncheck this box to disable NetBIOS broadcasts over the VPN tunnel. For client policies, the NetBIOS feature is available by default.

Local Traffic Selection and Remote Traffic Selection

STEP 1
For both of these sections, configure the following settings:
- Local/Remote IP—Select the type of identifier that you want to provide for the endpoint:
  - Any—Specifies that the policy is for all traffic from the given endpoint (local or remote). Note that selecting Any for both local and remote endpoints is not valid.
  - Single—Limits the policy to one host. Enter the IP address of the host that will be part of the VPN in the Start IP Address field.
  - Range—Allows computers within an IP address range to connect to the VPN. Enter the Start IP Address and End IP Address in the provided fields.
  - Subnet—Allows an entire subnet to connect to the VPN. Enter the network address in the Start IP Address field, and enter the subnet mask in the Subnet Mask field.

STEP 2
In the Start Address field, enter the first IP address in the range. If you selected Single, enter the single IP address in this field and leave the End IP Address field blank.
STEP 3
In the End Address field, enter the last IP address in the range.

STEP 4
If you chose Subnet as the type, enter the Subnet Mask of the network.

Split DNS
Split DNS allows the Cisco RV120W to find the DNS server of the remote router without going through the ISP (Internet).

To enable split DNS:

STEP 1
Check the Enable box.

STEP 2
In the Domain Name Server 1 field, specify a Domain Name Server IP address, which is used only to resolve the domain configured in the Domain Name 1 field.

STEP 3
In the Domain Name Server 2 field, specify a Domain Name Server IP address, which is used only to resolve the domain configured in the Domain Name 2 field.

STEP 4
In the Domain Name 1 field, specify a domain name, which will be queried only using the DNS server configured in the Domain Name Server 1 field.

STEP 5
In the Domain Name 2 field, specify a domain name, which will be queried only using the DNS server configured in the Domain Name Server 2 field.

NOTE
Make sure that you avoid using overlapping subnets for remote or local traffic selectors. Using such subnets would require adding static routes on the router and on the hosts that use the tunnel.

For example, a combination to avoid would be:
Local Traffic Selector: 192.168.1.0/24
Remote Traffic Selector: 192.168.0.0/16
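The following script, added here as an example and not part of the Cisco guide, checks a planned local/remote traffic selector pair for the two problems this section warns about: overlapping address space and Any on both sides. The selector types (Any, Single, Range, Subnet) and the field layout are the ones described above; the tuple shape `(type, start, end_or_mask)` and the treatment of Any as 0.0.0.0/0 are assumptions made for the script.

```python
import ipaddress
from typing import List, Tuple

# A selector is (type, Start IP Address, End IP Address or Subnet Mask),
# mirroring the fields on the VPN Policy page. The tuple shape is an assumption.
Selector = Tuple[str, str, str]


def selector_networks(sel: Selector) -> List[ipaddress.IPv4Network]:
    """Translate one traffic selector into the IPv4 networks it covers."""
    kind, start, end_or_mask = sel
    kind = kind.lower()
    if kind == "any":                      # assumed equivalent to 0.0.0.0/0
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kind == "single":                   # one host, End IP Address left blank
        return [ipaddress.ip_network(f"{start}/32")]
    if kind == "range":                    # Start..End inclusive, split into CIDRs
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end_or_mask)
        return list(ipaddress.summarize_address_range(first, last))
    if kind == "subnet":                   # network address + dotted subnet mask
        return [ipaddress.ip_network(f"{start}/{end_or_mask}", strict=False)]
    raise ValueError(f"unsupported selector type: {kind}")


def selectors_overlap(local: Selector, remote: Selector) -> bool:
    """True when any address is covered by both selectors."""
    return any(l.overlaps(r)
               for l in selector_networks(local)
               for r in selector_networks(remote))


def check_policy(local: Selector, remote: Selector) -> List[str]:
    """Return the list of problems the guide tells you to avoid (empty = OK)."""
    problems = []
    if local[0].lower() == "any" and remote[0].lower() == "any":
        problems.append("Any on both local and remote endpoints is not valid")
    elif selectors_overlap(local, remote):
        problems.append("local and remote selectors overlap; static routes would be needed")
    return problems


if __name__ == "__main__":
    # The combination the guide says to avoid: 192.168.1.0/24 inside 192.168.0.0/16.
    bad = check_policy(("Subnet", "192.168.1.0", "255.255.255.0"),
                       ("Subnet", "192.168.0.0", "255.255.0.0"))
    print(bad)  # one overlap problem reported
```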
Manual Policy Parameters
If you chose Manual as the policy type in Step 4, configure the manual policy parameters. The Manual Policy creates an SA (Security Association) based on the following static inputs:

- SPI-Incoming, SPI-Outgoing—Enter a hexadecimal value between 3 and 8 characters; for example, 0x1234.
- Encryption Algorithm—Select the algorithm used to encrypt the data.
- Key-In—Enter the encryption key of the inbound policy. The length of the key depends on the algorithm chosen:
  - DES—8 characters
  - 3DES—24 characters
  - AES-128—16 characters
  - AES-192—24 characters
  - AES-256—32 characters
  - AES-CCM—16 characters
  - AES-GCM—20 characters
- Key-Out—Enter the encryption key of the outbound policy. The length of the key depends on the algorithm chosen, as shown above.
- Integrity Algorithm—Select the algorithm used to verify the integrity of the data.
- Key-In—Enter the integrity key (for ESP with Integrity mode) for the inbound policy. The length of the key depends on the algorithm chosen:
  - MD5—16 characters
  - SHA-1—20 characters
  - SHA2-256—32 characters
  - SHA2-384—48 characters
  - SHA2-512—64 characters
- Key-Out—Enter the integrity key (for ESP with Integrity mode) for the outbound policy. The length of the key depends on the algorithm chosen, as shown above.
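Because a manual policy is only as strong as the keys typed into it, the script below (an added example, not part of the Cisco guide) generates random keys of exactly the length the table above requires for the chosen algorithms and validates a filled-in manual policy (SPI format and all four key lengths) before it is entered on both peers. Assumptions: the SPI character count excludes an optional 0x prefix, keys are counted in ASCII characters, and the dictionary keys are the names used in the table.

```python
import re
import secrets
import string
from typing import Dict, List

# Key lengths in characters, exactly as listed under Manual Policy Parameters.
ENCRYPTION_KEY_LEN = {"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24,
                      "AES-256": 32, "AES-CCM": 16, "AES-GCM": 20}
INTEGRITY_KEY_LEN = {"MD5": 16, "SHA-1": 20, "SHA2-256": 32,
                     "SHA2-384": 48, "SHA2-512": 64}

# "Hexadecimal value between 3 and 8 characters"; the 0x prefix is assumed not to count.
SPI_RE = re.compile(r"^(?:0x)?[0-9A-Fa-f]{3,8}$")
KEY_ALPHABET = string.ascii_letters + string.digits   # assumed acceptable key characters


def random_key(length: int) -> str:
    """Cryptographically random key of the exact character length required."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def generate_manual_policy(enc_alg: str, integ_alg: str) -> Dict[str, str]:
    """Build a complete set of static inputs with correctly sized random keys."""
    return {
        "enc_alg": enc_alg, "integ_alg": integ_alg,
        "spi_in": "0x" + secrets.token_hex(4), "spi_out": "0x" + secrets.token_hex(4),
        "enc_key_in": random_key(ENCRYPTION_KEY_LEN[enc_alg]),
        "enc_key_out": random_key(ENCRYPTION_KEY_LEN[enc_alg]),
        "integ_key_in": random_key(INTEGRITY_KEY_LEN[integ_alg]),
        "integ_key_out": random_key(INTEGRITY_KEY_LEN[integ_alg]),
    }


def validate_manual_policy(p: Dict[str, str]) -> List[str]:
    """Return every violation of the guide's stated constraints (empty = OK)."""
    problems = []
    for field in ("spi_in", "spi_out"):
        if not SPI_RE.match(p.get(field, "")):
            problems.append(f"{field}: must be 3-8 hex characters, e.g. 0x1234")
    enc_len = ENCRYPTION_KEY_LEN.get(p.get("enc_alg", ""))
    integ_len = INTEGRITY_KEY_LEN.get(p.get("integ_alg", ""))
    if enc_len is None:
        problems.append("enc_alg: unknown encryption algorithm")
    if integ_len is None:
        problems.append("integ_alg: unknown integrity algorithm")
    for field, want in (("enc_key_in", enc_len), ("enc_key_out", enc_len),
                        ("integ_key_in", integ_len), ("integ_key_out", integ_len)):
        if want is not None and len(p.get(field, "")) != want:
            problems.append(f"{field}: expected {want} characters, got {len(p.get(field, ''))}")
    return problems
```

Both peers must receive the identical generated values, since nothing is negotiated for a manual policy.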