Configuring Virtual Private Networks (VPNs) and Security
Configuring Advanced VPN Parameters
Cisco RV120W Administration Guide
102
5
Manual Policy Example:
Creating a VPN tunnel between two routers:

Router 1: WAN1=10.0.0.1 LAN=192.168.1.1 Subnet=255.255.255.0
  Policy Name: manualVPN
  Policy Type: Manual Policy
  Local Gateway: WAN1
  Remote Endpoint: 10.0.0.2
  Local IP: Subnet 192.168.1.0 255.255.255.0
  Remote IP: Subnet 192.168.2.0 255.255.255.0
  SPI-Incoming: 0x1111
  Encryption Algorithm: DES
    Key-In: 11112222
    Key-Out: 33334444
  SPI-Outgoing: 0x2222
  Integrity Algorithm: MD5
    Key-In: 1122334444332211
    Key-Out: 5566778888776655

Router 2: WAN1=10.0.0.2 LAN=192.168.2.1 Subnet=255.255.255.0
  Policy Name: manualVPN
  Policy Type: Manual Policy
  Local Gateway: WAN1
  Remote Endpoint: 10.0.0.1
  Local IP: Subnet 192.168.2.0 255.255.255.0
  Remote IP: Subnet 192.168.1.0 255.255.255.0
  SPI-Incoming: 0x2222
  Encryption Algorithm: DES
    Key-In: 33334444
    Key-Out: 11112222
  SPI-Outgoing: 0x1111
  Integrity Algorithm: MD5
    Key-In: 5566778888776655
    Key-Out: 1122334444332211
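A manual policy only comes up if the two routers mirror each other exactly, and the failure mode is a silent tunnel that never passes traffic. As an added example (not from the Cisco guide), this Python checker verifies the mirroring the example above depends on: each side's remote endpoint and remote subnet are the peer's WAN and LAN, the inbound SPI and keys equal the peer's outbound ones, the algorithms agree, and each key has the length its algorithm requires. The dataclass field names and the "/24" subnet notation are this example's own shorthand, not the router's UI labels.

```python
from dataclasses import dataclass, replace

# Key sizes in bytes for the manual-policy algorithms (keys are typed as ASCII, as on the page).
ENC_KEY_LEN = {"DES": 8, "3DES": 24, "AES-128": 16}
AUTH_KEY_LEN = {"MD5": 16, "SHA-1": 20}
LEGACY = {"DES", "MD5"}  # algorithms a configuration review should flag for replacement

@dataclass(frozen=True)
class ManualPolicy:  # field names are this example's shorthand, not the router's UI labels
    name: str; wan: str; local_subnet: str; remote_endpoint: str; remote_subnet: str
    spi_in: str; spi_out: str
    enc: str; enc_key_in: str; enc_key_out: str
    auth: str; auth_key_in: str; auth_key_out: str

def check_pair(a, b):
    """Return mismatches between two manual policies meant to form one tunnel; [] means consistent."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        if me.remote_endpoint != peer.wan:
            problems.append(f"{me.name}: remote endpoint {me.remote_endpoint} is not peer WAN {peer.wan}")
        if me.remote_subnet != peer.local_subnet:
            problems.append(f"{me.name}: remote subnet {me.remote_subnet} is not peer LAN {peer.local_subnet}")
        # Inbound SPI and keys on one side must be the peer's outbound SPI and keys.
        if me.spi_in != peer.spi_out:
            problems.append(f"{me.name}: SPI-Incoming {me.spi_in} is not peer SPI-Outgoing {peer.spi_out}")
        if (me.enc_key_in, me.auth_key_in) != (peer.enc_key_out, peer.auth_key_out):
            problems.append(f"{me.name}: inbound keys differ from peer outbound keys")
        if (me.enc, me.auth) != (peer.enc, peer.auth):
            problems.append(f"{me.name}: algorithms differ from peer")
        for alg, key, table in ((me.enc, me.enc_key_in, ENC_KEY_LEN), (me.auth, me.auth_key_in, AUTH_KEY_LEN)):
            if alg in table and len(key) != table[alg]:
                problems.append(f"{me.name}: {alg} key is {len(key)} bytes, needs {table[alg]}")
    if a.spi_in == a.spi_out:
        problems.append("inbound and outbound SPIs must differ so the two SAs are distinguishable")
    return problems

def legacy_algorithms(p):
    """Algorithms in the policy that current guidance treats as legacy."""
    return sorted({p.enc, p.auth} & LEGACY)

# Constructed from the page's manualVPN example.
ROUTER1 = ManualPolicy("Router 1", "10.0.0.1", "192.168.1.0/24", "10.0.0.2", "192.168.2.0/24",
                       "0x1111", "0x2222", "DES", "11112222", "33334444",
                       "MD5", "1122334444332211", "5566778888776655")
ROUTER2 = ManualPolicy("Router 2", "10.0.0.2", "192.168.2.0/24", "10.0.0.1", "192.168.1.0/24",
                       "0x2222", "0x1111", "DES", "33334444", "11112222",
                       "MD5", "5566778888776655", "1122334444332211")
# Same pair with Router 2's remote subnet mistyped as its own LAN, a common copy-paste slip.
ROUTER2_TYPO = replace(ROUTER2, remote_subnet="192.168.2.0/24")

if __name__ == "__main__":
    print(check_pair(ROUTER1, ROUTER2))        # []
    print(check_pair(ROUTER1, ROUTER2_TYPO))   # one remote-subnet mismatch reported for Router 2
    print(legacy_algorithms(ROUTER1))          # ['DES', 'MD5']
```

The length check matters because the router accepts the key as typed; a DES key that is not exactly 8 characters or an MD5 key that is not exactly 16 will not interoperate even if both sides "match".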
Auto Policy Parameters
If you chose auto as the policy type in Step 4, configure the following:
STEP 1
SA Lifetime—Enter the duration of the Security Association and choose the unit
from the drop-down list:
  Seconds—Choose this option to measure the SA Lifetime in seconds. After the
  specified number of seconds passes, the Security Association is renegotiated.
  The default value is 3600 seconds. The minimum value is 300 seconds.
  Kbytes—Choose this option to measure the SA Lifetime in kilobytes. After the
  specified number of kilobytes of data is transferred, the SA is renegotiated.
  The minimum value is 1920000 KB.
NOTE
When configuring a lifetime in kilobytes (also known as lifebytes), be aware
that two SAs are created for each policy. One SA applies to inbound traffic,
and one SA applies to outbound traffic. Due to differences in the upstream
and downstream traffic flows, the SA may expire asymmetrically. For
example, if the downstream traffic is very high, the lifebyte for a download
stream may expire frequently. The lifebyte of the upload stream may not
expire as frequently. It is recommended that the values be reasonably set, to
reduce the difference in expiry frequencies of the SAs; otherwise the
system may eventually run out of resources as a result of this asymmetry.
The lifebyte specifications are generally recommended for advanced users
only.
STEP 2
Select the algorithm used to encrypt the data.
STEP 3
Select the algorithm used to verify the integrity of the data.
STEP 4
Under PFS Key Group, check the Enable box to enable Perfect Forward Secrecy
(PFS) to improve security. While slower, this option helps to protect against
eavesdroppers by ensuring that a fresh Diffie-Hellman exchange is performed for
every phase-2 negotiation, so the tunnel keys are not derived from the phase-1
keying material alone.
STEP 5
Choose the IKE policy that will define the characteristics of phase 1 of the
negotiation. (For information on creating these policies, see Configuring IKE
Policies, page 95.)
Configuring VPN Clients
VPN clients must be configured with the same VPN policy parameters used in the
VPN tunnel the client wishes to use: encryption, authentication, lifetime, and PFS
key group. Once these parameters are set, the VPN Client user database must also
be populated with an account to give a user access to the tunnel.
VPN client software is required to establish a VPN tunnel between the router and
remote endpoint. Open source software (such as OpenVPN or Openswan) as well
as Microsoft IPsec VPN software can be configured with the required IKE policy
parameters to establish an IPsec VPN tunnel. Refer to the client software guide for
detailed instructions on setup as well as the router’s online help.
The user database contains the list of VPN user accounts that are authorized to
use a given VPN tunnel. Alternatively VPN tunnel users can be authenticated using
a configured RADIUS database. Refer to the online help to determine how to
populate the user database and/or configure RADIUS authentication.
Monitoring VPN Tunnel Status
You can view and change the status of (connect or drop) the router’s IPsec
security associations by performing one of the following actions:
  Choose VPN > IPsec > Advanced VPN Setup and click IPsec VPN Connection Status.
  Choose Status > IPsec Connection Status.
Here the active IPsec SAs (security associations) are listed along with the traffic
details and tunnel state. The traffic is a cumulative measure of transmitted/
received packets since the tunnel was established.
If a VPN policy state is “not connected”, it can be enabled from the List of VPN
Policies in the VPN > IPsec > Advanced VPN Setup page.
The Active IPsec SAs table displays a list of active IPsec SAs. Table fields are as
follows:

Field         Description
Policy Name   IKE or VPN policy associated with this SA.
Endpoint      IP address of the remote VPN gateway or client.
Packets       Number of IP packets transmitted over this SA.
Kbytes        Kilobytes of data transmitted over this SA.
State         Status of the SA for IKE policies: Not Connected or IPsec SA Established.
Action        Choose Connect to establish a connection, or Drop to terminate an
              established connection.

Configuring VPN Users
To view a list of VPN users, choose VPN > IPsec > VPN Users. The VPN gateway
authenticates users in this list when XAUTH is used in an IKE policy. QuickVPN
clients can access only default LAN hosts.

Configuring a PPTP Server
If you are using a Point-to-Point Tunneling Protocol VPN server:
STEP 1
Choose VPN > IPsec > VPN Users.
STEP 2
Under PPTP Server, check the Enable box.
STEP 3
Enter the IP address of the PPTP server.
STEP 4
In the Starting IP Address field, enter the starting IP address of the range of IPs to
assign to connecting users.
STEP 5
In the Ending IP Address field, enter the ending IP address of the range of IPs to
assign to connecting users.
NOTE
The starting IP of the PPTP client IP range is used as the PPTP server IP of the Cisco
RV120W and the remaining PPTP client IP address range is used to assign IP
addresses to PPTP clients.
Adding New VPN Users
To add new users:
STEP 1
Choose VPN > IPsec > VPN Users.
STEP 2
In the VPN Client Setting Table, click Add.
STEP 3
Check the Enabled box.
STEP 4
Enter the username.
STEP 5
Enter the password. If you want the user to be able to change the password, check
the Enabled box.
STEP 6
Under Protocol, choose the type of user:
  QuickVPN—The user is authenticated by the VPN server. See Creating Cisco
  QuickVPN Client Users, page 93.
  PPTP—The user is authenticated by a PPTP server.
  XAUTH—The user is authenticated by an external authorization server, such
  as a RADIUS server.
STEP 7
Click Save.
Configuring VPN Passthrough
VPN passthrough allows VPN traffic that originates from VPN clients to pass
through the router. For example, if you are not using a VPN that is configured on the
Cisco RV120W, but are using a laptop to access a VPN at another site, configuring
VPN passthrough allows that connection.