Vigor2830 Series User’s Guide
214
• When you check PPTP, you will see the following graphic:

• When you check PPTP/IPSec/L2TP (three types), PPTP/IPSec (two types) or L2TP with Policy (Nice to Have/Must), you will see the following graphic:
• When you check IPSec, you will see the following graphic:
Profile Name
    Type a name for this profile. The profile name is limited to 10 characters.

User Name
    The user name used to authenticate the connection when you select PPTP or L2TP (with or without an IPSec policy) above.

Password
    The password used to authenticate the connection when you select PPTP or L2TP (with or without an IPSec policy) above.

Pre-Shared Key
    For IPSec or L2TP over IPSec authentication, type a pre-shared key. When no digital signature is used, this key is the only secret that authenticates the remote peer, so use a long, random value and do not reuse it across profiles.

Confirm Pre-Shared Key
    Type the pre-shared key again for confirmation.

Digital Signature (X.509)
    Check the Digital Signature box to enable certificate-based authentication, then use the drop-down list to choose the certificate to use. At least one certificate must already have been configured in Certificate Management >> Local Certificate; otherwise the choice made here has no effect.

Peer IP/VPN Client IP
    Type the WAN IP address or VPN client IP address of the remote client.

Peer ID
    Type the ID name of the remote client.

Remote Network IP
    Type the LAN IP address of the remote network (according to the real location of the remote host) for building the VPN connection.

Remote Network Mask
    Type the network mask of the remote network (according to the real location of the remote host) for building the VPN connection.
After finishing the configuration, click Next. The confirmation page will be shown as follows. If there is no problem, click one of the radio buttons listed on the page and then click Finish to execute the next action.

Go to the VPN Connection Management
    Click this radio button to access VPN and Remote Access >> Connection Management for viewing the VPN connection status.

Do another VPN Server Wizard Setup
    Click this radio button to set up another VPN Server profile through the VPN Server Wizard.

View more detailed configuration
    Click this radio button to access VPN and Remote Access >> LAN to LAN for viewing the detailed configuration.
4.10.3 Remote Access Control
Enable only the VPN services you actually need. If you intend to run a VPN server on a host inside your LAN, disable the corresponding VPN service on the Vigor router so that the tunnel can pass through instead of terminating on the router, and configure the appropriate NAT settings (for example DMZ or an open port rule) to forward the VPN traffic to that host. Leaving a service enabled that no one uses only widens the router's attack surface on the WAN side.
4.10.4 PPP General Setup
This submenu only applies to PPP-related VPN connections, such as PPTP, L2TP, L2TP over
IPSec.
Dial-In PPP Authentication
    PAP Only - Select this option to force the router to authenticate dial-in users with the PAP protocol. PAP carries the password in the clear inside the PPP frames, so choose it only when the peer cannot do CHAP.
    PAP or CHAP - Selecting this option means the router will attempt to authenticate dial-in users with the CHAP protocol first. If the dial-in user does not support CHAP, it falls back to PAP.

Dial-In PPP Encryption (MPPE)
    Optional MPPE - MPPE encryption is employed for the remote dial-in user only when that user supports it. If the remote dial-in user does not support the MPPE encryption algorithm, the router transmits the packets without MPPE encryption; otherwise MPPE is used to encrypt the data. With this setting a client that does not offer MPPE therefore gets an unencrypted PPP session.
    Require MPPE (40/128 bits) - Selecting this option forces the router to encrypt packets with the MPPE encryption algorithm. 128-bit MPPE is negotiated when the remote dial-in user supports it; if 128-bit MPPE is not available, the 40-bit scheme is applied instead.
    Maximum MPPE - The router uses MPPE with the maximum key length (128-bit) only to encrypt the data. Prefer this setting where all clients support it, since 40-bit MPPE offers little protection.

Mutual Authentication (PAP)
    The Mutual Authentication function is mainly used to communicate with other routers or clients that need bi-directional authentication in order to provide stronger security, for example Cisco routers. Enable this function when your peer router requires mutual authentication, and specify the User Name and Password used with the mutual authentication peer.
Assigned IP Range
    Enter a start IP address for the dial-in PPP connection. You should choose an IP address from the local private network. For example, if the local private network is 192.168.1.0/255.255.255.0, you could choose 192.168.1.200 as the Start IP Address.
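The difference between the PAP and CHAP options above is easiest to see on the wire. The following is an added example, not code from the Vigor2830 firmware or from DrayTek: it implements the RFC 1994 (MD5) CHAP challenge/response that the "PAP or CHAP" setting tries first, next to the RFC 1334 PAP Authenticate-Request it falls back to. The user name, password, SPI-free framing and the 16-byte challenge length are constructed choices for illustration; the MS-CHAP variants that PPTP clients use to derive MPPE keys are outside this example.

```python
import hashlib
import hmac
import secrets

# Constructed credentials (not from the router): the same secret is stored on
# the router (authenticator) and on the dial-in client.
USER = b"vpnuser"
PASSWORD = b"correct horse battery staple"


def chap_challenge() -> bytes:
    """Authenticator (router) side: a fresh, unpredictable challenge per attempt."""
    return secrets.token_bytes(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || Secret || Challenge).
    Only this 16-byte digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Router side: recompute with the stored secret and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data (RFC 1334 section 2.2.1):
    Peer-ID-Length, Peer-ID, Passwd-Length, Password. Anyone who can read the
    PPP frames reads the password verbatim."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def run_chap(router_secret: bytes, client_secret: bytes, identifier: int = 1) -> bool:
    """One round trip: Challenge packet -> client, Response packet -> router, router checks."""
    challenge = chap_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return chap_verify(identifier, router_secret, challenge, response)


def replay_rejected(secret: bytes) -> bool:
    """A response captured from one session fails against the next session's challenge."""
    captured = chap_response(1, secret, chap_challenge())
    return not chap_verify(1, secret, chap_challenge(), captured)


if __name__ == "__main__":
    print("CHAP, correct secret:", run_chap(PASSWORD, PASSWORD))
    print("CHAP, wrong secret:  ", run_chap(PASSWORD, b"guess"))
    print("CHAP replay rejected:", replay_rejected(PASSWORD))
    print("PAP frame contains password:", PASSWORD in pap_authenticate_request(USER, PASSWORD))
```

CHAP still requires the router to hold the reversible secret (not a hash of it), and MD5-CHAP responses can be brute-forced offline from a capture if the password is weak, so the "PAP or CHAP" choice protects the password on the wire but does not replace a strong one.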
4.10.5 IPSec General Setup
In IPSec General Setup, there are two major parts of configuration.
There are two phases of IPSec.
• Phase 1: negotiation of the IKE parameters, including encryption, hash, Diffie-Hellman group and lifetime, that protect the following IKE exchanges, and authentication of both peers using either a Pre-Shared Key or a Digital Signature (X.509). The peer that starts the negotiation proposes all its policies to the remote peer, and the remote peer tries to find the highest-priority match among its own policies. The result is a secure channel over which IKE Phase 2 runs.
• Phase 2: negotiation of the IPSec security methods, Authentication Header (AH) or Encapsulating Security Payload (ESP) together with their algorithms and keys, that protect the user data, and mutual confirmation that the secure tunnel has been established.

There are two encapsulation methods used in IPSec, Transport and Tunnel. Transport mode adds the AH/ESP payload but keeps the original IP header, so only the data payload is encapsulated. It can only be applied to packets that originate and terminate on the peers themselves, e.g. L2TP over IPSec. Tunnel mode not only adds the AH/ESP payload but also uses a new IP header (the tunneled IP header) to encapsulate the whole original IP packet, which is what a LAN-to-LAN connection between two routers needs.

Authentication Header (AH) provides data authentication and integrity for IP packets passed between VPN peers, but no confidentiality. This is achieved by applying a keyed one-way hash function to the packet to create a message digest. This digest is carried in the AH and transmitted along with the packet. On the receiving side, the peer performs the same keyed one-way hash on the packet and compares the value with the one in the AH it receives; a mismatch means the packet was altered in transit or was produced with a different key.
Encapsulating Security Payload (ESP) is a security protocol that provides data confidentiality, with optional authentication (integrity) and replay detection.
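The transport/tunnel layouts and the keyed-hash check described above can be shown concretely. The following is an added example, not code from the Vigor2830 or DrayTek: it builds the two ESP encapsulations (RFC 4303 header, trailer and ICV) for a constructed LAN-to-LAN packet, applies the keyed one-way hash integrity check (HMAC-SHA-256-128 as in RFC 4868) on the receiving side, and shows what a tampered packet looks like to the receiver. The gateway addresses, SPI values and the integrity key are constructed; in practice the key comes out of the IKE Phase 2 negotiation. Encryption of the ESP payload is omitted so the layouts stay readable, and no replay window is implemented.

```python
import hashlib
import hmac
import struct

PROTO_ESP, PROTO_IPIP, PROTO_UDP = 50, 4, 17
KEY = bytes(range(32))           # constructed integrity key; real keys come from IKE Phase 2


def ipv4(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left 0, it is not the point here)."""
    addr = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       addr(src), addr(dst))


def icv(data: bytes, key: bytes = KEY) -> bytes:
    """Keyed one-way hash: HMAC-SHA-256 truncated to 128 bits (RFC 4868), the message digest
    appended to the packet. The ESP ICV covers the ESP header, payload and trailer only."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def esp_encapsulate(pkt: bytes, mode: str, spi: int, seq: int,
                    gateways=("203.0.113.1", "198.51.100.1")) -> bytes:
    """Wrap an original IP packet in ESP. Constructed gateway addresses are the tunnel endpoints."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr, payload = pkt[:ihl], pkt[ihl:]
    if mode == "transport":
        # original IP header kept; only the transport payload is protected
        src = ".".join(map(str, hdr[12:16]))
        dst = ".".join(map(str, hdr[16:20]))
        protected, next_hdr = payload, hdr[9]
    elif mode == "tunnel":
        # new outer header between the gateways; the whole original packet is protected
        src, dst = gateways
        protected, next_hdr = pkt, PROTO_IPIP
    else:
        raise ValueError(mode)
    esp_hdr = struct.pack("!II", spi, seq)        # SPI, sequence number
    trailer = bytes([0, next_hdr])                # pad length 0, next header
    body = esp_hdr + protected + trailer
    body += icv(body)
    return ipv4(src, dst, PROTO_ESP, len(body)) + body


def esp_decapsulate(pkt: bytes, key: bytes = KEY):
    """Receiver: recompute the digest over the protected bytes, compare in constant time,
    then peel the ESP layer. Returns (spi, seq, next_header, protected_bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    body, tag = pkt[ihl:-16], pkt[-16:]
    if not hmac.compare_digest(icv(body, key), tag):
        raise ValueError("ICV mismatch: packet modified in transit or wrong SA key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_hdr = body[-2], body[-1]
    return spi, seq, next_hdr, body[8:len(body) - 2 - pad_len]


def compare_modes() -> dict:
    """Constructed packet from LAN host 192.168.1.10 to remote LAN host 192.168.2.20."""
    inner = ipv4("192.168.1.10", "192.168.2.20", PROTO_UDP, 4) + b"ping"
    transport = esp_encapsulate(inner, "transport", 0x1000, 1)
    tunnel = esp_encapsulate(inner, "tunnel", 0x1001, 1)
    return {
        "inner_len": len(inner),
        "transport": (len(transport), esp_decapsulate(transport)),
        "tunnel": (len(tunnel), esp_decapsulate(tunnel)),
    }


def tamper_detected(pkt: bytes, offset: int) -> bool:
    """Flip one bit at the given offset and report whether the receiver rejects the packet."""
    mutated = bytearray(pkt)
    mutated[offset] ^= 0x01
    try:
        esp_decapsulate(bytes(mutated))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for mode, (length, fields) in ((k, v) for k, v in compare_modes().items() if k != "inner_len"):
        print(f"{mode:9s} len={length} spi=0x{fields[0]:x} next_header={fields[2]}")
```

In tunnel mode the receiver gets next header 4 (IP-in-IP) and the complete original packet back, which is why a LAN-to-LAN profile can carry traffic between two private networks; in transport mode it gets next header 17 and only the UDP payload, and must reuse the outer header. Note that the ESP digest does not cover the outer IP header, so a bit flipped in the outer TTL is not detected by this check, while a bit flipped inside the protected bytes is; covering immutable header fields is what AH adds.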
IKE Authentication Method
    This usually applies to remote dial-in users or nodes (LAN-to-LAN) that use a dynamic IP address and IPSec-related VPN connections such as L2TP over IPSec and