Page 296 / 794 Scroll up to view Page 291 - 295
Vigor2860 Series User’s Guide
282
3.11.3 IPsec General Setup
In
IPsec General Setup,
there are two major parts of configuration.
There are two phases of IPsec.
Phase 1: negotiation of IKE parameters including encryption, hash, Diffie-Hellman
parameter values, and lifetime to protect the following IKE exchange, authentication of
both peers using either a Pre-Shared Key or Digital Signature (x.509). The peer that
starts the negotiation proposes all its policies to the remote peer and then remote peer
tries to find a highest-priority match with its policies. Eventually to set up a secure tunnel
for IKE Phase 2.
Phase 2: negotiation IPsec security methods including Authentication Header (AH) or
Encapsulating Security Payload (ESP) for the following IKE exchange and mutual
examination of the secure tunnel establishment.
There are two encapsulation methods used in IPsec,
Transport
and
Tunnel
. The
Transport
mode will add the AH/ESP payload and use original IP header to encapsulate the data payload
only. It can just apply to local packet, e.g., L2TP over IPsec. The
Tunnel
mode will not only
add the AH/ESP payload but also use a new IP header (Tunneled IP header) to encapsulate the
whole original IP packet.
Authentication Header (AH) provides data authentication and integrity for IP packets passed
between VPN peers. This is achieved by a keyed one-way hash function to the packet to create
a message digest. This digest will be put in the AH and transmitted along with packets. On the
receiving side, the peer will perform the same one-way hash on the packet and compare the
value with the one in the AH it receives.
Encapsulating Security Payload (ESP) is a security protocol that provides data confidentiality
and protection with optional authentication and replay detection service.
Available settings are explained as follows:
Item
Description
IKE Authentication
Method
This usually applies to those are remote dial-in user or node
(LAN-to-LAN) which uses dynamic IP address and
IPsec-related VPN connections such as L2TP over IPsec
and IPsec tunnel. There are two methods offered by Vigor
router for you to authenticate the incoming data coming
from remote dial-in user,
Certificate (X.509)
and
Page 297 / 794
Vigor2860 Series User’s Guide
283
Pre-Shared Key
.
Certificate for Dial-in
–Choose one of the local certificates
from the drop down list.
Pre-Shared Key-
Specify a key for IKE authentication.
Confirm Pre-Shared Key-
Retype the characters to
confirm the pre-shared key.
Note
: Any packets from the remote dial-in user which does
not match the rule defined in
VPN and Remote
Access>>Remote Dial-In User
will be applied with the
method specified here.
IPsec Security Method
Medium
-
Authentication Header (AH) means data will be
authenticated, but not be encrypted. By default, this option
is active.
High (ESP)
-
Encapsulating Security Payload (ESP) means
payload (data) will be encrypted and authenticated. You
may select encryption algorithm from Data Encryption
Standard (DES), Triple DES (3DES), and AES.
After finishing all the settings here, please click
OK
to save the configuration.
3.11.4 IPsec Peer Identity
To use digital certificate for peer authentication in either LAN-to-LAN connection or Remote
User Dial-In connection, here you may edit a table of peer certificate for selection. As shown
below, the router provides
32
entries of digital certificates for peer dial-in users.
Available settings are explained as follows:
Item
Description
Set to Factory Default
Click it to clear all indexes.
Page 298 / 794
Vigor2860 Series User’s Guide
284
Index
Click the number below Index to access into the setting
page of IPsec Peer Identity.
Name
Display the profile name of that index.
Click each index to edit one peer digital certificate. There are three security levels of digital
signature authentication: Fill each necessary field to authenticate the remote peer. The
following explanation will guide you to fill all the necessary fields.
Available settings are explained as follows:
Item
Description
Profile Name
Type the name of the profile. The maximum length of the
name you can set is 32 characters.
Enable this account
Check it to enable such account profile.
Accept Any Peer ID
Click to accept any peer regardless of its identity.
Accept Subject
Alternative Name
Click to check one specific field of digital signature to
accept the peer with matching value. The field can be
IP
Address, Domain,
or
E-mail Address
. The box under the
Type will appear according to the type you select and ask
you to fill in corresponding setting.
Accept Subject Name
Click to check the specific fields of digital signature to
accept the peer with matching value. The field includes
Country (C), State (ST), Location (L), Organization (O),
Organization Unit (OU), Common Name (CN),
and
Email (E)
.
After finishing all the settings here, please click
OK
to save the configuration.
Page 299 / 794
Vigor2860 Series User’s Guide
285
3.11.5 Remote Dial-in User
You can manage remote access by maintaining a table of remote user profile, so that users can
be authenticated to dial-in via VPN connection. You may set parameters including specified
connection peer ID, connection type (VPN connection - including PPTP, IPsec Tunnel, and
L2TP by itself or over IPsec) and corresponding security methods, etc.
The router provides
32
access accounts for dial-in users. Besides, you can extend the user
accounts to the RADIUS server through the built-in RADIUS client function. The following
figure shows the summary table.
Available settings are explained as follows:
Item
Description
Set to Factory Default
Click to clear all indexes.
Index
Click the number below Index to access into the setting
page of Remote Dial-in User.
User
Display the username for the specific dial-in user of the
LAN-to-LAN profile. The symbol
???
represents that the
profile is empty.
Active
Check the box to activate such profile.
Status
Display the access state of the specific dial-in user.
The
symbol V and X represent the specific dial-in user to be
active and inactive, respectively.
Click each index to edit one remote user profile.
Each Dial-In Type requires you to fill the
different corresponding fields on the right.
If the fields gray out, it means you may leave it
untouched. The following explanation will guide you to fill all the necessary fields.
Page 300 / 794
Vigor2860 Series User’s Guide
286
Available settings are explained as follows:
Item
Description
User account and
Authentication
Enable this account
- Check the box to enable this
function.
Idle Timeout-
If the dial-in user is idle over the limitation
of the timer, the router will drop this connection. By
default, the Idle Timeout is set to 300 seconds.
Allowed Dial-In Type
PPTP
- Allow the remote dial-in user to make a PPTP VPN
connection through the Internet. You should set the User
Name and Password of remote dial-in user below.
IPsec Tunnel
- Allow the remote dial-in user to make an
IPsec VPN connection through Internet.
L2TP with IPsec Policy
- Allow the remote dial-in user to
make a L2TP VPN connection through the Internet. You
can select to use L2TP alone or with IPsec. Select from
below:
None -
Do not apply the IPsec policy. Accordingly,
the VPN connection employed the L2TP without
IPsec policy can be viewed as one pure L2TP
connection.
Nice to Have -
Apply the IPsec policy first, if it is
applicable during negotiation. Otherwise, the dial-in

Rate

4 / 5 based on 1 vote.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top