Page 306 / 794 Scroll up to view Page 301 - 305
Vigor2860 Series User’s Guide
292
Both
:-initiator/responder
Dial-Out
- initiator only
Dial-In-
responder only.
Always On-
Check to enable router always keep VPN
connection.
Idle Timeout:
The default value is 300 seconds. If the
connection has been idled over the value, the router will
drop the connection.
Enable PING to keep alive -
This function is to help the
router to determine the status of IPsec VPN connection,
especially useful in the case of abnormal VPN IPsec tunnel
disruption. For details, please refer to the note below.
Check to enable the transmission of PING packets to a
specified IP address.
Enable PING to keep alive
is used to handle abnormal
IPsec VPN connection disruption. It will help to provide the
state of a VPN connection for router’s judgment of redial.
Normally, if any one of VPN peers wants to disconnect the
connection, it should follow a serial of packet exchange
procedure to inform each other. However, if the remote peer
disconnects without notice, Vigor router will by no where
to know this situation. To resolve this dilemma, by
continuously sending PING packets to the remote host, the
Vigor router can know the true existence of this VPN
connection and react accordingly. This is independent of
DPD (dead peer detection).
PING to the IP -
Enter the IP address of the remote host
that located at the other-end of the VPN tunnel.
Dial-Out Settings
Type of Server I am calling - PPTP
- Build a PPTP VPN
connection to the server through the Internet. You should
set the identity like User Name and Password below for the
authentication of remote server.
IPsec Tunnel
- Build an IPsec VPN connection to the
server through Internet.
L2TP with IPsec Policy -
Build a L2TP VPN connection
through the Internet. You can select to use L2TP alone or
with IPsec. Select from below:
None:
Do not apply the IPsec policy. Accordingly, the
VPN connection employed the L2TP without IPsec
policy can be viewed as one pure L2TP connection.
Nice to Have:
Apply the IPsec policy first, if it is
applicable during negotiation. Otherwise, the dial-out
VPN connection becomes one pure L2TP connection.
Must:
Specify the IPsec policy to be definitely applied on
the L2TP connection.
User Name -
This field is applicable when you select,
PPTP or L2TP with or without IPsec policy above. The
length of the name is limited to 49 characters.
Password -
This field is applicable when you select PPTP
or L2TP with or without IPsec policy above. The length of
Page 307 / 794
Vigor2860 Series User’s Guide
293
the password is limited to 15 characters.
PPP Authentication -
This field is applicable when you
select, PPTP or L2TP with or without IPSec policy above.
PAP/CHAP/MS-CHAP/MS-CHAPv2 is the most common
selection due to compatibility.
VJ compression -
This field is applicable when you select
PPTP or L2TP with or without IPsec policy above. VJ
Compression is used for TCP/IP protocol header
compression. Normally set to
On
to improve bandwidth
utilization.
IKE Authentication Method -
This group of fields is
applicable for IPsec Tunnels and L2TP with IPsec Policy.
Pre-Shared Key
- Input 1-63 characters as pre-shared
key.
Digital Signature (X.509)
- Select one predefined
Profiles set in the
VPN and Remote Access >>IPsec
Peer Identity
.
Peer ID -
Select one of the predefined Profiles set in
VPN and
Remote Access >>IPsec Peer Identity.
Local ID –
Specify a local ID
(Alternative Subject
Name First
or
Subject Name First)
to be used for
Dial-in setting in the LAN-to-LAN Profile setup. This
item is optional and can be used only in IKE
aggressive mode.
Local Certificate –
Select one of the profiles set in
Certificate Management>>Local Certificate
.
IPsec Security Method -
This group of fields is a must for
IPsec Tunnels and L2TP with IPsec Policy.
Medium AH (Authentication Header)
means data
will be authenticated, but not be encrypted. By default,
this option is active.
High (ESP-Encapsulating Security Payload)-
means
payload (data) will be encrypted and authenticated.
Select from below:
DES without Authentication
-Use DES encryption
algorithm and not apply any authentication scheme.
DES with Authentication-
Use DES encryption
algorithm and apply MD5 or SHA-1 authentication
algorithm.
3DES without Authentication
-Use triple DES
encryption algorithm and not apply any authentication
scheme.
3DES with Authentication-
Use triple DES
encryption algorithm and apply MD5 or SHA-1
authentication algorithm.
AES without Authentication
-Use AES encryption
algorithm and not apply any authentication scheme.
AES with Authentication-
Use AES encryption
algorithm and apply MD5 or SHA-1 authentication
algorithm.
Page 308 / 794
Vigor2860 Series User’s Guide
294
Advanced -
Specify mode, proposal and key life of each
IKE phase, Gateway, etc.
The window of advance setup is shown as below:
IKE phase 1 mode -
Select from
Main
mode and
Aggressive
mode. The ultimate outcome is to exchange
security proposals to create a protected secure channel.
Main
mode is more secure than
Aggressive
mode since
more exchanges are done in a secure channel to set up the
IPsec session. However, the
Aggressive
mode is faster. The
default value in Vigor router is Main mode.
IKE phase 1 proposal-
To propose the local available
authentication schemes and encryption algorithms to
the VPN peers, and get its feedback to find a match.
Two combinations are available for Aggressive mode
and nine for
Main
mode. We suggest you select the
combination that covers the most schemes.
IKE phase 2 proposal-
To propose the local available
algorithms to the VPN peers, and get its feedback to
find a match. Three combinations are available for
both modes. We suggest you select the combination
that covers the most algorithms.
IKE phase 1 key lifetime-
For security reason, the
lifetime of key should be defined. The default value is
28800 seconds. You may specify a value in between
900 and 86400 seconds.
IKE phase 2 key lifetime-
For security reason, the
lifetime of key should be defined. The default value is
3600 seconds.
You may specify a value in between
600 and 86400 seconds.
Perfect Forward Secret (PFS)-
The IKE Phase 1 key
will be reused to avoid the computation complexity in
phase 2. The default value is inactive this function.
Local ID-
In
Aggressive
mode, Local ID is on behalf
of the IP address while identity authenticating with
remote VPN server. The length of the ID is limited to
47 characters.
Index(1-15) -
Set the wireless LAN to work at certain time
interval only. You may choose up to 4 schedules out of the
15 schedules pre-defined in
Applications >> Schedule
setup. The default setting of this field is blank and the
function will always work.
Page 309 / 794
Vigor2860 Series User’s Guide
295
Available settings are explained as follows:
Item
Description
Dial-In Settings
Allowed Dial-In Type -
Determine the dial-in connection
with different types.
PPTP -
Allow the remote dial-in user to make a PPTP
VPN connection through the Internet. You should set
the User Name and Password of remote dial-in user
below.
IPsec Tunnel-
Allow the remote dial-in user to trigger
an IPsec VPN connection through Internet.
L2TP with IPsec Policy -
Allow the remote dial-in
user to make a L2TP VPN connection through the
Internet. You can select to use L2TP alone or with
IPsec. Select from below:
None -
Do not apply the IPsec policy.
Accordingly, the VPN connection employed the
L2TP without IPsec policy can be viewed as one
pure L2TP connection.
Nice to Have
- Apply the IPsec policy first, if it
is applicable during negotiation. Otherwise, the
dial-in VPN connection becomes one pure L2TP
connection.
Must -
Specify the IPsec policy to be definitely
applied on the L2TP connection.
Page 310 / 794
Vigor2860 Series User’s Guide
296
Specify Remote VPN Gateway -
You can specify the IP
address of the remote dial-in user or peer ID (should be the
same with the ID setting in dial-in type) by checking the
box. Also, you should further specify the corresponding
security methods on the right side.
If you uncheck the checkbox
,
the connection type you
select above will apply the authentication methods and
security methods in the general settings.
User Name -
This field is applicable when you select PPTP
or L2TP with or without IPsec policy above. The length of
the name is limited to 11 characters.
Password -
This field is applicable when you select PPTP
or L2TP with or without IPsec policy above. The length of
the password is limited to 11 characters.
VJ Compression -
VJ Compression is used for TCP/IP
protocol header compression. This field is applicable when
you select PPTP or L2TP with or without IPsec policy
above.
IKE Authentication Method -
This group of fields is
applicable for IPsec Tunnels and L2TP with IPsec Policy
when you specify the IP address of the remote node. The
only exception is Digital Signature (X.509) can be set when
you select IPsec tunnel either with or without specify the IP
address of the remote node.
Pre-Shared Key -
Check the box of Pre-Shared Key
to invoke this function and type in the required
characters (1-63) as the pre-shared key.
Digital Signature (X.509) –
Check the box of Digital
Signature to invoke this function and select one
predefined Profiles set in the
VPN and Remote
Access >>IPsec Peer Identity
.
Local ID
– Specify which one will be inspected
first.
Alternative Subject Name First
– The
alternative subject name (configured in
Certificate Management>>Local Certificate
)
will be inspected first.
Subject Name First
– The subject name
(configured in
Certificate
Management>>Local Certificate
) will be
inspected first.
IPsec Security Method -
This group of fields is a must for
IPsec Tunnels and L2TP with IPsec Policy when you
specify the remote node.
Medium-
Authentication Header (AH) means data
will be authenticated, but not be encrypted. By default,
this option is active.
High-
Encapsulating Security Payload (ESP) means
payload (data) will be encrypted and authenticated.
You may select encryption algorithm from Data
Encryption Standard (DES), Triple DES (3DES), and

Rate

4 / 5 based on 1 vote.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top