55
Chapter 6: Setting up and Configuring the Router
VPN Tab - Gateway to Gateway
10/100 16-Port VPN Router
Dynamic IP + Domain Name (FQDN) Authentication. If the Remote Security Gateway has a dynamic IP and you want to use the Domain Name for authentication, then select this type. When the Remote Security Gateway asks to create a tunnel with the Router, the Router will work as a responder. For authentication, complete the Domain Name field, and make sure it matches the Domain Name set on the Local Gateway of the remote VPN device. (The Remote Security Gateway has a dynamic IP, so you do not need to enter an IP address.) The Domain Name can be used for only one tunnel connection, so you can't use the same Domain Name to create another new tunnel connection.
Dynamic IP + E-mail Addr. (USER FQDN) Authentication. If the Remote Security Gateway has a dynamic IP and you want to use the e-mail address for authentication, then select this type. When the Remote Security Gateway asks to create a tunnel with the Router, the Router will work as a responder. For authentication, enter the appropriate e-mail address in the E-mail address fields. (The Remote Security Gateway has a dynamic IP, so you do not need to enter an IP address.)
Remote Security Group Type
Select the Remote Security Group behind the Remote Gateway that can use this VPN tunnel. Select one of these three available types: IP, Subnet, or IP Range. The Remote Security Group Type you select should match the Local Security Group Type selected on the VPN device at the other end of the tunnel.
After you have selected the Remote Security Group Type, the settings available on this screen may change, depending on which selection you have made.
IP. If you select IP, then only the computer with a specific IP address will be able to access the tunnel. Enter the appropriate IP address.
Subnet. If you select Subnet, which is the default, then all computers on the remote subnet will be able to access the tunnel. Complete the IP address and Subnet Mask fields. The default Subnet Mask is 255.255.255.0.
IP Range. If you select IP Range, then you can specify a range of IP addresses within the subnet that will be able to access the tunnel. Complete the IP range fields.
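To make the three group types concrete, here is an added Python example (not from the manual or the router's firmware) that builds the set of addresses each Security Group Type admits and lists the hosts that this end's Remote Security Group leaves uncovered when it does not match the other end's Local Security Group. The addresses are constructed samples and the function names are the example's own.

```python
import ipaddress

DEFAULT_MASK = "255.255.255.0"   # default Subnet Mask shown on this screen

def security_group(kind, *args):
    """Return the host addresses (a range of integers) that the chosen Security
    Group Type admits to the tunnel. "IP": a single host; "Subnet": address plus
    mask (default mask applied when omitted); "IP Range": first and last address."""
    if kind == "IP":
        host = int(ipaddress.IPv4Address(args[0]))
        return range(host, host + 1)
    if kind == "Subnet":
        mask = args[1] if len(args) > 1 else DEFAULT_MASK
        net = ipaddress.IPv4Network(f"{args[0]}/{mask}", strict=False)
        return range(int(net.network_address), int(net.broadcast_address) + 1)
    if kind == "IP Range":
        first, last = (int(ipaddress.IPv4Address(a)) for a in args)
        if first > last:
            raise ValueError("IP Range: first address is above the last address")
        return range(first, last + 1)
    raise ValueError(f"unknown Security Group Type {kind!r}")

def admitted(group, address):
    """True if traffic to or from this address is covered by the group."""
    return int(ipaddress.IPv4Address(address)) in group

def uncovered_hosts(this_remote_group, far_local_group, limit=10):
    """Hosts that the far end's Local Security Group includes but this end's
    Remote Security Group does not: their traffic will never match the tunnel.
    The manual says the two selections should match; this shows the difference."""
    missing = [h for h in far_local_group if h not in this_remote_group]
    return [str(ipaddress.IPv4Address(h)) for h in missing[:limit]]

if __name__ == "__main__":
    # Constructed sample: this end admits a range, the far end uses its whole /24.
    here = security_group("IP Range", "192.168.1.10", "192.168.1.20")
    there = security_group("Subnet", "192.168.1.0")
    print(admitted(here, "192.168.1.15"), uncovered_hosts(here, there))
```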
IPSec Setup
In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. This is done by sharing a key to the encryption code. For key management, there are two modes available; select IKE with Preshared Key or Manual. Both ends of a VPN tunnel must use the same mode of key management.
Figure 6-63: Remote Security Gateway Type - Dynamic IP + Domain Name (FQDN) Authentication
Figure 6-64: Remote Security Gateway Type - Dynamic IP + E-mail Addr. (USER FQDN) Authentication
Figure 6-65: Remote Security Group Type - IP
Figure 6-66: Remote Security Group Type - Subnet
Figure 6-67: Remote Security Group Type - IP Range
After you have selected the Keying Mode, the settings available on this screen may change, depending on the selection you have made.
IKE with Preshared Key
IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the Preshared Key to authenticate the remote IKE peer.
Phase 1 DH Group. Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.
Phase 1 Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Phase 1 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 1. The default value is 28800 seconds.
Perfect Forward Secrecy. If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication, so hackers using brute force to break encryption keys will not be able to obtain future IPSec keys.
Phase 2 DH Group. If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1). There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You do not have to use the same DH Group that you used for Phase 1.
Phase 2 Encryption. Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. 3DES is recommended because it is more secure. If you enable the AH Hash Algorithm on the Advanced screen, then it is recommended to select Null to disable the encryption and decryption of ESP packets in Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Encryption setting: DES, 3DES, or Null.
Figure 6-68: IPSec Setup - IKE with Preshared Key
Phase 2 Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. If you enable the AH Hash Algorithm on the Advanced screen, then it is recommended to select Null to disable the authentication of ESP packets in Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Authentication setting: MD5, SHA, or Null.
Phase 2 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 2. The default value is 3600 seconds.
Preshared Key. This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of 30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.
Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
Manual
Basically, manual key management is used in small static environments or for troubleshooting purposes. If you select Manual, you generate the key yourself, so no key negotiation is needed.
Incoming SPI (Security Parameter Index). SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the Security Association (SA) under which a packet should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI. The Incoming SPI of the Router must match the Outgoing SPI set on the remote VPN device at the other end of the tunnel. For example, if the Incoming SPI is 20123, then the Outgoing SPI would be 32102.
Outgoing SPI (Security Parameter Index). SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the SA under which a packet should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI. The Outgoing SPI of the Router must match the Incoming SPI set on the remote VPN device at the other end of the tunnel. For example, if the Outgoing SPI is 32102, then the Incoming SPI would be 20123.
Figure 6-69: IPSec Setup - Manual
Encryption. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.
Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Encryption Key. This field specifies a key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal values in the Encryption Key field. If you selected DES as the encryption method, then the Encryption Key must be 16-bit, which requires 16 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 16-bit. If you selected 3DES as the encryption method, then the Encryption Key must be 48-bit, which requires 48 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 48-bit. Make sure both ends of the VPN tunnel use the same Encryption Key.
Authentication Key. This field specifies a key used to authenticate IP traffic. Enter a key of hexadecimal values in the Authentication Key field. If you selected MD5 as the authentication method, then the Authentication Key must be 32-bit, which requires 32 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Authentication Key will be automatically completed with zeroes, so the Authentication Key will be 32-bit. If you selected SHA1 as the authentication method, then the Authentication Key must be 40-bit, which requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Authentication Key will be automatically completed with zeroes, so the Authentication Key will be 40-bit. Make sure both ends of the VPN tunnel use the same Authentication Key.
Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
Advanced
For most users, the settings on the VPN page should suffice; however, the Router provides advanced IPSec settings for advanced users. Click the Advanced button to view the Advanced settings, which are available only for VPN tunnels using the IKE with Preshared Key mode.
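The SPI range and the zero-padding rule above are easy to get wrong at one end only, so here is an added Python example (not the router's code) that validates the Manual mode settings of both ends together: SPI format and range, the in/out swap between the two ends, and the keys after the router's zero completion. The dictionary keys and the sample keys are constructed for the example; the byte counts in the comments follow from two hex digits per byte.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")
# Key lengths in hex digits as the manual states them for Manual mode. Two hex digits
# make one byte, so 16 digits is an 8-byte (64-bit) DES key, 48 digits a 24-byte 3DES
# key, 32 digits a 16-byte MD5 key and 40 digits a 20-byte SHA1 key.
KEY_HEX_LEN = {"DES": 16, "3DES": 48, "MD5": 32, "SHA1": 40}

def normalise_key(algorithm, entered):
    """Apply the router's rule: a short key is completed with zeroes up to the
    required length. Returns (padded_key, number_of_padded_digits)."""
    need = KEY_HEX_LEN[algorithm]
    if not entered or any(c not in HEX_DIGITS for c in entered):
        raise ValueError(f"{algorithm} key must be hexadecimal")
    if len(entered) > need:
        raise ValueError(f"{algorithm} key takes at most {need} hex digits")
    padded = entered.lower() + "0" * (need - len(entered))
    return padded, need - len(entered)

def parse_spi(spi):
    """Valid SPI per the manual: a hexadecimal value from 100 to ffffffff."""
    try:
        value = int(spi, 16)
    except ValueError:
        raise ValueError(f"SPI {spi!r} is not hexadecimal") from None
    if not 0x100 <= value <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi!r} is outside 100..ffffffff")
    return value

def check_manual_tunnel(local, remote):
    """Cross-check the Manual settings of both ends. Returns a list of problems;
    an empty list means the two ends agree."""
    problems = []
    for name, end in (("local", local), ("remote", remote)):
        if parse_spi(end["in_spi"]) == parse_spi(end["out_spi"]):
            problems.append(f"{name}: Incoming and Outgoing SPI must differ")
    if parse_spi(local["in_spi"]) != parse_spi(remote["out_spi"]):
        problems.append("local Incoming SPI does not match remote Outgoing SPI")
    if parse_spi(local["out_spi"]) != parse_spi(remote["in_spi"]):
        problems.append("local Outgoing SPI does not match remote Incoming SPI")
    for alg, key in (("enc", "enc_key"), ("auth", "auth_key")):
        if local[alg] != remote[alg]:
            problems.append(f"{alg}: {local[alg]} vs {remote[alg]}")
            continue
        l_key, l_pad = normalise_key(local[alg], local[key])
        r_key, r_pad = normalise_key(remote[alg], remote[key])
        if l_key != r_key:
            problems.append(f"{key} differs after zero padding")
        if l_pad or r_pad:   # padding is silent on the router and zero bytes carry no entropy
            problems.append(f"{key} was zero-padded by {max(l_pad, r_pad)} digits")
    return problems
```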
Aggressive Mode. There are two types of Phase 1 exchanges, Main Mode and Aggressive Mode. Aggressive Mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, leave the Aggressive Mode checkbox unchecked. If network speed is preferred, select Aggressive Mode. If you select one of the Dynamic IP types for the Remote Security Gateway Type setting, then Main Mode will be unavailable, so Aggressive Mode will be used.
Figure 6-70: IKE with Preshared Key - Advanced
Compress (Support IP Payload Compression Protocol (IP Comp)). The Router supports IP Payload Compression Protocol, which is used to reduce the size of IP datagrams. If this feature is enabled, the Router will propose compression when initiating a connection. If the responder rejects this proposal, then the Router will not implement compression. When the Router works as a responder, the Router will always accept compression even when the Compress feature has not been enabled. Select Compress to support this protocol.
Keep-Alive. This feature helps maintain the connections of IPSec tunnels. Whenever a connection is dropped and the drop is detected, then the connection will be re-established immediately. Select Keep-Alive to enable this feature.
AH Hash Algorithm. The AH (Authentication Header) protocol describes the packet format and default standards for packet structure. If AH is used as a security protocol, portions of the original IP header are used to verify the integrity of the entire packet during the hashing process, so protection is extended forward into the IP header. Select an algorithm, MD5 or SHA1. MD5 produces a 128-bit digest to authenticate packet data, and SHA1 produces a 160-bit digest to authenticate packet data. Both ends of the VPN tunnel should use the same AH Hash Algorithm.
NetBIOS Broadcast. Click the checkbox if you want NetBIOS traffic to pass through the VPN tunnel. By default, the Router blocks these broadcasts.
Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
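An added Python example, not from the manual or the router's firmware, that cross-checks the IKE with Preshared Key settings of both ends against the rules in the IPSec Setup and Advanced sections above: matching Phase 1 and Phase 2 methods, Phase 2 DH Group only when PFS is enabled, Null only with the AH Hash Algorithm on both ends, the same Preshared Key whether typed as keyboard characters or hex, and the effective Phase 1 mode when a Dynamic IP gateway type forces Aggressive Mode. The field names, the "Static IP" label and the rule for detecting a hex Preshared Key are assumptions of the example.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")

def psk_bytes(psk):
    """The Preshared Key may be typed as keyboard characters (My_@123) or as the
    same bytes in hex (4d795f40313233). Assumption made here: an even-length,
    all-hex string is treated as hex; the manual does not state the router's rule."""
    if len(psk) > 30:
        raise ValueError("Preshared Key is limited to 30 characters")
    if psk and len(psk) % 2 == 0 and all(c in HEX_DIGITS for c in psk):
        return bytes.fromhex(psk)
    return psk.encode("ascii")

def phase1_mode(end):
    """Effective Phase 1 exchange on one end: Main Mode is unavailable for the
    Dynamic IP Remote Security Gateway Types; otherwise the Aggressive Mode
    checkbox decides."""
    dynamic = end["remote_gateway_type"].startswith("Dynamic IP")
    return "Aggressive" if dynamic or end["aggressive"] else "Main"

def check_ike_pair(local, remote):
    """List the settings that differ between the two ends but must agree for
    the tunnel to come up. An empty list means the configuration is consistent."""
    problems = []
    # Encryption, authentication and AH hash must match per the manual; the Phase 1
    # DH group is part of the IKE proposal and must match too (not spelled out there).
    for key in ("p1_dh", "p1_enc", "p1_auth", "p2_enc", "p2_auth", "ah_hash"):
        if local[key] != remote[key]:
            problems.append(f"{key}: {local[key]} vs {remote[key]}")
    if local["pfs"] != remote["pfs"]:
        problems.append("pfs: enabled on one end only")
    elif local["pfs"] and local["p2_dh"] != remote["p2_dh"]:
        problems.append("p2_dh: differs while PFS is enabled")  # ignored when PFS is off
    # Null disables ESP encryption or authentication, so it is only acceptable when
    # the AH Hash Algorithm still protects the packets on both ends.
    p2 = (local["p2_enc"], local["p2_auth"], remote["p2_enc"], remote["p2_auth"])
    if "Null" in p2 and not (local["ah_hash"] and remote["ah_hash"]):
        problems.append("Phase 2 Null selected without AH Hash Algorithm on both ends")
    if psk_bytes(local["psk"]) != psk_bytes(remote["psk"]):
        problems.append("psk: keys differ")
    if phase1_mode(local) != phase1_mode(remote):
        problems.append("phase 1: one end will use Main Mode, the other Aggressive Mode")
    return problems
```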
VPN Tab - Client to Gateway
Use this screen to create a new tunnel between a local VPN device and a mobile user.
Add a New Tunnel
You can select Tunnel to create a tunnel for a single mobile user, or select Group VPN to create tunnels for multiple VPN clients. The Group VPN feature facilitates the setup of tunnels for multiple VPN clients, so you do not need to individually configure multiple remote VPN clients. After you have selected Tunnel or Group VPN, the settings available on this screen may change, depending on which selection you have made.
Tunnel No. A tunnel number between 1-50 will be automatically generated.
Tunnel Name. Enter a name for this VPN tunnel, such as Home Office or New York Branch. This allows you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
Figure 6-71: Client to Gateway