55

Chapter 6: Setting up and Configuring the Router

VPN Tab - Gateway to Gateway

10/100 16-Port VPN Router

Dynamic IP + Domain Name(FQDN) Authentication. If the Remote Security Gateway has a dynamic IP and you

want to use the Domain Name for authentication, then select this type. When the Remote Security Gateway

asks to create a tunnel with the Router, the Router will work as a responder. For authentication, complete the

Domain Name

field, and make sure it matches the Domain Name set on the Local Gateway of the remote VPN

device. (The Remote Security Gateway has a dynamic IP, so you do not need to enter an IP address.) The

Domain Name can be used for only one tunnel connection, so you can’t use the same Domain Name to create

another new tunnel connection.

Dynamic IP + E-mail Addr.(USER FQDN) Authentication. If the Remote Security Gateway has a dynamic IP and

you want to use the e-mail address for authentication, then select this type. When the Remote Security

Gateway asks to create a tunnel with the Router, the Router will work as a responder. For authentication,

enter the appropriate e-mail address in the

E-mail address

fields. (The Remote Security Gateway has a

dynamic IP, so you do not need to enter an IP address.)

Remote Security Group Type

Select the Remote Security Group behind the Remote Gateway that can use this VPN tunnel. Select one of these

three available types:

IP

,

Subnet

, or

IP Range

. The Remote Security Group Type you select should match the

Local Security Group Type selected on the VPN device at the other end of the tunnel.

After you have selected the Remote Security Group Type, the settings available on this screen may change,

depending on which selection you have made.

IP. If you select IP, then only the computer with a specific IP address will be able to access the tunnel. Enter

the appropriate IP address.

Subnet. If you select Subnet, which is the default, then all computers on the remote subnet will be able to

access the tunnel. Complete the

IP address

and

Subnet Mask

fields. The default Subnet Mask is

255.255.255.0

.

IP Range. If you select IP Range, then you can specify a range of IP addresses within the subnet that will be

able to access the tunnel. Complete the

IP range

fields.

IPSec Setup

In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption,

decryption, and authentication. This is done by sharing a key to the encryption code. For key management, there

are two modes available; select

IKE with Preshared Key

or

Manual

. Both ends of a VPN tunnel must use the

same mode of key management.

Figure 6-65: Remote Security Group Type - IP

Figure 6-66: Remote Security Group Type - Subnet

Figure 6-67: Remote Security Group Type - IP Range

Figure 6-63: Remote Security Gateway Type -

Dynamic IP + Domain Name (FQDN) Authentication

Figure 6-64: Remote Security Gateway Type -

Dynamic IP + E-mail Addr. (USER FQDN) Authentication

Downloaded from

www.Manualslib.com

manuals search engine

56

Chapter 6: Setting up and Configuring the Router

VPN Tab - Gateway to Gateway

10/100 16-Port VPN Router

After you have selected the Keying Mode, the settings available on this screen may change, depending on the

selection you have made.

IKE with Preshared Key

IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the

Preshared Key to authenticate the remote IKE peer.

Phase 1 DH Group. Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used

during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different

prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is

preferred, select

Group 1

. If network security is preferred, select

Group 5

.

Phase 1 Encryption. Select a method of encryption,

DES

or

3DES

. The encryption method determines the

length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit

encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the

same encryption method.

Phase 1 Authentication. Select a method of authentication,

MD5

or

SHA

. The authentication method

determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit

digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it

is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Phase 1 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 1. The default value is

28800

seconds.

Perfect Forward Secrecy. If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will

generate new key material for IP traffic encryption and authentication, so hackers using brute force to break

encryption keys will not be able to obtain future IPSec keys.

Phase 2 DH Group. If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so

you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1).

There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5

is 1,536 bits. If network speed is preferred, select

Group 1

. If network security is preferred, select

Group 5

.

You do not have to use the same DH Group that you used for Phase 1.

Phase 2 Encryption. Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec

sessions. Select a method of encryption,

DES

or

3DES

. The encryption method determines the length of the

key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption.

3DES is recommended because it is more secure. If you enable the AH Hash Algorithm on the

Advanced

Figure 6-68: IPSec Setup - IKE with Preshared Key

Downloaded from

www.Manualslib.com

manuals search engine

57

Chapter 6: Setting up and Configuring the Router

VPN Tab - Gateway to Gateway

10/100 16-Port VPN Router

screen, then it is recommended to select

Null

to disable the encryption and decryption of ESP packets in

Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN

tunnel must use the same Phase 2 Encryption setting: DES, 3DES, or Null.

Phase 2 Authentication. Select a method of authentication,

MD5

or

SHA

. The authentication method

determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit

digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it

is more secure. If you enable the AH Hash Algorithm on the

Advanced

screen, then it is recommended to

select

Null

to disable the authentication of ESP packets in Phase 2 (make sure the remote VPN device also

has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Authentication

setting: MD5, SHA, or Null.

Phase 2 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 2. The default value is

3600

seconds.

Preshared Key. This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of

keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of

30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is

strongly recommended that you change the Preshared Key periodically to maximize VPN security.

Click the

Save Settings

button to save your changes, or click the

Cancel Changes

button to undo the changes.

Manual

Basically, manual key management is used in small static environments or for troubleshooting purposes. If you

select Manual, you generate the key yourself, so no key negotiation is needed.

Incoming SPI (Security Parameter Index). SPI is carried in the ESP (Encapsulating Security Payload Protocol)

header and enables the receiver and sender to send the Security Association (SA), under which a packet

should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from

100 to ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI. The Incoming SPI of the Router

must match the Outgoing SPI set on the remote VPN device at the other end of the tunnel. For example, if the

Incoming SPI is 20123, then the Outgoing SPI would be 32102.

Outgoing SPI (Security Parameter Index). SPI is carried in the ESP (Encapsulating Security Payload Protocol)

header and enables the receiver and sender to send the SA, under which a packet should be processed.

Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each

tunnel must have a unique Inbound SPI and Outbound SPI. The Outgoing SPI of the Router must match the

Incoming SPI set on the remote VPN device at the other end of the tunnel. For example, if the Outgoing SPI is

32102, then the Incoming SPI would be 20123.

Figure 6-69: IPSec Setup - Manual

Downloaded from

www.Manualslib.com

manuals search engine

58

Chapter 6: Setting up and Configuring the Router

VPN Tab - Gateway to Gateway

10/100 16-Port VPN Router

Encryption. Select a method of encryption,

DES

or

3DES

. The encryption method determines the length of the

key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption.

3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same

encryption method.

Authentication. Select a method of authentication,

MD5

or

SHA

. The authentication method determines how

the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a

one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure.

Make sure both ends of the VPN tunnel use the same authentication method.

Encryption Key. This field specifies a key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal

values in the

Encryption Key

field. If you selected DES as the encryption method, then the Encryption Key

must be 16-bit, which requires 16 hexadecimal values. If you do not enter enough hexadecimal values, then

the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be

16-bit. If you selected 3DES as the encryption method, then the Encryption Key must be 48-bit, which

requires 48 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the

Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 48-bit. Make sure

both ends of the VPN tunnel use the same Encryption Key.

Authentication Key. This field specifies a key used to authenticate IP traffic. Enter a key of hexadecimal values

in the

Authentication Key

field. If you selected MD5 as the authentication method, then the Authentication Key

must be 32-bit, which requires 32 hexadecimal values. If you do not enter enough hexadecimal values, then

the rest of the Encryption Key will be automatically completed with zeroes, so the Authentication Key will be

32-bit. If you selected SHA1 as the authentication method, then the Authentication Key must be 40-bit, which

requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the

Authentication Key will be automatically completed with zeroes, so the Authentication Key will be 40-bit.

Make sure both ends of the VPN tunnel use the same Authentication Key.

Click the

Save Settings

button to save your changes, or click the

Cancel Changes

button to undo the changes.

Advanced

For most users, the settings on the VPN page should suffice; however, the Router provides advanced IPSec

settings for advanced users. Click the

Advanced

button to view the Advanced settings, which are available only

for VPN tunnels using the IKE with Preshared Key mode.

Aggressive Mode. There are two types of Phase 1 exchanges, Main Mode and Aggressive Mode.

Aggressive Mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If

network security is preferred, leave the

Aggressive Mode

checkbox unchecked. If network speed is preferred,

Figure 6-70: IKE with Preshared Key - Advanced

Downloaded from

www.Manualslib.com

manuals search engine

59

Chapter 6: Setting up and Configuring the Router

VPN Tab - Client to Gateway

10/100 16-Port VPN Router

select

Aggressive Mode

. If you select one of the Dynamic IP types for the Remote Security Gateway Type

setting, then Main Mode will be unavailable, so Aggressive Mode will be used.

Compress (Support IP Payload compression Protocol (IP Comp)). The Router supports IP Payload Compression

Protocol, which is used to reduce the size of IP datagrams. If this feature is enabled, the Router will propose

compression when initiating a connection. If the responders reject this proposal, then the Router will not

implement compression. When the Router works as a responder, the Router will always accept compression

even when the Compress feature has not been enabled. Select

Compress

to support this protocol.

Keep-Alive. This feature helps maintain the connections of IPSec tunnels. Whenever a connection is dropped

and the drop is detected, then the connection will be re-established immediately. Select

Keep-Alive

to enable

this feature.

AH Hash Algorithm. The AH (Authentication Header) protocol describes the packet format and default

standards for packet structure. If AH is used as a security protocol, portions of the original IP header are used

to verify the integrity of the entire packet during the hashing process, so protection is extended forward into

the IP header. Select an algorithm,

MD5

or

SHA1

. MD5 produces a 128-bit digest to authenticate packet data,

and SHA1 produces a 160-bit digest to authenticate packet data. Both ends of the VPN tunnel should use the

same AH Hash Algorithm.

NetBIOS Broadcast. Click the checkbox if you want NetBIOS traffic to pass through the VPN tunnel. By default,

the Router blocks these broadcasts.

Click the

Save Settings

button to save your changes, or click the

Cancel Changes

button to undo the changes.

VPN Tab - Client to Gateway

Use this screen to create a new tunnel between a local VPN device and a mobile user.

Add a New Tunnel

You can select

Tunnel

to create a tunnel for a single mobile user, or select

Group VPN

to create tunnels for

multiple VPN clients. The Group VPN feature facilitates the setup of tunnels for multiple VPN clients, so you do not

need to individually configure multiple remote VPN clients. After you have selected Tunnel or Group VPN, the

settings available on this screen may change, depending on which selection you have made.

Tunnel No. A tunnel number between 1-50 will be automatically generated.

Tunnel Name. Enter a name for this VPN tunnel, such as Home Office or New York Branch. This allows you to

identify multiple tunnels and does not have to match the name used at the other end of the tunnel.

Figure 6-71: Client to Gateway

Downloaded from

www.Manualslib.com

manuals search engine