60
Chapter 6: Setting up and Configuring the Router
VPN Tab - Client to Gateway
10/100 16-Port VPN Router
Interface. Select the appropriate Interface (WAN1, WAN2...) from the pull-down menu. If you designate more than
two WAN ports on the Network or Port Management page, then additional WAN ports will be available.
Enable. Check this box to enable this VPN tunnel.
Group VPN
The Group VPN settings will appear only if you are adding a new Group VPN. Up to two Group VPNs are supported
by the Router.
Group No. A group number will be automatically generated.
Group Name. Enter a name for this Group VPN, such as American Managers Group or West Coast Locations.
Interface. Select the appropriate Interface (WAN1, WAN2...) from the pull-down menu. If you designate more than
two WAN ports on the Network or Port Management page, then additional WAN ports will be available.
Enable. Check the box to enable this Group VPN.
Local Group Setup
Local Security Gateway Type (not applicable to Group VPNs)
Select one of these five available types: IP Only, IP + Domain Name(FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name(FQDN) Authentication, or Dynamic IP + E-mail Addr.(USER FQDN) Authentication.
(If you want to use a Fully Qualified Domain Name (FQDN) for authentication but you do not have one, visit www.dyndns.org to set up a Dynamic Domain Name System (DDNS) account. Then enable and configure the 10/100 16-Port VPN Router’s DDNS settings on the DDNS screen.)
The Local Security Gateway Type you select should match the Remote Security Gateway Type selected on the
remote VPN client(s) at the other end of the tunnel(s).
After you have selected the Local Security Gateway Type, the settings available on this screen may change,
depending on which selection you have made.
IP Only. If you select IP Only, then only the computer with a specific IP address will be able to access the tunnel. The WAN (or Internet) IP address of the Router will automatically appear in the IP address field.
Figure 6-72: Local Security Gateway Type - IP Only
Figure 6-73: Local Security Gateway Type - IP + Domain Name (FQDN) Authentication
Downloaded from www.Manualslib.com manuals search engine
IP + Domain Name(FQDN) Authentication. If you select this type, enter the FQDN (Fully Qualified Domain Name) in the Domain Name field, and an IP address will automatically appear in the IP address field. The FQDN is the host name and domain name for a specific computer on the Internet. An example of a FQDN is vpn.myvpnserver.com. The FQDN and IP address must match the FQDN and IP address of the Remote Client at the other end of the tunnel. The FQDN and IP can be used for only one tunnel connection.
IP + E-mail Addr.(USER FQDN) Authentication. If you select this type, enter the appropriate e-mail address in the E-mail address fields, and an IP address will automatically appear in the IP address field.
Dynamic IP + Domain Name(FQDN) Authentication. If the Local Security Gateway has a dynamic IP and you want to use the Domain Name for authentication, then select this type. When the Remote Client asks to create a tunnel with the Router, the Router will work as a responder. For authentication, complete the Domain Name field, and make sure it matches the Domain Name set on the Remote Client. The Domain Name can be used for only one tunnel connection, so you can’t use the same Domain Name to create another new tunnel connection.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication. If the Local Security Gateway has a dynamic IP and you want to use the e-mail address for authentication, then select this type. When the Remote Client asks to create a tunnel with the Router, the Router will work as a responder. For authentication, enter the appropriate e-mail address in the E-mail address fields.
Local Security Group Type
Select the local LAN user(s) behind the Router that can use this VPN tunnel. Select one of these three available types: IP, Subnet, or IP Range. The Local Security Group Type you select should match the Remote Security Group Type selected on the remote VPN client(s) at the other end of the tunnel(s).
After you have selected the Local Security Group Type, the settings available on this screen may change, depending on which selection you have made.
IP. If you select IP, then only the computer with a specific IP address will be able to access the tunnel. Enter the appropriate IP address. The default IP is 192.168.1.0.
Subnet. If you select Subnet, which is the default, then all computers on the local subnet will be able to access the tunnel. Complete the IP address and Subnet Mask fields. The default IP is 192.168.1.0, and the default Subnet Mask is 255.255.255.0.
IP Range. If you select IP Range, then you can specify a range of IP addresses within the subnet that will be able to access the tunnel. Complete the IP range fields. The default IP Range is 192.168.1.0~254.
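An added example, not the manual's or the Router's own code, that models which local hosts each of the three Local Security Group Types admits to the tunnel. It assumes the IP Range notation works the way the default 192.168.1.0~254 suggests, with the part after the tilde being the last octet of the range end.

```python
# Added example, not the Router's own code: models which local hosts the three
# Local Security Group Types admit to the tunnel. Assumption: in the IP Range
# notation (e.g. 192.168.1.0~254) the part after "~" is the last octet of the end.
import ipaddress

def parse_ip_range(text):
    """Parse '192.168.1.0~254' into (first, last) IPv4Address objects."""
    base, sep, end_octet = text.partition("~")
    if not sep or not end_octet.isdigit():
        raise ValueError("IP Range must look like 192.168.1.0~254")
    first = ipaddress.IPv4Address(base)
    if not 0 <= int(end_octet) <= 255:
        raise ValueError("range end octet must be 0-255")
    last = ipaddress.IPv4Address(base.rsplit(".", 1)[0] + "." + end_octet)
    if last < first:
        raise ValueError("range end precedes range start")
    return first, last

def in_local_security_group(group_type, host, ip=None, mask=None, ip_range=None):
    """Return True if `host` may use the tunnel under the given Local Security
    Group settings. group_type is 'IP', 'Subnet' or 'IP Range'."""
    h = ipaddress.IPv4Address(host)
    if group_type == "IP":          # a single computer
        return h == ipaddress.IPv4Address(ip)
    if group_type == "Subnet":      # every host on the local subnet
        return h in ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    if group_type == "IP Range":    # a contiguous slice of the subnet
        first, last = parse_ip_range(ip_range)
        return first <= h <= last
    raise ValueError(f"unknown Local Security Group Type: {group_type}")

if __name__ == "__main__":
    # Constructed sample hosts checked against the manual's default settings
    for host in ("192.168.1.10", "192.168.1.255", "192.168.2.1"):
        print(host,
              in_local_security_group("Subnet", host, ip="192.168.1.0", mask="255.255.255.0"),
              in_local_security_group("IP Range", host, ip_range="192.168.1.0~254"))
```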
Figure 6-74: Local Security Gateway Type - IP + E-mail Addr. (USER FQDN) Authentication
Figure 6-75: Local Security Gateway Type - Dynamic IP + Domain Name (FQDN) Authentication
Figure 6-76: Local Security Gateway Type - Dynamic IP + E-mail Addr. (USER FQDN) Authentication
Figure 6-77: Local Security Group Type - IP
Figure 6-78: Local Security Group Type - Subnet
Figure 6-79: Local Security Group Type - IP Range
Remote Client Setup for a VPN Tunnel
You will have different Remote Client Setup settings depending on whether you are adding a new tunnel or a new
Group VPN. If you are adding a new Group VPN, proceed to the “Remote Client Setup for a Group VPN” section.
Remote Client
Select one of these five available types: IP Only, IP + Domain Name(FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name(FQDN) Authentication, or Dynamic IP + E-mail Addr.(USER FQDN) Authentication.
(If you want the remote client to use a Fully Qualified Domain Name (FQDN) for authentication but the remote
client does not have one, visit www.dyndns.org to set up a Dynamic Domain Name System (DDNS) account.)
After you have selected the Remote Client, the settings available on this screen may change, depending on which
selection you have made.
IP Only. If you know the fixed IP address of the Remote Client, select IP Only. Only the computer with this specific IP address will be able to access the tunnel. In the IP address field, enter the IP address of the Remote Client at the other end of the tunnel. (The Remote Client can be a computer with VPN client software that supports IPSec.)
IP + Domain Name(FQDN) Authentication. If you select this type, enter the FQDN (Fully Qualified Domain Name) and IP address of the Remote Client, which can be a computer with VPN client software that supports IPSec. (Enter the FQDN in the Domain Name field, and enter the IP address in the IP address field.) The FQDN is the host name and domain name for a specific computer on the Internet. An example of a FQDN is vpn.remotevpnserver.com. The FQDN and IP address must match the FQDN and IP address of the Local Security Gateway type selected on the Remote Client. The FQDN and IP can be used for only one tunnel connection.
IP + E-mail Addr.(User FQDN) Authentication. If you select this type, enter the e-mail address and IP address of the Remote Client at the other end of the tunnel. (The Remote Client can be a computer with VPN client software that supports IPSec.)
Dynamic IP + Domain Name(FQDN) Authentication. If the Remote Security Gateway has a dynamic IP and you want to use the Domain Name for authentication, then select this type. When the Remote Security Gateway asks to create a tunnel with the Router, the Router will work as a responder. For authentication, complete the Domain Name field, and make sure it matches the Domain Name set on the Local Gateway of the Remote Client. The Domain Name can be used for only one tunnel connection, so you can’t use the same Domain Name to create another new tunnel connection.
Figure 6-80: Remote Client for VPN Tunnel - IP Only
Figure 6-81: Remote Client for VPN Tunnel - IP + Domain Name (FQDN) Authentication
Figure 6-82: Remote Client for VPN Tunnel - IP + E-mail Addr. (User FQDN) Authentication
Figure 6-83: Remote Client for VPN Tunnel - Dynamic IP + Domain Name (FQDN) Authentication
Dynamic IP + E-mail Addr.(User FQDN) Authentication. If the Remote Security Gateway has a dynamic IP and you want to use the e-mail address for authentication, then select this type. When the Remote Security Gateway asks to create a tunnel with the Router, the Router will work as a responder. For authentication, enter the appropriate e-mail address in the E-mail address fields.
Remote Client Setup for a Group VPN
Remote Client. There are three types of Remote Client: Domain Name (FQDN), E-mail Address (User FQDN), and
Microsoft XP/2000 VPN Client.
Remote Client
Select one of these three types: Domain Name(FQDN), E-mail Address(USER FQDN), or Microsoft XP/2000 VPN Client.
(If you want to use an FQDN (Fully Qualified Domain Name) but you have not set it up, visit www.dyndns.org to set
up a Dynamic Domain Name System (DDNS) account.)
After you have selected the Remote Client, the settings available on this screen may change, depending on which
selection you have made.
Domain Name(FQDN). If you select this type, enter the FQDN (Fully Qualified Domain Name) of the Remote Client in the Domain Name field. The FQDN is the host name and domain name for a specific computer on the Internet. An example of a FQDN is vpn.remotevpnserver.com. The FQDN must match the FQDN setting on the Remote Client. When the Remote Client asks to create a tunnel with the Router, the Router will work as a responder.
E-mail Address(USER FQDN). If you select this type, enter the e-mail address of the Remote Client at the other
end of the tunnel.
Microsoft XP/2000 VPN Client. If the Remote Client has a dynamic IP address and is a Microsoft VPN client,
select this type. The difference between Microsoft and other VPN clients is that the Microsoft VPN client does
not support Aggressive Mode and the two Remote Client options, Domain Name(FQDN) and E-mail
Address(USER FQDN).
IPSec Setup
In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. This is done by sharing a key to the encryption code. For key management, there are two modes available; select Manual or IKE with Preshared Key. Both ends of a VPN tunnel must use the same mode of key management.
Figure 6-84: Remote Client for VPN Tunnel - Dynamic IP + E-mail Addr. (User FQDN) Authentication
Figure 6-85: Remote Client for Group VPN - Domain Name (FQDN)
Figure 6-86: Remote Client for Group VPN - E-mail Address (USER FQDN)
Figure 6-87: Remote Client for Group VPN - Microsoft XP/2000 VPN Client
After you have selected the Keying Mode, the settings available on this screen may change, depending on which
selection you have made.
IKE with Preshared Key
IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the
Preshared Key to authenticate the remote IKE peer.
Phase 1 DH Group. Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.
Phase 1 Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Phase 1 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 1. The default value is 28800 seconds.
Perfect Forward Secrecy. If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will
generate new key material for IP traffic encryption and authentication, so hackers using brute force to break
encryption keys will not be able to obtain future IPSec keys.
Phase 2 DH Group. If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1). There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You do not have to use the same DH Group that you used for Phase 1.
Phase 2 Encryption. Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. 3DES is recommended because it is more secure. If you enable the AH Hash Algorithm on the Advanced screen, then it is recommended to select Null to disable the encryption and decryption of ESP packets in
Figure 6-88: IPSec Setup - IKE with Preshared Key
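As an added example (not the manual's or the Router's code), a Python check that applies the IKE with Preshared Key rules above to the settings of both tunnel ends: both must agree on keying mode and every Phase 1 option, the Phase 2 DH Group is only negotiated when PFS is on, and DES, MD5, Group 1, disabled PFS and Null ESP encryption without AH are the weaker choices the manual steers away from. The field names and the sample proposals are assumptions made for this example.

```python
# Added example, not the Router's own code: a consistency check for the
# "IKE with Preshared Key" settings of both tunnel ends. Field names and the
# sample proposals are constructed for illustration.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}   # prime lengths given in the manual

# The options the manual recommends, as a constructed sample proposal
# ("p1"/"p2" = Phase 1/Phase 2; "ah_hash" = AH Hash Algorithm on the Advanced screen)
RECOMMENDED = {
    "keying_mode": "IKE with Preshared Key",
    "p1_dh_group": 5, "p1_encryption": "3DES", "p1_authentication": "SHA",
    "p1_sa_lifetime": 28800, "pfs": True,
    "p2_dh_group": 5, "p2_encryption": "3DES", "ah_hash": False,
}

def check_ike_proposal(local, remote):
    """Compare the two ends' settings and flag weak choices. Returns a list of
    findings; an empty list means both ends agree on the recommended options."""
    findings = []
    # Both ends must use the same keying mode and the same Phase 1 choices.
    must_match = ["keying_mode", "p1_dh_group", "p1_encryption",
                  "p1_authentication", "p1_sa_lifetime", "pfs", "p2_encryption"]
    # Phase 2 DH Group only matters when PFS is enabled; with PFS off the
    # Phase 2 key matches the Phase 1 key, so the setting is not negotiated.
    if local["pfs"] and remote["pfs"]:
        must_match.append("p2_dh_group")
    for key in must_match:
        if local[key] != remote[key]:
            findings.append(f"{key} differs: {local[key]!r} vs {remote[key]!r}")
    # Strength warnings, judged against the manual's own recommendations.
    for side, cfg in (("local", local), ("remote", remote)):
        if "DES" in (cfg["p1_encryption"], cfg["p2_encryption"]):
            findings.append(f"{side}: DES is 56-bit; the manual recommends 3DES")
        if cfg["p1_authentication"] == "MD5":
            findings.append(f"{side}: MD5 gives a 128-bit digest; the manual recommends SHA")
        if cfg["p1_dh_group"] == 1:
            findings.append(f"{side}: DH Group 1 is {DH_GROUP_BITS[1]}-bit; select Group 5 "
                            "if security is preferred")
        if not cfg["pfs"]:
            findings.append(f"{side}: PFS off, so Phase 2 does not generate new key material")
        if cfg["p2_encryption"] == "Null" and not cfg["ah_hash"]:
            findings.append(f"{side}: Null ESP encryption is only meant for use with the AH "
                            "Hash Algorithm; without it ESP payloads are sent in the clear")
    return findings

if __name__ == "__main__":
    weak = dict(RECOMMENDED, p1_encryption="DES", pfs=False)  # constructed remote end
    for line in check_ike_proposal(RECOMMENDED, weak):
        print(line)
```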