Linksys RV016 Router Manual PDF (Setup & Configuration Guide)

Home

Manuals

Linksys

RV016

Page 71 / 127 Scroll up to view Page 66 - 70

Chapter 6: Setting up and Configuring the Router

VPN Tab - Client to Gateway

10/100 16-Port VPN Router

Interface. Select the appropriate Interface (WAN1, WAN2...) from the pull-down menu. If you designate more than

two WAN ports on the Network or Port Management page, then additional WAN ports will be available.

Enable. Check this box to enable this VPN tunnel.

Group VPN

The Group VPN settings will appear only if you are adding a new Group VPN. Up to two Group VPNs are supported

by the Router.

Group No. A group number will be automatically generated.

Group Name. Enter a name for this Group VPN, such as American Managers Group or West Coast Locations.

Interface. Select the appropriate Interface (WAN1, WAN2...) from the pull-down menu. If you designate more than

two WAN ports on the Network or Port Management page, then additional WAN ports will be available.

Enable. Check the box to enable this Group VPN.

Local Group Setup

Local Security Gateway Type (not applicable to Group VPNs)

Select one of these five available types:

IP Only

IP + Domain Name(FQDN) Authentication

IP + E-mail

Addr.(USER FQDN) Authentication

Dynamic IP + Domain Name(FQDN) Authentication

, or

Dynamic IP +

E-mail Addr.(USER FQDN) Authentication

(If you want to use a Fully Qualified Domain Name (FQDN) for authentication but you do not have one, visit

www.dyndns.org to set up a Dynamic Domain Name System (DDNS) account. Then enable and configure the

10/100 16-Port VPN Router’s DDNS settings on the

DDNS

screen.)

The Local Security Gateway Type you select should match the Remote Security Gateway Type selected on the

remote VPN client(s) at the other end of the tunnel(s).

After you have selected the Local Security Gateway Type, the settings available on this screen may change,

depending on which selection you have made.

IP Only. If you select IP Only, then only the computer with a specific IP address will be able to access the

tunnel. The WAN (or Internet) IP address of the Router will automatically appear in the

IP address

field.

Figure 6-72: Local Security Gateway Type - IP Only

Figure 6-73: Local Security Gateway Type -

IP + Domain Name (FQDN) Authentication

Downloaded from

www.Manualslib.com

manuals search engine

Page 72 / 127

Chapter 6: Setting up and Configuring the Router

VPN Tab - Client to Gateway

10/100 16-Port VPN Router

IP + Domain Name(FQDN) Authentication. If you select this type, enter the FQDN (Fully Qualified Domain

Name) in the

Domain Name

field, and an IP address will automatically appear in the

IP address

field. The

FQDN is the host name and domain name for a specific computer on the Internet. An example of a FQDN is

vpn.myvpnserver.com. The FQDN and IP address must match the FQDN and IP address of the Remote Client at

the other end of the tunnel. The FQDN and IP can be used for only one tunnel connection.

IP + E-mail Addr.(USER FQDN) Authentication. If you select this type, enter the appropriate e-mail address in

the

E-mail address

fields, and an IP address will automatically appear in the

IP address

field.

Dynamic IP + Domain Name(FQDN) Authentication. If the Local Security Gateway has a dynamic IP and you

want to use the Domain Name for authentication, then select this type. When the Remote Client asks to create

a tunnel with the Router, the Router will work as a responder. For authentication, complete the

Domain Name

field, and make sure it matches the Domain Name set on the Remote Client. The Domain Name can be used

for only one tunnel connection, so you can’t use the same Domain Name to create another new tunnel

connection.

Dynamic IP + E-mail Addr.(USER FQDN) Authentication. If the Local Security Gateway has a dynamic IP and

you want to use the e-mail address for authentication, then select this type. When the Remote Client asks to

create a tunnel with the Router, the Router will work as a responder. For authentication, enter the appropriate

e-mail address in the

E-mail address

fields.

Local Security Group Type

Select the local LAN user(s) behind the Router that can use this VPN tunnel. Select one of these three available

types:

Subnet

, or

IP Range

. The Local Security Group Type you select should match the Remote Security

Group Type selected on the remote VPN client(s) at the other end of the tunnel(s).

After you have selected the Local Security Group Type, the settings available on this screen may change,

depending on which selection you have made.

IP. If you select IP Only, then only the computer with a specific IP address will be able to access the tunnel.

Enter the appropriate IP address. The default IP is

192.168.1.0

Subnet. If you select Subnet, which is the default, then all computers on the local subnet will be able to

access the tunnel. Complete the

IP address

and

Subnet Mask

fields. The default IP is

192.168.1.0

, and the

default Subnet Mask is

255.255.255.0

IP Range. If you select IP Range, then you can specify a range of IP addresses within the subnet that will be

able to access the tunnel. Complete the

IP range

fields. The default IP Range is

192.168.1.0~254

Figure 6-77: Local Security Group Type - IP

Figure 6-78: Local Security Group Type - Subnet

Figure 6-79: Local Security Group Type - IP Range

Figure 6-75: Local Security Gateway Type -

Dynamic IP + Domain Name (FQDN) Authentication

Figure 6-74: Local Security Gateway Type -

IP + E-mail Addr. (USER FQDN) Authentication

Figure 6-76: Local Security Gateway Type -

Dynamic IP + E-mail Addr. (USER FQDN) Authentication

Downloaded from

www.Manualslib.com

manuals search engine

Page 73 / 127

Chapter 6: Setting up and Configuring the Router

VPN Tab - Client to Gateway

10/100 16-Port VPN Router

Remote Client Setup for a VPN Tunnel

You will have different Remote Client Setup settings depending on whether you are adding a new tunnel or a new

Group VPN. If you are adding a new Group VPN, proceed to the “Remote Client Setup for a Group VPN” section.

Remote Client

Select one of these five available types:

IP Only

IP + Domain Name(FQDN) Authentication

IP + E-mail

Addr.(USER FQDN) Authentication

Dynamic IP + Domain Name(FQDN) Authentication

, or

Dynamic IP +

E-mail Addr.(USER FQDN) Authentication

(If you want the remote client to use a Fully Qualified Domain Name (FQDN) for authentication but the remote

client does not have one, visit www.dyndns.org to set up a Dynamic Domain Name System (DDNS) account.)

After you have selected the Remote Client, the settings available on this screen may change, depending on which

selection you have made.

IP Only. If you know the fixed IP address of the Remote Client, select IP Only. Only the computer with this

specific IP address will be able to access the tunnel. In the

IP address

field, enter the IP address of the

Remote Client at the other end of the tunnel. (The Remote Client can be a computer with VPN client software

that support IPSec.)

IP + Domain Name(FQDN) Authentication. If you select this type, enter the FQDN (Fully Qualified Domain

Name) and IP address of the Remote Client, which can be a computer with VPN client software that supports

IPSec. (Enter the FQDN in the

Domain Name

field, and enter the IP address in the

IP address

field.) The FQDN

is the host name and domain name for a specific computer on the Internet. An example of a FQDN is

vpn.remotevpnserver.com. The FQDN and IP address must match the FQDN and IP address of the Local

Security Gateway type selected on the Remote Client. The FQDN and IP can be used for only one tunnel

connection.

IP + E-mail Addr.(User FQDN) Authentication. If you select this type, enter the e-mail address and IP address

of the Remote Client at the other end of the tunnel. (The Remote Client can be a computer with VPN client

software that support IPSec.)

Dynamic IP + Domain Name(FQDN) Authentication. If the Remote Security Gateway has a dynamic IP and you

want to use the Domain Name for authentication, then select this type. When the Remote Security Gateway

asks to create a tunnel with the Router, the Router will work as a responder. For authentication, complete the

Domain Name

field, and make sure it matches the Domain Name set on the Local Gateway of the Remote

Client. The Domain Name can be used for only one tunnel connection, so you can’t use the same Domain

Name to create another new tunnel connection.

Figure 6-83: Remote Client for VPN Tunnel -

Dynamic IP + Domain Name (FQDN) Authentication

Figure 6-82: Remote Client for VPN Tunnel -

IP + E-mail Addr. (User FQDN) Authentication

Figure 6-80: Remote Client for VPN Tunnel - IP Only

Figure 6-81: Remote Client for VPN Tunnel -

IP + Domain Name (FQDN) Authentication

Downloaded from

www.Manualslib.com

manuals search engine

Page 74 / 127

Chapter 6: Setting up and Configuring the Router

VPN Tab - Client to Gateway

10/100 16-Port VPN Router

Dynamic IP + E-mail Addr.(User FQDN) Authentication. If the Remote Security Gateway has a dynamic IP and

you want to use the e-mail address for authentication, then select this type. When the Remote Security

Gateway asks to create a tunnel with the Router, the Router will work as a responder. For authentication,

enter the appropriate e-mail address in the

E-mail address

fields.

Remote Client Setup for a Group VPN

Remote Client. There are three types of Remote Client: Domain Name (FQDN), E-mail Address (User FQDN), and

Microsoft XP/2000 VPN Client.

Remote Client

Select one of these three types:

Domain Name(FQDN)

E-mail Address(USER FQDN)

, or

Microsoft XP/2000

VPN Client

(If you want to use an FQDN (Fully Qualified Domain Name) but you have not set it up, visit www.dyndns.org to set

up a Dynamic Domain Name System (DDNS) account.)

After you have selected the Remote Client, the settings available on this screen may change, depending on which

selection you have made.

Domain Name(FQDN). If you select this type, enter the FQDN (Fully Qualified Domain Name) of the Remote

Client in the

Domain Name

field. The FQDN is the host name and domain name for a specific computer on the

Internet. An example of a FQDN is vpn.remotevpnserver.com. The FQDN must match the FQDN setting on the

Remote Client. When the Remote Client asks to create a tunnel with the Router, the Router will work as a

responder.

E-mail Address(USER FQDN). If you select this type, enter the e-mail address of the Remote Client at the other

end of the tunnel.

Microsoft XP/2000 VPN Client. If the Remote Client has a dynamic IP address and is a Microsoft VPN client,

select this type. The difference between Microsoft and other VPN clients is that the Microsoft VPN client does

not support Aggressive Mode and the two Remote Client options, Domain Name(FQDN) and E-mail

Address(USER FQDN).

IPSec Setup

In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption,

decryption, and authentication. This is done by sharing a key to the encryption code. For key management, there

are two modes available; select

Manual

IKE with Preshared Key

. Both ends of a VPN tunnel must use the

same mode of key management.

Figure 6-85: Remote Client for Group VPN -

Domain Name (FQDN)

Figure 6-86: Remote Client for Group VPN -

E-mail Address (USER FQDN)

Figure 6-84: Remote Client for VPN Tunnel -

Dynamic IP + E-mail Addr. (User FQDN) Authentication

Figure 6-87: Remote Client for Group VPN -

Microsoft XP/2000 VPN Client

Downloaded from

www.Manualslib.com

manuals search engine

Page 75 / 127

Chapter 6: Setting up and Configuring the Router

VPN Tab - Client to Gateway

10/100 16-Port VPN Router

After you have selected the Keying Mode, the settings available on this screen may change, depending on which

selection you have made.

IKE with Preshared Key

IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the

Preshared Key to authenticate the remote IKE peer.

Phase 1 DH Group. Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used

during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different

prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is

preferred, select

Group 1

. If network security is preferred, select

Group 5

Phase 1 Encryption. Select a method of encryption,

DES

3DES

. The encryption method determines the

length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses168-bit

encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the

same encryption method.

Phase 1 Authentication. Select a method of authentication,

MD5

SHA

. The authentication method

determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit

digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it

is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Phase 1 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 1. The default value is

28800

seconds.

Perfect Forward Secrecy. If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will

generate new key material for IP traffic encryption and authentication, so hackers using brute force to break

encryption keys will not be able to obtain future IPSec keys.

Phase 2 DH Group. If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so

you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1). There are

three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536

bits. If network speed is preferred, select

Group 1

. If network security is preferred, select

Group 5

. You do not

have to use the same DH Group that you used for Phase 1.

Phase 2 Encryption. Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec

sessions. Select a method of encryption,

DES

3DES

. The encryption method determines the length of the

key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption.

3DES is recommended because it is more secure. If you enable the AH Hash Algorithm on the

Advanced

screen, then it is recommended to select

Null

to disable the encryption and decryption of ESP packets in

Figure 6-88: IPSec Setup - IKE with

Preshared Key

Downloaded from

www.Manualslib.com

manuals search engine

Rate

Popular Linksys Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share