Chapter 6: Setting up and Configuring the Router
VPN Tab - Client to Gateway
10/100 16-Port VPN Router
Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN
tunnel must use the same Phase 2 Encryption setting: DES, 3DES, or Null.
Phase 2 Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. If you enable the AH Hash Algorithm on the Advanced screen, then it is recommended to select Null to disable the authentication of ESP packets in Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Authentication setting: MD5, SHA, or Null.
Phase 2 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 2. The default value is 3600 seconds.
Preshared Key. This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of
keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of
30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is
strongly recommended that you change the Preshared Key periodically to maximize VPN security.
Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
Manual (not applicable to Group VPNs)
Basically, manual key management is used in small static environments or for troubleshooting purposes. If you
select Manual, you generate the key yourself, so no key negotiation is needed.
Incoming SPI (Security Parameter Index). The SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to identify the Security Association (SA) under which a packet should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI. The Incoming SPI of the Router must match the Outgoing SPI set on the remote VPN device at the other end of the tunnel. For example, if the Incoming SPI is 20123, then the Outgoing SPI would be 32102.
Outgoing SPI (Security Parameter Index). The SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to identify the SA under which a packet should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI. The Outgoing SPI of the Router must match the Incoming SPI set on the remote VPN device at the other end of the tunnel. For example, if the Outgoing SPI is 32102, then the Incoming SPI would be 20123.
Figure 6-89: IPSec Setup - Manual
Encryption. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.
Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Encryption Key. This field specifies a key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal values in the Encryption Key field. If you selected DES as the encryption method, then the Encryption Key must be 16-bit, which requires 16 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 16-bit. If you selected 3DES as the encryption method, then the Encryption Key must be 48-bit, which requires 48 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 48-bit. Make sure both ends of the VPN tunnel use the same Encryption Key.
Authentication Key. This field specifies a key used to authenticate IP traffic. Enter a key of hexadecimal values in the Authentication Key field. If you selected MD5 as the authentication method, then the Authentication Key must be 32-bit, which requires 32 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Authentication Key will be automatically completed with zeroes, so the Authentication Key will be 32-bit. If you selected SHA1 as the authentication method, then the Authentication Key must be 40-bit, which requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Authentication Key will be automatically completed with zeroes, so the Authentication Key will be 40-bit. Make sure both ends of the VPN tunnel use the same Authentication Key.
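As an added example (not from this manual or the Router's firmware), the following Python checks the two ends of a manually keyed tunnel against the rules stated in this section: the hexadecimal SPI range and mirrored Incoming/Outgoing SPIs, and the zero-completion of short Encryption and Authentication Keys. It also flags a key that had to be padded, since the zero-filled part of the key is predictable. The field names and the assumption that zeroes are appended to the end of a short key are the example's own.

```python
# Added example, not the Router's own code: field names such as "spi_in" are assumptions.
KEY_HEX_DIGITS = {"DES": 16, "3DES": 48, "MD5": 32, "SHA1": 40}  # hex digits per key field
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF                             # documented SPI range

def pad_key(key: str, algorithm: str) -> str:
    """Complete a short hex key with zeroes as the Router does (appending is assumed)."""
    need = KEY_HEX_DIGITS[algorithm]
    if not 0 < len(key) <= need or any(c not in "0123456789abcdefABCDEF" for c in key):
        raise ValueError(f"{algorithm} key must be 1-{need} hex digits")
    return key.lower().ljust(need, "0")

def parse_spi(spi: str) -> int:
    """Parse a hexadecimal SPI and enforce the documented 100..ffffffff range."""
    value = int(spi, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {spi} outside 100..ffffffff")
    return value

def validate_tunnel(local: dict, remote: dict) -> list:
    """Return the mismatches between the two ends of a tunnel; empty means they agree."""
    problems = [f"{m} method differs between ends"
                for m in ("encryption", "authentication") if local[m] != remote[m]]
    for field, method in (("enc_key", "encryption"), ("auth_key", "authentication")):
        try:
            lk, rk = pad_key(local[field], local[method]), pad_key(remote[field], remote[method])
        except (ValueError, KeyError) as exc:
            problems.append(f"{field}: {exc}")
            continue
        if lk != rk:
            problems.append(f"{field} differs between ends after zero padding")
        if len(local[field]) < len(lk):  # padding fills the key with predictable zero bits
            problems.append(f"{field} was zero-padded; enter all {len(lk)} hex digits")
    try:
        l_in, l_out, r_in, r_out = [parse_spi(end[f]) for end in (local, remote)
                                    for f in ("spi_in", "spi_out")]
    except ValueError as exc:
        return problems + [str(exc)]
    if l_in == l_out or r_in == r_out:
        problems.append("incoming and outgoing SPI must differ")
    if (l_in, l_out) != (r_out, r_in):
        problems.append("SPIs are not mirrored between the two ends")
    return problems

# Constructed sample using this section's SPI values; the keys are made up.
LOCAL = {"encryption": "DES", "authentication": "MD5", "enc_key": "4d795f4031323334",
         "auth_key": "0123456789abcdef0123456789abcdef", "spi_in": "20123", "spi_out": "32102"}
REMOTE = {**LOCAL, "spi_in": "32102", "spi_out": "20123"}
```

Calling `validate_tunnel(LOCAL, REMOTE)` returns an empty list for the sample; swapping only one SPI on the remote end, or entering a shorter key on either end, produces a message naming the field at fault.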
Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
Advanced
For most users, the settings on the VPN page should suffice; however, the Router provides advanced IPSec settings for advanced users. Click the Advanced button to view the Advanced settings, which are available only for VPN tunnels using the IKE with Preshared Key mode.
Aggressive Mode. There are two types of Phase 1 exchanges, Main Mode and Aggressive Mode. Aggressive Mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, leave the Aggressive Mode checkbox unchecked. If network speed is preferred, select Aggressive Mode. If you select one of the Dynamic IP types for the Remote Security Gateway Type setting, then Main mode will be unavailable, so Aggressive Mode will be used, unless the Remote Client is a Microsoft XP/2000 VPN client. For Microsoft XP/2000 VPN clients, Aggressive Mode will be unavailable, so Main mode will be used.
Figure 6-90: IKE with Preshared Key - Advanced
Compress (Support IP Payload Compression Protocol (IP Comp)). The Router supports IP Payload Compression Protocol, which is used to reduce the size of IP datagrams. If this feature is enabled, the Router will propose compression when initiating a connection. If the responders reject this proposal, then the Router will not implement compression. When the Router works as a responder, the Router will always accept compression even when the Compress feature has not been enabled. Select Compress to support this protocol.
Keep-Alive. This feature helps maintain the connections of IPSec tunnels. Whenever a connection is dropped and the drop is detected, then the connection will be re-established immediately. Select Keep-Alive to enable this feature.
AH Hash Algorithm. The AH (Authentication Header) protocol describes the packet format and default standards for packet structure. If AH is used as a security protocol, portions of the original IP header are used to verify the integrity of the entire packet during the hashing process, so protection is extended forward into the IP header. Select an algorithm, MD5 or SHA1. MD5 produces a 128-bit digest to authenticate packet data, and SHA1 produces a 160-bit digest to authenticate packet data. Both ends of the VPN tunnel should use the same AH Hash Algorithm.
NetBIOS Broadcast. Click the checkbox if you want NetBIOS traffic to pass through the VPN tunnel. By default,
the Router blocks these broadcasts.
Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
VPN Tab - VPN Pass Through
The VPN Passthrough screen allows you to enable or disable passthrough for a variety of VPN methods.
IPSec Pass Through
Internet Protocol Security (IPSec) is a suite of protocols used to implement secure exchange of packets at the IP
layer. IPSec Pass Through is enabled by default to allow IPSec tunnels to pass through the Router.
PPTP Pass Through
Point-to-Point Tunneling Protocol (PPTP) allows the Point-to-Point Protocol (PPP) to be tunneled through an IP
network. PPTP Pass Through is enabled by default.
L2TP Pass Through
Layer 2 Tunneling Protocol is the method used to enable Point-to-Point sessions via the Internet on the Layer 2
level. L2TP Pass Through is enabled by default.
Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
Figure 6-91: VPN Pass Through
Log Tab - System Log
On this screen you will be able to configure the Router’s log settings, so you can specify how you want its activity
logs handled.
Syslog
Syslog is a standard protocol used to capture information about network activity. The Router supports this
protocol and can send its activity logs to an external server.
Enable Syslog. If you check the box, the Router’s Syslog feature will be enabled.
Syslog Server. In addition to the standard event log, the Router can send a detailed log to an external Syslog server. The Router’s Syslog captures all log activities and includes this information about all data transmissions: every connection source and destination IP address, IP service, and number of bytes transferred. Enter the Syslog server name or IP address in the Syslog Server field. Click the Save Settings button to save your changes, and then restart the Router for the changes to take effect.
E-mail
You may want logs or alert messages to be e-mailed to you. If so, then configure the E-mail settings.
Enable E-Mail Alert. If you check the box, the Router’s E-Mail Alert feature will be enabled.
Mail Server. If you want any log or alert information e-mailed to you, then enter the name or numerical IP address
of your SMTP server. Your ISP can provide you with this information.
Send E-mail to. This is the e-mail address to which your log files will be sent. If you do not want copies of the log
information e-mailed to you, then leave this field blank.
Log Queue Length. You can designate the length of the log that will be e-mailed to you. The default is 50 entries, so unless you change this setting, the Router will e-mail the log to you when there are more than 50 log entries.
Log Time Threshold. You can designate how often the log will be e-mailed to you. The default is 10 minutes, so unless you change this setting, the Router will e-mail the log to you every 10 minutes.
The Router will e-mail the log every time the Log Queue Length or Log Time Threshold is reached.
E-mail Log Now. Click the E-mail Log Now button to immediately send the log to the address in the Send E-mail to field.
Figure 6-92: System Log