65

Chapter 6: Setting up and Configuring the Router

VPN Tab - Client to Gateway

10/100 16-Port VPN Router

Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN

tunnel must use the same Phase 2 Encryption setting: DES, 3DES, or Null.

Phase 2 Authentication. Select a method of authentication,

MD5

or

SHA

. The authentication method

determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit

digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it

is more secure. If you enable the AH Hash Algorithm on the

Advanced

screen, then it is recommended to

select

Null

to disable the authentication of ESP packets in Phase 2 (make sure the remote VPN device also

has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Authentication

setting: MD5, SHA, or Null.

Phase 2 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 2. The default value is

3600

seconds.

Preshared Key. This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of

keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of

30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is

strongly recommended that you change the Preshared Key periodically to maximize VPN security.

Click the

Save Settings

button to save your changes, or click the

Cancel Changes

button to undo the changes.

Manual (not applicable to Group VPNs)

Basically, manual key management is used in small static environments or for troubleshooting purposes. If you

select Manual, you generate the key yourself, so no key negotiation is needed.

Incoming SPI (Security Parameter Index). SPI is carried in the ESP (Encapsulating Security Payload Protocol)

header and enables the receiver and sender to send the Security Association (SA), under which a packet

should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from

100 to ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI. The Incoming SPI of the Router

must match the Outgoing SPI set on the remote VPN device at the other end of the tunnel. For example, if the

Incoming SPI is 20123, then the Outgoing SPI would be 32102.

Outgoing SPI (Security Parameter Index). SPI is carried in the ESP (Encapsulating Security Payload Protocol)

header and enables the receiver and sender to send the SA, under which a packet should be processed.

Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each

tunnel must have a unique Inbound SPI and Outbound SPI. The Outgoing SPI of the Router must match the

Incoming SPI set on the remote VPN device at the other end of the tunnel. For example, if the Outgoing SPI is

32102, then the Incoming SPI would be 20123.

Figure 6-89: IPSec Setup - Manual

Downloaded from

www.Manualslib.com

manuals search engine

66

Chapter 6: Setting up and Configuring the Router

VPN Tab - Client to Gateway

10/100 16-Port VPN Router

Encryption. Select a method of encryption,

DES

or

3DES

. The encryption method determines the length of the

key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption.

3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same

encryption method.

Authentication. Select a method of authentication,

MD5

or

SHA

. The authentication method determines how

the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a

one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure.

Make sure both ends of the VPN tunnel use the same authentication method.

Encryption Key. This field specifies a key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal

values in the

Encryption Key

field. If you selected DES as the encryption method, then the Encryption Key

must be 16-bit, which requires 16 hexadecimal values. If you do not enter enough hexadecimal values, then

the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be

16-bit. If you selected 3DES as the encryption method, then the Encryption Key must be 48-bit, which

requires 48 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the

Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 48-bit. Make sure

both ends of the VPN tunnel use the same Encryption Key.

Authentication Key. This field specifies a key used to authenticate IP traffic. Enter a key of hexadecimal values

in the

Authentication Key

field. If you selected MD5 as the authentication method, then the Authentication Key

must be 32-bit, which requires 32 hexadecimal values. If you do not enter enough hexadecimal values, then

the rest of the Encryption Key will be automatically completed with zeroes, so the Authentication Key will be

32-bit. If you selected SHA1 as the authentication method, then the Authentication Key must be 40-bit, which

requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the

Authentication Key will be automatically completed with zeroes, so the Authentication Key will be 40-bit.

Make sure both ends of the VPN tunnel use the same Authentication Key.

Click the

Save Settings

button to save your changes, or click the

Cancel Changes

button to undo the changes.

Advanced

For most users, the settings on the VPN page should suffice; however, the Router provides advanced IPSec

settings for advanced users. Click the

Advanced

button to view the Advanced settings, which are available only

for VPN tunnels using the IKE with Preshared Key mode.

Aggressive Mode. There are two types of Phase 1 exchanges, Main Mode and Aggressive Mode.

Aggressive Mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If

network security is preferred, leave the

Aggressive Mode

checkbox unchecked. If network speed is preferred,

select

Aggressive Mode

. If you select one of the Dynamic IP types for the Remote Security Gateway Type

Figure 6-90: IKE with Preshared Key - Advanced

Downloaded from

www.Manualslib.com

manuals search engine

67

Chapter 6: Setting up and Configuring the Router

VPN Tab - Client to Gateway

10/100 16-Port VPN Router

setting, then Main mode will be unavailable, so Aggressive Mode will be used—unless the Remote Client is

Microsoft XP/2000 VPN client. For Microsoft XP/2000 VPN clients, then Aggressive Mode will be unavailable,

so Main mode will be used.

Compress (Support IP Payload compression Protocol (IP Comp)). The Router supports IP Payload Compression

Protocol, which is used to reduce the size of IP datagrams. If this feature is enabled, the Router will propose

compression when initiating a connection. If the responders reject this proposal, then the Router will not

implement compression. When the Router works as a responder, the Router will always accept compression

even when the Compress feature has not been enabled. Select

Compress

to support this protocol.

Keep-Alive. This feature helps maintain the connections of IPSec tunnels. Whenever a connection is dropped

and the drop is detected, then the connection will be re-established immediately. Select

Keep-Alive

to enable

this feature.

AH Hash Algorithm. The AH (Authentication Header) protocol describes the packet format and default

standards for packet structure. If AH is used as a security protocol, portions of the original IP header are used

to verify the integrity of the entire packet during the hashing process, so protection is extended forward into

the IP header. Select an algorithm,

MD5

or

SHA1

. MD5 produces a 128-bit digest to authenticate packet data,

and SHA1 produces a 160-bit digest to authenticate packet data. Both ends of the VPN tunnel should use the

same AH Hash Algorithm.

NetBIOS Broadcast. Click the checkbox if you want NetBIOS traffic to pass through the VPN tunnel. By default,

the Router blocks these broadcasts.

Click the

Save Settings

button to save your changes, or click the

Cancel Changes

button to undo the changes.

Downloaded from

www.Manualslib.com

manuals search engine

68

Chapter 6: Setting up and Configuring the Router

VPN Tab - VPN Pass Through

10/100 16-Port VPN Router

VPN Tab - VPN Pass Through

The

VPN Passthrough

screen allows you to enable or disable passthrough for a variety of VPN methods.

IPSec Pass Through

Internet Protocol Security (IPSec) is a suite of protocols used to implement secure exchange of packets at the IP

layer. IPSec Pass Through is enabled by default to allow IPSec tunnels to pass through the Router.

PPTP Pass Through

Point-to-Point Tunneling Protocol (PPTP) allows the Point-to-Point Protocol (PPP) to be tunneled through an IP

network. PPTP Pass Through is enabled by default.

L2TP Pass Through

Layer 2 Tunneling Protocol is the method used to enable Point-to-Point sessions via the Internet on the Layer 2

level. L2TP Pass Through is enabled by default.

Click the

Save Settings

button to save your changes, or click the

Cancel Changes

button to undo the changes.

Figure 6-91: VPN Pass Through

Downloaded from

www.Manualslib.com

manuals search engine

69

Chapter 6: Setting up and Configuring the Router

Log Tab - System Log

10/100 16-Port VPN Router

Log Tab - System Log

On this screen you will be able to configure the Router’s log settings, so you can specify how you want its activity

logs handled.

Syslog

Syslog is a standard protocol used to capture information about network activity. The Router supports this

protocol and can send its activity logs to an external server.

Enable Syslog. If you check the box, the Router’s Syslog feature will be enabled.

Syslog Server. In addition to the standard event log, the Router can send a detailed log to an external Syslog

server. The Router’s Syslog captures all log activities and includes this information about all data transmissions:

every connection source and destination IP address, IP service, and number of bytes transferred. Enter the Syslog

server name or IP address in the

Syslog Server

field. Click the

Save Settings

button to save your changes, and

then restart the Router for the changes to take effect.

E-mail

You may want logs or alert messages to be e-mailed to you. If so, then configure the E-mail settings.

Enable E-Mail Alert. If you check the box, The Router’s E-Mail Alert feature will be enabled.

Mail Server. If you want any log or alert information e-mailed to you, then enter the name or numerical IP address

of your SMTP server. Your ISP can provide you with this information.

Send E-mail to. This is the e-mail address to which your log files will be sent. If you do not want copies of the log

information e-mailed to you, then leave this field blank.

Log Queue Length. You can designate the length of the log that will be e-mailed to you. The default is

50

entries,

so unless you change this setting, the Router will e-mail the log to you when there are more than 50 log entries.

Log Time Threshold. You can designate how often the log will be e-mailed to you. The default is

10

minutes, so

unless you change this setting, the Router will e-mail the log to you every 10 minutes.

The Router will e-mail the log every time the Log Queue Length or Log Time Threshold is reached.

E-mail Log Now. Click the

E-mail Log Now

button to immediately send the log to the address in the

Send E-mail

to

field.

Figure 6-92: System Log

Downloaded from

www.Manualslib.com

manuals search engine