65
Chapter 6: Setting up and Configuring the Router
VPN Tab - Client to Gateway
10/100 16-Port VPN Router
Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN
tunnel must use the same Phase 2 Encryption setting: DES, 3DES, or Null.
Phase 2 Authentication. Select a method of authentication,
MD5
or
SHA
. The authentication method
determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit
digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it
is more secure. If you enable the AH Hash Algorithm on the
Advanced
screen, then it is recommended to
select
Null
to disable the authentication of ESP packets in Phase 2 (make sure the remote VPN device also
has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Authentication
setting: MD5, SHA, or Null.
Phase 2 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 2. The default value is
3600
seconds.
Preshared Key. This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of
keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of
30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is
strongly recommended that you change the Preshared Key periodically to maximize VPN security.
Click the
Save Settings
button to save your changes, or click the
Cancel Changes
button to undo the changes.
Manual (not applicable to Group VPNs)
Basically, manual key management is used in small static environments or for troubleshooting purposes. If you
select Manual, you generate the key yourself, so no key negotiation is needed.
Incoming SPI (Security Parameter Index). SPI is carried in the ESP (Encapsulating Security Payload Protocol)
header and enables the receiver and sender to send the Security Association (SA), under which a packet
should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from
100 to ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI. The Incoming SPI of the Router
must match the Outgoing SPI set on the remote VPN device at the other end of the tunnel. For example, if the
Incoming SPI is 20123, then the Outgoing SPI would be 32102.
Outgoing SPI (Security Parameter Index). SPI is carried in the ESP (Encapsulating Security Payload Protocol)
header and enables the receiver and sender to send the SA, under which a packet should be processed.
Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each
tunnel must have a unique Inbound SPI and Outbound SPI. The Outgoing SPI of the Router must match the
Incoming SPI set on the remote VPN device at the other end of the tunnel. For example, if the Outgoing SPI is
32102, then the Incoming SPI would be 20123.
Figure 6-89: IPSec Setup - Manual
Downloaded from
www.Manualslib.com
manuals search engine