Chapter 6: Set Up and Configure the Router
VPN Tab - Client to Gateway
10/100 4-Port VPN Router
NetBIOS Broadcast: Click the checkbox if you want NetBIOS traffic to pass through the VPN tunnel. By default, the Router blocks these broadcasts.
Click the Save Settings button when you finish the settings, or click the Cancel Changes button to undo the changes.
VPN Tab - Client to Gateway
On this page you can create a new tunnel between a Local VPN device and a mobile user. Select Tunnel to create a tunnel for a single mobile user, or select Group VPN to create tunnels for multiple VPN clients. The Group VPN feature simplifies setup because the remote VPN clients do not have to be configured individually.
Tunnel
Tunnel No.: The tunnel number is generated automatically, from 1~30. See Figure 6-45.
Tunnel Name: Once the tunnel is enabled, enter a name in the Tunnel Name field, such as Sales Name. This lets you identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
Interface: Select the Interface from the pull-down menu. When dual WAN is enabled, there are two options: WAN1 and WAN2.
Enable: Check the box to enable the VPN.
Group VPN
Group No.: The group number is generated automatically, from 1~2. Two GroupVPNs are supported by the RV042.
Group ID Name: Enter the Group ID Name, such as American Sales Group.
Interface: Select the Interface from the drop-down menu. When dual WAN is enabled, there are two options (WAN1/WAN2).
Enable: Check the box to enable the GroupVPN.
Local Group Setup
Local Security Gateway Type: There are five types: IP Only, IP + Domain Name (FQDN) Authentication, IP + E-mail Addr. (USER FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, and Dynamic IP + E-mail Addr. (USER FQDN) Authentication. The Local Security Gateway Type must match the Remote Security Gateway Type of the VPN device at the other end of the tunnel.
Figure 6-45: Client to Gateway
IP Only: If you select IP Only, only the specific IP Address will be able to access the tunnel. The WAN IP of the
Router will automatically appear in this field.
IP + Domain Name (FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name), and an IP address will appear automatically. The FQDN is the host name and domain name for a specific computer on the Internet, for example, vpn.myvpnserver.com. The IP and FQDN must be the same as the Remote Security Gateway type of the remote VPN device, and the same IP and FQDN can be used for only one tunnel connection.
IP + E-mail Addr. (USER FQDN) Authentication: If you select this type, enter the E-mail address, and the IP
address will appear automatically.
Dynamic IP + Domain Name (FQDN) Authentication: If the Local Security Gateway has a dynamic IP, select this type. When the Remote Security Gateway requests to create a tunnel with the Router, the Router will work as a responder. If you select this type, just enter the Domain Name for Authentication; the Domain Name must be the same as the Remote Security Gateway of the remote VPN device. The same Domain Name can be used for only one tunnel connection, and users can’t use the same Domain Name to create a new tunnel connection.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: If the Local Security Gateway has a dynamic IP, select
this type. When the Remote Security Gateway requests to create a tunnel with the Router, the RV042 will work as
a responder. If you select this type, just enter the E-mail address for Authentication.
Local Security Group Type
Select the local LAN user(s) behind the router that can use this VPN tunnel. Local Security Group Type may be a
single IP address, a Subnet or an IP range. The Local Secure Group must match the Remote VPN Client’s Remote
Secure Group.
IP Address: If you select IP Address, only the computer with the specific IP Address that you enter will be able to
access the tunnel. The default IP is 192.168.1.0.
Subnet: If you select Subnet (which is the default), this will allow all computers on the local subnet to access the
tunnel. Enter the IP Address and the Subnet Mask. The default IP is 192.168.1.0, and default Subnet Mask is
255.255.255.192.
IP Range: If you select IP Range, it will be a combination of Subnet and IP Address. You can specify a range of IP
Addresses within the Subnet which will have access to the tunnel. The default IP Range is 192.168.1.0~254.
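The three Local Security Group selector types above, built with the manual's default values, as an added example that is not Linksys code. It tests which LAN hosts each selector admits and counts the addresses a selector covers, which shows that the default Subnet mask of 255.255.255.192 admits only the first 64 addresses of the LAN.

```python
import ipaddress

# Added, constructed example (not Linksys code): the three Local Security Group
# selector types the RV042 manual describes, built with the manual's defaults,
# plus a membership test showing which LAN hosts each selector admits.


def parse_group(kind, value, mask=None):
    """Return a predicate host -> bool for 'IP Address', 'Subnet' or 'IP Range'.
    'IP Range' uses the manual's notation, e.g. '192.168.1.0~254'."""
    if kind == "IP Address":
        host = ipaddress.ip_address(value)
        return lambda h: ipaddress.ip_address(h) == host
    if kind == "Subnet":
        # strict=False lets a host address such as 192.168.1.5/26 stand for its network
        net = ipaddress.ip_network(f"{value}/{mask}", strict=False)
        return lambda h: ipaddress.ip_address(h) in net
    if kind == "IP Range":
        start, last_octet = value.split("~")
        first = ipaddress.ip_address(start)
        last = ipaddress.ip_address(start.rsplit(".", 1)[0] + "." + last_octet)
        return lambda h: first <= ipaddress.ip_address(h) <= last
    raise ValueError(f"unknown Local Security Group Type: {kind}")


# The manual's default value for each selector type
DEFAULTS = {
    "IP Address": parse_group("IP Address", "192.168.1.0"),
    "Subnet": parse_group("Subnet", "192.168.1.0", "255.255.255.192"),
    "IP Range": parse_group("IP Range", "192.168.1.0~254"),
}


def covered_by(host):
    """Names of the default selectors that would let this host use the tunnel."""
    return [name for name, match in DEFAULTS.items() if match(host)]


def host_count(kind, value, mask=None):
    """How many addresses a selector admits; useful for spotting an
    unexpectedly narrow selector such as the default /26 Subnet mask."""
    if kind == "IP Address":
        return 1
    if kind == "Subnet":
        return ipaddress.ip_network(f"{value}/{mask}", strict=False).num_addresses
    start, last_octet = value.split("~")
    return int(last_octet) - int(start.rsplit(".", 1)[1]) + 1
```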
Remote Client Setup
With Tunnel enabled:
Remote Client: There are five types of Remote Client: IP, IP + Domain Name (FQDN) Authentication, IP + E-mail Addr. (User FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, and Dynamic IP + E-mail Addr. (User FQDN) Authentication.
IP Only: If you know the fixed IP of the remote client, select IP and enter the IP Address. Only the specific IP Address that you enter will be able to access the tunnel. This IP Address can be a computer with VPN client software that supports IPSec.
IP + Domain Name (FQDN) Authentication: If you select this type, enter the FQDN (Fully Qualified Domain Name) and IP address of the client user with VPN client software that supports IPSec at the other end of the tunnel. The FQDN is the host name and domain name for a specific computer on the Internet, for example, vpn.myvpnserver.com. The IP and FQDN must be the same as the Local Gateway of the remote client, and the same IP and FQDN can be used for only one tunnel connection.
IP + E-mail Addr. (User FQDN) Authentication: If you select this type, enter the e-mail address and IP address of the client user with VPN software that supports IPSec at the other end of the tunnel.
Dynamic IP + Domain Name (FQDN) Authentication: If you select this type, the Remote Security Gateway has a dynamic IP, so you do not need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with the RV042, the RV042 will work as a responder. If you select this type, just enter the Domain Name for Authentication; the Domain Name must be the same as the Local Gateway of the remote client. The same Domain Name can be used for only one tunnel connection, and users can’t use the same Domain Name to create a new tunnel connection.
Dynamic IP + E-mail Addr. (User FQDN) Authentication: If you select this type, the Remote Security Gateway has a dynamic IP, so you do not need to enter the IP address. When the Remote Security Gateway requests to create a tunnel with the RV042, the RV042 will work as a responder. If you select this type, just enter the E-mail address for Authentication.
With Group VPN enabled:
Remote Client: There are two types of Remote Client: Domain Name (FQDN) or E-mail Address (User FQDN).
Domain Name (FQDN) (Fully Qualified Domain Name): If you select FQDN, enter the FQDN of the Remote Client.
When the Remote Client requests to create a tunnel with the RV042, the RV042 will work as a responder. The
Domain Name must match the local settings of the Remote Client.
E-mail Address (User FQDN): Enter the E-mail address of User FQDN.
IPSec Setup
In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way
the data will be decrypted. This is done by sharing a “key” to the encryption code. There are two Keying Modes of
key management, Manual and IKE with Preshared Key (automatic). If GroupVPN is enabled, the key management
will be IKE with Preshared Key only.
Manual
If you select Manual, you generate the key yourself, and no key negotiation is needed. Basically, manual key management is used in small static environments or for troubleshooting purposes. Both sides must use the same Key Management method.
Incoming & Outgoing SPI (Security Parameter Index): The SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the SA under which a packet should be processed. Hexadecimal values are accepted, and the valid range is 100~ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI; no two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.
Encryption: There are two methods of encryption, DES and 3DES. The Encryption method determines the length
of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is
recommended because it is more secure, and both sides must use the same Encryption method.
Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines a
method to authenticate the ESP packets. MD5 is a one-way hashing algorithm that produces a 128-bit digest.
SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more
secure, and both sides must use the same Authentication method.
Encryption Key: This field specifies the key used to encrypt and decrypt IP traffic; you generate the Encryption Key yourself. Hexadecimal values are accepted in this field. Both sides must use the same Encryption Key. If DES is selected, the Encryption Key is 16-bit; if you enter less than 16-bit, the field is automatically padded to 16-bit with 0. If 3DES is selected, the Encryption Key is 48-bit; if you enter less than 48-bit, the field is automatically padded to 48-bit with 0.
Authentication Key: This field specifies the key used to authenticate IP traffic; you generate the Authentication Key yourself. Hexadecimal values are accepted in this field. Both sides must use the same Authentication Key. If MD5 is selected, the Authentication Key is 32-bit; if you enter less than 32-bit, the field is automatically padded to 32-bit with 0. If SHA1 is selected, the Authentication Key is 40-bit; if you enter less than 40-bit, the field is automatically padded to 40-bit with 0.
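The Manual keying rules from the SPI, Encryption Key and Authentication Key fields above, turned into a pre-deployment check, as an added example that is not Linksys code. It validates the SPI range and cross-match rule, reproduces the router's zero fill for short keys so that a padded (and therefore partly known) key is flagged, and generates full-length keys so padding never happens. It assumes the fill is appended on the right, which the manual does not state.

```python
import re
import secrets

# Added, constructed example (not Linksys code) of the Manual keying rules the
# RV042 manual states: hex SPI in 100~ffffffff, fixed-length hex keys, short keys
# padded with '0'. Assumption: padding is on the right; the manual does not say.
KEY_LEN = {"DES": 16, "3DES": 48, "MD5": 32, "SHA1": 40}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def spi_ok(value):
    """True if value is hexadecimal and within the manual's SPI range."""
    return bool(HEX.match(value)) and 0x100 <= int(value, 16) <= 0xFFFFFFFF

def pad_key(algorithm, key):
    """Apply the fill rule; return (padded_key, chars_added). chars_added > 0
    means that many digits of the effective key are the known value '0'."""
    want = KEY_LEN[algorithm]
    if not HEX.match(key) or len(key) > want:
        raise ValueError(f"{algorithm} key must be 1..{want} hex characters")
    return key + "0" * (want - len(key)), want - len(key)

def fresh_key(algorithm):
    """Full-length key from the OS CSPRNG, so the router never has to pad."""
    return secrets.token_hex(KEY_LEN[algorithm] // 2)

def audit(local, remote, used_spis=()):
    """Findings for one tunnel seen from both ends. Each dict holds in_spi, out_spi,
    enc ('DES'/'3DES'), auth ('MD5'/'SHA1'), enc_key, auth_key (hex strings)."""
    out = []
    for side, c in (("local", local), ("remote", remote)):
        for f in ("in_spi", "out_spi"):
            if not spi_ok(c[f]):
                out.append(f"{side} {f}: not hex in 100~ffffffff")
            elif c[f].lower() in used_spis:  # no two tunnels may share an SPI
                out.append(f"{side} {f}: already used by another tunnel")
        for alg, kf in (("enc", "enc_key"), ("auth", "auth_key")):
            added = pad_key(c[alg], c[kf])[1]
            if added:
                out.append(f"{side} {kf}: zero-padded by {added} chars, weak key")
    # Incoming SPI here must equal the Outgoing SPI at the other end, and vice versa
    if (local["in_spi"].lower(), local["out_spi"].lower()) != \
       (remote["out_spi"].lower(), remote["in_spi"].lower()):
        out.append("SPIs do not cross-match between the two ends")
    for alg, kf in (("enc", "enc_key"), ("auth", "auth_key")):
        if local[alg] != remote[alg]:
            out.append(f"{alg}: method differs between ends")
        elif pad_key(local[alg], local[kf])[0].lower() != pad_key(remote[alg], remote[kf])[0].lower():
            out.append(f"{kf}: value differs between ends after padding")
    return out
```

An empty list from audit() means both ends agree and no key was padded; used_spis is the set of SPIs already assigned to other tunnels on the same router.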
IKE with Preshared Key (automatic)
IKE (Internet Key Exchange) is a protocol used to negotiate key material for the SA (Security Association). IKE uses the Pre-shared Key field to authenticate the remote IKE peer.
Phase 1 DH Group: Phase 1 is used to create a security association (SA). DH (Diffie-Hellman) is a key exchange
protocol that is used during phase 1 of the authentication process to establish pre-shared keys. There are three
groups of different prime key lengths. Group 1 is 768 bits, Group 2 is 1,024 bits and Group 5 is 1,536 bits. If
network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption: There are two methods of encryption, DES and 3DES. The Encryption method determines the
length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption.
Both sides must use the same Encryption method. 3DES is recommended because it is more secure.
Phase 1 Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method
determines a method to authenticate the ESP packets. Both sides must use the same Authentication method.
MD5 is a one-way hashing algorithm that produces a 128-bit digest.
SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more
secure, and both sides must use the same Authentication method.
Phase 1 SA Life Time: This field allows you to configure the length of time a VPN tunnel is active in Phase 1. The default value is 28,800 seconds.
Perfect Forward Secrecy: If PFS is enabled, IKE Phase 2 negotiation will generate a new key material for IP traffic
encryption and authentication. If PFS is enabled, a hacker using brute force to break encryption keys is not able
to obtain other or future IPSec keys.
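The PFS property described above, shown with a toy Diffie-Hellman exchange, as an added example that is not RV042 code. The small prime stands in for the router's 768/1024/1536-bit groups and the derivation is a simplification of IKE quick mode, but the point is the one the manual makes: without PFS, whoever recovers the Phase 1 secret can recompute the Phase 2 key from public values; with PFS, a fresh DH secret they do not hold is mixed in.

```python
import hashlib
import secrets

# Added, constructed example (not RV042 code) of why PFS matters. A toy
# Diffie-Hellman over a small prime stands in for the router's 768/1024/1536-bit
# groups; the key derivation is a simplification of IKEv1 quick mode, not the RFC.
P = (1 << 127) - 1  # Mersenne prime, toy-sized, never use for real traffic
G = 2

def dh_exchange():
    """One DH round between two peers; returns the shared secret both compute."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    shared = pow(B, a, P)
    assert shared == pow(A, b, P)
    return shared

def phase2_keymat(phase1_secret, nonces, pfs):
    """Derive the Phase 2 (IPsec SA) key. Without PFS it depends only on the
    Phase 1 secret plus public nonces; with PFS a fresh DH secret is mixed in."""
    material = phase1_secret.to_bytes(16, "big") + nonces
    if pfs:
        material += dh_exchange().to_bytes(16, "big")  # new key material
    return hashlib.sha1(material).hexdigest()

def phase1_compromise_exposes_phase2(phase1_secret, nonces, pfs):
    """Model of the manual's scenario: an attacker has brute-forced the Phase 1
    secret and captured the public nonces. True if that is enough to reproduce
    the Phase 2 key the peers derived."""
    victim_key = phase2_keymat(phase1_secret, nonces, pfs)
    # The attacker can only rerun the derivation over what they actually hold.
    attacker_key = hashlib.sha1(phase1_secret.to_bytes(16, "big") + nonces).hexdigest()
    return attacker_key == victim_key
```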
Phase 2 DH Group: There are three groups of different prime key lengths. Group 1 is 768 bits, Group 2 is 1,024 bits and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You can choose a different Group than the one you chose for the Phase 1 DH Group. If Perfect Forward Secrecy is disabled, there is no need to set up the Phase 2 DH Group, since no new key is generated and the Phase 2 key will be the same as the Phase 1 key.
Phase 2 Encryption: Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. There are two methods of encryption, DES and 3DES. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. Both sides must use the same Encryption method. If users enable the AH Hash Algorithm in Advanced, then it is recommended to select Null to disable encrypting/decrypting ESP packets in Phase 2, but both sides of the tunnel must use the same setting.