Chapter 5: Setting Up and Configuring the Router
VPN Tab - Client to Gateway
10/100 8-Port VPN Router
Aggressive Mode: There are two types of Phase 1 exchanges: Main mode and Aggressive mode. Aggressive Mode requires
half of the Main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred,
select Main mode. When users select Dynamic IP in Remote Security Gateway Type, the tunnel is limited to
Aggressive Mode.
Compress (Support IP Payload Compression Protocol (IPComp)): The Router supports IP Payload Compression Protocol.
IP Payload Compression is a protocol that reduces the size of IP datagrams. If Compress is enabled, the Router will
propose compression when initiating a connection. If the responder rejects this proposal, the Router will not apply
compression. When the Router works as a responder, it will always accept compression, even without Compress enabled.
Keep-Alive: This mechanism helps keep IPSec tunnels connected. Whenever a dropped connection is detected, it will
be re-established immediately.
AH Hash Algorithm: The AH (Authentication Header) protocol describes the packet format and the default standards
for packet structure. With AH as the security protocol, protection is extended forward into the IP header to verify
the integrity of the entire packet, by using portions of the original IP header in the hashing process. There are
two algorithms, MD5 and SHA1. MD5 produces a 128-bit digest to authenticate packet data and SHA1 produces a 160-bit
digest to authenticate packet data. Both sides of the tunnel should use the same algorithm.
NetBIOS broadcast: Check the box to enable NetBIOS traffic to pass through the VPN tunnel. By default, the RV082
blocks these broadcasts.
Dead Peer Detection (DPD): When DPD is enabled, the RV082 will send periodic HELLO/ACK messages to prove tunnel
liveness when both peers of the VPN tunnel support the DPD mechanism. Once a dead peer has been detected, the RV082
will disconnect the tunnel so the connection can be re-established.
Click the Save Settings button when you finish the settings, or click the Cancel Changes button to undo the
changes.
VPN Tab - Client to Gateway
With Tunnel Enabled
This screen allows you to create VPN tunnels from remote PCs (with Linksys VPN Client Software) to VPN routers.
You can reach this page by clicking the Client to Gateway tab or from the Mode Choose screen (figure 5-44).
Tunnel No.: This shows the number assigned to this tunnel, from 1~5, depending on how many tunnels you have
already set up.
Tunnel Name: Enter the Tunnel Name, such as LA Office, Branch Site, Corporate Site, etc. This is to allow you to
identify multiple tunnels, and does not have to match the name used at the other end of the tunnel.
Interface: All VPN tunnels go out through one of the Router’s WAN ports. When Dual-WAN is enabled, you will
have the option of two ports: WAN1 or WAN2.
Enable: Checking this box enables the VPN tunnel you’re creating.
Local Group Setup
The Local Group Setup section configures the local settings for the VPN tunnel you are creating. Remember, all
settings for the Local Group must be exactly the same as those for the Remote Group.
Local Security Gateway Type: There are five types: IP Only, IP + Domain Name (FQDN) Authentication,
IP + E-mail Addr. (USER FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, and
Dynamic IP + E-mail Addr. (USER FQDN) Authentication. The Local Security Gateway Type must match the Remote
Security Gateway Type of the VPN device at the other end of the tunnel. The first three options are easier to use
because the IP Addresses are static and do not change.
IP Only: If you select IP Only, only the specific IP Address set will be able to access the tunnel. The Router’s
WAN IP address (set above) will automatically appear in this field.
IP + Domain Name (FQDN) Authentication: This selection affords a greater amount of security because each
side of the tunnel must use the same IP Address as well as the same domain name. Only one domain name
can be used for one tunnel and may not be applied to another tunnel. These settings must match the Remote
Group Setup on the other end of the tunnel.
IP + E-mail Addr. (USER FQDN) Authentication: This selection affords a greater amount of security because
each side of the tunnel must use the same IP Address as well as the same email. Only one email address can
be used for one tunnel and may not be applied to another tunnel. These settings must match the Remote
Group Setup on the other end of the tunnel.
Dynamic IP + Domain Name (FQDN) Authentication: This setting uses a dynamic IP address, which is
constantly changing. In addition, the tunnel is confirmed through use of a domain name. Only one domain
name can be used for one tunnel and may not be applied to another tunnel. These settings must match the
Remote Group Setup on the other end of the tunnel.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: This setting uses a dynamic IP address, which is
constantly changing. In addition, the tunnel is confirmed through use of an email address. Only one email
address can be used for one tunnel and may not be applied to another tunnel. These settings must match the
Remote Group Setup on the other end of the tunnel.
Figure 5-49: VPN tab - Client to Gateway
Figure 5-50: VPN tab - Client to Gateway Local Group Setup
Local Security Group Type: Select the local LAN user(s) that can use this VPN tunnel. Local Security Group Type
may be a single IP address, a Subnet or an IP address range. The Local Secure Group must match the Remote
Secure Group on the other end of the tunnel. Selecting IP Address allows only one computer, with the specific IP
Address, access to the tunnel. (The default IP is 192.168.1.0.) If you select Subnet, all computers on the local
subnet can access the tunnel. The default IP is 192.168.1.0, and the default Subnet Mask is 255.255.255.192. If you
select IP Range, you can specify a range of IP Addresses to access the tunnel. The default IP Range is
192.168.1.0~254.
Remote Group Setup:
The Remote Group Setup section configures the remote settings for the VPN tunnel you are creating. Remember,
all settings for the Remote Group must be exactly the same as those for the Local Group.
Remote Security Gateway Type: There are five types: IP Only, IP + Domain Name (FQDN) Authentication,
IP + E-mail Addr. (USER FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, and
Dynamic IP + E-mail Addr. (USER FQDN) Authentication. The Remote Security Gateway Type must match the Local
Security Gateway Type of the VPN device at the other end of the tunnel. The first three options are easier to use
because the IP Addresses are static and do not change.
IP Only: If you select IP Only, only the specific IP Address that you enter will be able to access the tunnel. It's
the IP Address of the remote VPN Router or device with which you wish to communicate. The remote VPN device
can be another VPN Router or a VPN Server. If you know the static IP address of the remote VPN device, select IP
address from the drop-down menu. If you don't know the static IP address of the remote VPN device, but its domain
name is known, you can select IP by DNS Resolved and enter the real domain name on the Internet. The RV082 will
get the IP address of the remote VPN device by DNS resolution, and the IP address of the remote VPN device will be
displayed on the VPN Status of the Summary page.
IP + Domain Name (FQDN) Authentication: This selection affords a greater amount of security because each
side of the tunnel must use the same IP Address as well as the same domain name. Only one domain name
can be used for one tunnel and may not be applied to another tunnel. These settings must match the Remote
Group Setup on the other end of the tunnel.
IP + E-mail Addr. (USER FQDN) Authentication: This selection affords a greater amount of security because
each side of the tunnel must use the same IP Address as well as the same email. Only one email address can
be used for one tunnel and may not be applied to another tunnel. These settings must match the Remote
Group Setup on the other end of the tunnel.
Dynamic IP + Domain Name (FQDN) Authentication: This setting uses a dynamic IP address, which is
constantly changing. In addition, the tunnel is confirmed through use of a domain name. Only one domain
name can be used for one tunnel and may not be applied to another tunnel. These settings must match the
Remote Group Setup on the other end of the tunnel.
Figure 5-51: VPN tab - Client to Gateway Remote Group Setup
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: This setting uses a dynamic IP address, which is
constantly changing. In addition, the tunnel is confirmed through use of an email address. Only one email
address can be used for one tunnel and may not be applied to another tunnel. These settings must match the
Remote Group Setup on the other end of the tunnel.
Remote Security Group Type: Select the local LAN user(s) that can use this VPN tunnel. Remote Security Group
Type may be a single IP address, a Subnet or an IP address range. The Remote Secure Group must match the
Local Secure Group on the other end of the tunnel. Selecting IP Address allows only one computer, with the
specific IP Address, access to the tunnel. (The default IP is 192.168.1.0.) If you select Subnet, all computers on
the local subnet can access the tunnel. The default IP is 192.168.1.0, and the default Subnet Mask is
255.255.255.192. If you select IP Range, you can specify a range of IP Addresses to access the tunnel. The
default IP Range is 192.168.1.0~254.
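The Local and Remote Security Group selectors above (IP Address, Subnet, IP Range) decide which LAN hosts are allowed into the tunnel, and the manual requires the Local group on one end to equal the Remote group on the other. As an added example that is not part of the Linksys manual, the following Python expands each selector type into the address set it covers, using the page's own defaults (IP 192.168.1.0, mask 255.255.255.192, range 192.168.1.0~254), tests whether a given host is covered, and compares two sides as address sets rather than as the typed-in strings. The parsing of the `~` range shorthand, the function names and the input dictionary layout are my assumptions, not the router's API.

```python
import ipaddress

# Defaults quoted from the manual, used here as constructed test input.
DEFAULT_IP = "192.168.1.0"
DEFAULT_MASK = "255.255.255.192"
DEFAULT_RANGE = "192.168.1.0~254"


def parse_security_group(group_type, value, mask=None):
    """Return the list of IPv4Network objects a Security Group selector covers.

    group_type: 'IP Address', 'Subnet' or 'IP Range' (the three types on the page).
    value:      the address for 'IP Address' / 'Subnet', or 'a.b.c.d~e' / 'a.b.c.d~w.x.y.z'
                for 'IP Range' (assumed reading of the UI's 192.168.1.0~254 notation).
    mask:       dotted subnet mask, used only for 'Subnet'.
    """
    if group_type == "IP Address":
        # A single host: represent it as a /32 network.
        return [ipaddress.IPv4Network(ipaddress.IPv4Address(value))]
    if group_type == "Subnet":
        if mask is None:
            raise ValueError("Subnet selector needs a subnet mask")
        # strict=False tolerates a host address being typed where the network address is expected.
        return [ipaddress.IPv4Network(f"{value}/{mask}", strict=False)]
    if group_type == "IP Range":
        start_s, end_s = value.split("~")
        start = ipaddress.IPv4Address(start_s)
        if "." in end_s:
            end = ipaddress.IPv4Address(end_s)
        else:
            # Shorthand: only the last octet of the end address is given.
            end = ipaddress.IPv4Address(start_s.rsplit(".", 1)[0] + "." + end_s)
        if end < start:
            raise ValueError("IP Range end precedes its start")
        # Collapse the inclusive range into the minimal set of CIDR blocks.
        return list(ipaddress.summarize_address_range(start, end))
    raise ValueError(f"unknown Security Group Type {group_type!r}")


def covers(group, address):
    """True if the selector built by parse_security_group() includes `address`."""
    host = ipaddress.IPv4Address(address)
    return any(host in net for net in group)


def _address_set(group):
    # Iterating an IPv4Network yields every address in it, network and broadcast included,
    # which is what a selector compares on.
    addresses = set()
    for net in group:
        addresses.update(int(a) for a in net)
    return addresses


def groups_match(local_side, remote_side):
    """Compare the Local Security Group configured on one end with the Remote Security Group
    configured on the other, as address sets, so equivalent selectors of different types match."""
    return _address_set(local_side) == _address_set(remote_side)


if __name__ == "__main__":
    subnet = parse_security_group("Subnet", DEFAULT_IP, DEFAULT_MASK)
    print("192.168.1.63 in default subnet:", covers(subnet, "192.168.1.63"))
    print("192.168.1.100 in default subnet:", covers(subnet, "192.168.1.100"))
    print("default subnet == range .0~63:",
          groups_match(subnet, parse_security_group("IP Range", "192.168.1.0~63")))
```

Expanding the selectors makes one consequence of the defaults visible: the default mask 255.255.255.192 covers only 192.168.1.0 through 192.168.1.63, so a LAN host at 192.168.1.100 is outside the tunnel's selector even though it is on the same LAN. That is worth checking first when a host's traffic never enters the tunnel.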
With Group VPN enabled:
Further Remote Client Setup options become available when you select GroupVPN. There are three types of
Remote Client: Domain Name (FQDN), E-mail Address (User FQDN), and Microsoft XP/2000 VPN Client.
Domain Name (FQDN) (Fully Qualified Domain Name): Enter the Domain Name of the Remote Client. When the
Remote Client requests to create a tunnel with the Router, the Router will act as a responder. The Domain Name
must match the local settings of the Remote Client.
E-mail Address (User FQDN): Enter the Email Address of the Remote Client. When the Remote Client requests to
create a tunnel with the Router, the Router will act as a responder. The Email Address must match the local
settings of the Remote Client.
Microsoft XP/2000 VPN Client: This option is used for Dynamic IP users (e.g. PPPoE or DHCP) who use the
Microsoft VPN client. The difference between the Microsoft and other VPN clients is that the Microsoft client does
not support Aggressive mode or the FQDN/USER FQDN ID options.
IPSec Setup
In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way
the data will be decrypted. This is done by sharing a “key” to the encryption code. There are two Keying Modes of
key management, Manual and IKE with Preshared Key (automatic). If GroupVPN is enabled, the key management
will be IKE with Preshared Key only.
Manual
If you select Manual, you generate the key yourself, and no key negotiation is needed. Basically, manual key
management is used in small static environments or for troubleshooting purposes. Both sides must use the same
Key Management method.
Incoming & Outgoing SPI (Security Parameter Index): The SPI is carried in the ESP (Encapsulating Security Payload
Protocol) header and enables the receiver and sender to select the SA under which a packet should be
processed. Hexadecimal values are acceptable, and the valid range is 100~ffffffff. Each tunnel must have a
unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. The Incoming SPI here must match the
Outgoing SPI value at the other end of the tunnel, and vice versa.
Encryption: There are two methods of encryption, DES and 3DES. The Encryption method determines the length
of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is
recommended because it is more secure, and both sides must use the same Encryption method.
Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method determines
how the ESP packets are authenticated. MD5 is a one-way hashing algorithm that produces a 128-bit digest.
SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more
secure, and both sides must use the same Authentication method.
Encryption Key: This field specifies the key used to encrypt and decrypt IP traffic; you generate the Encryption
Key yourself. Hexadecimal values are acceptable in this field. Both sides must use the same Encryption Key. If DES
is selected, the Encryption Key is 16-bit. If users do not fill up to 16-bit, this field will be padded to 16-bit
automatically with 0. If 3DES is selected, the Encryption Key is 48-bit. If users do not fill up to 48-bit, this
field will be padded to 48-bit automatically with 0.
Authentication Key: This field specifies the key used to authenticate IP traffic; you generate the Authentication
Key yourself. Hexadecimal values are acceptable in this field. Both sides must use the same Authentication Key. If
MD5 is selected, the Authentication Key is 32-bit. If users do not fill up to 32-bit, this field will be padded to
32-bit automatically with 0. If SHA1 is selected, the Authentication Key is 40-bit. If users do not fill up to
40-bit, this field will be padded to 40-bit automatically with 0.
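The Manual keying fields above carry several rules a reviewer would want checked before a tunnel goes live: SPIs must be hexadecimal and within 100~ffffffff, no two tunnels may share an SPI, the Incoming SPI on one end must equal the Outgoing SPI on the other, keys must be hexadecimal, and short keys are silently padded with zeros to the field length. As an added example that is not part of the Linksys manual, the following Python checks a manual-keyed tunnel definition against those rules and flags the weaker choices the manual itself advises against (DES rather than 3DES, MD5 rather than SHA). It reads the field lengths the manual calls "16-bit", "48-bit", "32-bit" and "40-bit" as counts of hex characters (64, 192, 128 and 160 bits respectively); that reading, the assumption that padding zeros are appended at the end, the dictionary field names and the function names are mine and not the router's API.

```python
import re

# Field lengths in hex characters (assumption: the manual's "16-bit" etc. count hex digits).
KEY_HEX_LEN = {"DES": 16, "3DES": 48}
AUTH_HEX_LEN = {"MD5": 32, "SHA1": 40}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF          # valid range 100~ffffffff from the manual
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def pad_key(key_hex, length):
    """Reproduce the UI's fill-up behaviour: a short key is padded with '0' to `length`
    hex characters. Trailing zeros are an assumption; the manual does not say where they go."""
    return key_hex.lower().ljust(length, "0")


def check_spi(label, spi_hex, findings):
    """Append a finding if the SPI is not hex or outside 100~ffffffff; return its int value."""
    if not HEX_RE.match(spi_hex):
        findings.append(f"{label}: SPI {spi_hex!r} is not hexadecimal")
        return None
    spi = int(spi_hex, 16)
    if not SPI_MIN <= spi <= SPI_MAX:
        findings.append(f"{label}: SPI {spi_hex} outside valid range 100~ffffffff")
        return None
    return spi


def check_key(label, key_hex, required, findings):
    """Validate a hex key against its field length; return the key as the router would store it."""
    if not HEX_RE.match(key_hex):
        findings.append(f"{label}: key is not hexadecimal")
        return None
    if len(key_hex) > required:
        findings.append(f"{label}: key has {len(key_hex)} hex chars, field holds {required}")
        return None
    if len(key_hex) < required:
        # The router pads silently; a padded key has fewer random bits than the field suggests.
        findings.append(f"{label}: only {len(key_hex)} of {required} hex chars given; "
                        f"the router pads with zeros, which shrinks the effective key")
    return pad_key(key_hex, required)


def check_tunnel(t):
    """Return a list of findings for one manual-keyed tunnel (constructed dict layout)."""
    findings = []
    check_spi("Incoming SPI", t["in_spi"], findings)
    check_spi("Outgoing SPI", t["out_spi"], findings)
    enc = t["encryption"]
    if enc not in KEY_HEX_LEN:
        findings.append(f"Encryption: unknown method {enc!r}")
    else:
        if enc == "DES":
            findings.append("Encryption: DES selected; the manual recommends 3DES")
        check_key("Encryption Key", t["enc_key"], KEY_HEX_LEN[enc], findings)
    auth = t["authentication"]
    if auth not in AUTH_HEX_LEN:
        findings.append(f"Authentication: unknown method {auth!r}")
    else:
        if auth == "MD5":
            findings.append("Authentication: MD5 selected; the manual recommends SHA")
        check_key("Authentication Key", t["auth_key"], AUTH_HEX_LEN[auth], findings)
    return findings


def check_tunnels(tunnels):
    """Cross-tunnel rule: every Inbound and Outbound SPI across the table must be distinct."""
    findings, seen = [], {}
    for t in tunnels:
        for field in ("in_spi", "out_spi"):
            spi = t[field].lower()
            if spi in seen:
                findings.append(f"tunnel {t['name']}: SPI {spi} already used by tunnel {seen[spi]}")
            else:
                seen[spi] = t["name"]
    return findings


def peers_consistent(local, remote):
    """Incoming SPI here must equal the Outgoing SPI at the other end, and vice versa."""
    return (local["in_spi"].lower() == remote["out_spi"].lower()
            and local["out_spi"].lower() == remote["in_spi"].lower())


if __name__ == "__main__":
    # Constructed sample tunnel; keys are placeholders, not real key material.
    sample = {"name": "t1", "in_spi": "100", "out_spi": "101", "encryption": "DES",
              "authentication": "MD5", "enc_key": "abcd", "auth_key": "ff"}
    for line in check_tunnel(sample):
        print(line)
```

Run against a definition with a four-character DES key, the checker reports both the weaker algorithm choices and the zero padding, which is the point: the UI accepts the short key without complaint, so the only place the weakness becomes visible is a review like this one.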
IKE with Preshared Key (automatic)
IKE (Internet Key Exchange) is a protocol used to negotiate key material for an SA (Security Association). IKE
uses the Pre-shared Key field to authenticate the remote IKE peer.
Phase 1 DH Group: Phase 1 is used to create a security association (SA). DH (Diffie-Hellman) is a key exchange
protocol that is used during phase 1 of the authentication process to establish pre-shared keys. There are three
Figure 5-52: VPN tab - Client to Gateway IPSec Setup
