Page 51 / 105 Scroll up to view Page 46 - 50
42
Chapter 5: Setting Up and Configuring the Router
VPN Tab - Gateway to Gateway
10/100 8-Port VPN Router
VPN Tab - Gateway to Gateway
This screen allows you to create VPN tunnels between VPN routers. You can reach this page by clicking the
Gateway to Gateway tab or from the Mode Choose screen (figure 5-44).
Tunnel No.
: This shows the number assigned to this tunnel, from 1~50, depending on how many tunnels you
have already set up.
Tunnel Name
: Enter the Tunnel Name, such as LA Office, Branch Site, Corporate Site, etc. This is to allow you to
identify multiple tunnels, and does not have to match the name used at the other end of the tunnel.
Interface
: All VPN tunnels go out through one of the Router’s WAN ports. When Dual-WAN is enabled, you will
have the option of two ports: WAN1 or WAN2.
Enable
: Checking this box enables the VPN tunnel you’re creating.
Local Group Setup
The Local Group Setup section configures the local settings for the VPN tunnel you are creating. Remember, all
settings for the Local Group must be exactly the same as those for the Remote Group.
Local Security Gateway Type
: There are five types. They are
IP Only
,
IP + Domain Name (FQDN)
Authentication
,
IP + E-mail Addr. (USER FQDN) Authentication
,
Dynamic IP + Domain Name (FQDN)
Authentication
,
Dynamic IP + E-mail Addr. (USER FQDN) Authentication
. The type of Local Security Gateway
Type must match the Remote Security Gateway Type of VPN devices in the other end of tunnel. The first three
options are easier to use because the IP Addresses are static and do not change.
IP Only: If you select IP Only, only the specific IP Address set will be able to access the tunnel. The Router’s
WAN IP address (set above) will automatically appear in this field.
IP + Domain Name (FQDN) Authentication: This selection affords a greater amount of security because each
side of the tunnel must use the same IP Address as well as the same domain name. Only one domain name
can be used for one tunnel and may not be applied to another tunnel.These settings must match the Remote
Group Setup on the other end of the tunnel.
IP + E-mail Addr. (USER FQDN) Authentication: This selection affords a greater amount of security because
each side of the tunnel must use the same IP Address as well as the same email. Only one email address can
be used for one tunnel and may not be applied to another tunnel.These settings must match the Remote
Group Setup on the other end of the tunnel.
Figure 5-45: VPN tab - Gateway to Gateway
Figure 5-46: VPN tab - Gateway to Gateway
Local Group Setup
Page 52 / 105
43
Chapter 5: Setting Up and Configuring the Router
VPN Tab - Gateway to Gateway
10/100 8-Port VPN Router
Dynamic IP + Domain Name (FQDN) Authentication: This setting uses a dynamic IP address, which is
constantly changing. In addition, the tunnel is confirmed through use of a domain name. Only one domain
name can be used for one tunnel and may not be applied to another tunnel.These settings must match the
Remote Group Setup on the other end of the tunnel.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: This setting uses a dynamic IP address, which is
constantly changing. In addition, the tunnel is confirmed through use of an email address. Only one email
address can be used for one tunnel and may not be applied to another tunnel.These settings must match the
Remote Group Setup on the other end of the tunnel.
Local Security Group Type
. Select the local LAN user(s) that can use this VPN tunnel. Local Security Group Type
may be a single IP address, a Subnet or an IP address range. The Local Secure Group must match the Remote
Secure Group on the other end of the tunnel. Selecting
IP Address
allows only one computer, with the specific IP
Address, access to the tunnel. (The default IP is 192.168.1.0.) If you select
Subnet
, all computers on the local
subnet can access the tunnel. The default IP is 192.168.1.0, and default Subnet Mask is 255.255.255.192. If you
select
IP Range
, you can specify a range of IP Addresses to access the tunnel. The default IP Range is
192.168.1.0~254.
Remote Group Setup:
The Remote Group Setup section configures the remote settings for the VPN tunnel you are creating. Remember,
all settings for the Remote Group must be exactly the same as those for the Local Group.
Remote Security Gateway Type
: There are five types. They are
IP Only
,
IP + Domain Name (FQDN)
Authentication
,
IP + E-mail Addr. (USER FQDN) Authentication
,
Dynamic IP + Domain Name (FQDN)
Authentication
,
Dynamic IP + E-mail Addr. (USER FQDN) Authentication
. The type of Remote Security
Gateway Type must match the Local Security Gateway Type of VPN devices in the other end of tunnel. The first
three options are easier to use because the IP Addresses are static and do not change.
IP Only: If you select IP Only, only the specific IP Address that you enter will be able to access the tunnel. It's
the IP Address of the remote VPN Router or device which you wish to communicate. The remote VPN device
can be another VPN Router or a VPN Server. If you know the static IP address of remote VPN device, select IP
address from drop-down menu. If you don't know the static IP address of remote VPN device, but the domain
name of remote VPN device is known, you can select IP by DNS Resolved, and enter the real domain name on
the Internet. RV082 will get the IP address of remote VPN device by DNS Resolved, and IP address of remote
VPN device will be displayed on VPN Status of Summary page.
IP + Domain Name (FQDN) Authentication: This selection affords a greater amount of security because each
side of the tunnel must use the same IP Address as well as the same domain name. Only one domain name
can be used for one tunnel and may not be applied to another tunnel.These settings must match the Remote
Group Setup on the other end of the tunnel.
Figure 5-47: VPN tab - Gateway to Gateway
Remote Group Setup
Page 53 / 105
44
Chapter 5: Setting Up and Configuring the Router
VPN Tab - Gateway to Gateway
10/100 8-Port VPN Router
IP + E-mail Addr. (USER FQDN) Authentication: This selection affords a greater amount of security because
each side of the tunnel must use the same IP Address as well as the same email. Only one email address can
be used for one tunnel and may not be applied to another tunnel.These settings must match the Remote
Group Setup on the other end of the tunnel.
Dynamic IP + Domain Name (FQDN) Authentication: This setting uses a dynamic IP address, which is
constantly changing. In addition, the tunnel is confirmed through use of a domain name. Only one domain
name can be used for one tunnel and may not be applied to another tunnel.These settings must match the
Remote Group Setup on the other end of the tunnel.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: This setting uses a dynamic IP address, which is
constantly changing. In addition, the tunnel is confirmed through use of an email address. Only one email
address can be used for one tunnel and may not be applied to another tunnel.These settings must match the
Remote Group Setup on the other end of the tunnel.
Remote Security Group Type
. Select the local LAN user(s) that can use this VPN tunnel. Remote Security Group
Type may be a single IP address, a Subnet or an IP address range. The Remote Secure Group must match the
Local Secure Group on the other end of the tunnel. Selecting
IP Address
allows only one computer, with the spe-
cific IP Address, access to the tunnel. (The default IP is 192.168.1.0.) If you select
Subnet
, all computers on the
local subnet can access the tunnel. The default IP is 192.168.1.0, and default Subnet Mask is 255.255.255.192. If
you select
IP Range
, you can specify a range of IP Addresses to access the tunnel. The default IP Range is
192.168.1.0~254.
IPSec Setup
In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way
the data will be decrypted. This is done by sharing a “key” to the encryption code. There are two Keying Modes
of key management, Manual and IKE with Preshared Key (automatic).
Manual
If you select
Manual
, you generate the key yourself, and no key negotiation is needed. Basically, manual key
management is used in small static environments or for troubleshooting purposes. Both sides must use the same
Key Management method.
Incoming & Outgoing SPI (Security Parameter Index)
: SPI is carried in the ESP (Encapsulating Security
Payload Protocol) header and enables the receiver and sender to select the SA, under which a packet should be
processed. The hexadecimal values is acceptable, and the valid range is 100~ffffffff. Each tunnel must have a
unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. The Incoming SPI here must match the
Outgoing SPI value at the other end of the tunnel, and vice versa
Figure 5-48: VPN tab - Gateway to Gateway
IPSec Setup
Bit:
a binary digit
Page 54 / 105
45
Chapter 5: Setting Up and Configuring the Router
VPN Tab - Gateway to Gateway
10/100 8-Port VPN Router
Encryption
: There are two methods of encryption, DES and 3DES. The Encryption method determines the length
of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is
recommended because it is more secure, and both sides must use the same Encryption method.
Authentication
: There are two methods of authentication, MD5 and SHA. The Authentication method determines
a method to authenticate the ESP packets. MD5 is a one-way hashing algorithm that produces a 128-bit digest.
SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more
secure, and both sides must use the same Authentication method.
Encryption Key
: This field specifies a key used to encrypt and decrypt IP traffic, and the Encryption Key is
generated yourself. The hexadecimal value is acceptable in this field. Both sides must use the same Encryption
Key. If DES is selected, the Encryption Key is 16-bit. If users do not fill up to 16-bit, this field will be filled up to
16-bit automatically by 0. If 3DES is selected, the Encryption Key is 48-bit. If users do not fill up to 48-bit, this
field will be filled up to 48-bit automatically by 0.
Authentication Key
: This field specifies a key used to authenticate IP traffic and the Authentication Key is
generated yourself. The hexadecimal value is acceptable in this field. Both sides must use the same
Authentication key. If MD5 is selected, the Authentication Key is 32-bit. If users do not fill up to 32-bit, this field
will be filled up to 32-bit automatically by 0. If SHA1 is selected, the Authentication Key is 40-bit. If users do not
fill up to 40-bit, this field will be filled up to 40-bit automatically by 0.
IKE with Preshared Key (automatic)
IKE is an Internet Key Exchange protocol that used to negotiate key material for SA (Security Association). IKE
uses the Pre-shared Key field to authenticate the remote IKE peer.
Phase 1 DH Group
: Phase 1 is used to create a security association (SA). DH (Diffie-Hellman) is a key exchange
protocol that used during phase 1 of the authentication process to establish pre-shared keys.
There are three
groups of different prime key lengths. Group 1 is 768 bits, Group 2 is 1,024 bits and Group 5 is 1,536 bits. If
network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption
: There are two methods of encryption, DES and 3DES. The Encryption method determines
the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit
encryption. Both sides must use the same Encryption method. 3DES is recommended because it is more secure.
Phase 1 Authentication
: There are two methods of authentication, MD5 and SHA. The Authentication method
determines a method to authenticate the ESP packets. Both sides must use the same Authentication method.
MD5 is a one-way hashing algorithm that produces a 128-bit digest.
SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more
secure, and both sides must use the same Authentication method.
Page 55 / 105
46
Chapter 5: Setting Up and Configuring the Router
VPN Tab - Gateway to Gateway
10/100 8-Port VPN Router
Phase 1 SA Life Time
: This field allows you to configure the length of time a VPN tunnel is active in Phase 1. The
default value is
28,800
seconds.
Perfect Forward Secrecy
: If PFS is enabled, IKE Phase 2 negotiation will generate a new key material for IP
traffic encryption and authentication. If PFS is enabled, a hacker using brute force to break encryption keys is not
able to obtain other or future IPSec keys.
Phase 2 DH Group
: There are three groups of different prime key lengths. Group1 is 768 bits, Group2 is 1,024
bits and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred,
select Group 5. You can choose the different Group with the Phase 1 DH Group you chose. If Perfect Forward
Secrecy is disabled, there is no need to setup the Phase 2 DH Group since no new key generated, and the key of
Phase 2 will be same with the key in Phase 1.
Phase 2 Encryption
: Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec
sessions. There are two methods of encryption, DES and 3DES. The Encryption method determines the length of
the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. Both sides
must use the same Encryption method. If users enable the AH Hash Algorithm in Advanced, then it is
recommended to select
Null
to disable encrypting/decrypting ESP packets in Phase 2, but both sides of the
tunnel must use the same setting.
Phase 2 Authentication
: There are two methods of authentication, MD5 and SHA. The Authentication method
determines a method to authenticate the ESP packets. Both sides must use the same Authentication method.
MD5 is a one-way hashing algorithm that produces a 128-bit digest. If users enable the AH Hash Algorithm in
Advanced, then it is recommended to select
Null
to disable authenticating ESP packets in Phase 2, but both sides
of the tunnel must use the same setting.
Phase 2 SA Life Time
: This field allows you to configure the length of time a VPN tunnel is active. The default
value is 3,600 seconds.
Preshared Key
: Use character and hexadecimal values in this field, e.g. “My_@123” or “4d795f40313233.” The
max entry of this field is 30-digit. Both sides must use the same Pre-shared Key. It’s recommended to change
Preshared keys regularly to maximize VPN security.
Click the
Save Settings
button to save the settings or click the
Cancel Changes
button to undo the changes.
Advanced
For most users, the settings on the VPN page should be satisfactory. This device provides an advanced IPSec
setting page for some special users such as reviewers. Click the
Advanced
button to link you to that page.
Advanced settings are only for IKE with Preshared Key mode of IPSec.

Rate

3.5 / 5 based on 2 votes.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top