52
Chapter 5: Setting Up and Configuring the Router
VPN Tab - Client to Gateway
10/100 8-Port VPN Router
groups of different prime key lengths. Group 1 is 768 bits, Group 2 is 1,024 bits and Group 5 is 1,536 bits. If
network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption
: There are two methods of encryption, DES and 3DES. The Encryption method determines
the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit
encryption. Both sides must use the same Encryption method. 3DES is recommended because it is more secure.
Phase 1 Authentication
: There are two methods of authentication, MD5 and SHA. The Authentication method
determines a method to authenticate the ESP packets. Both sides must use the same Authentication method.
MD5 is a one-way hashing algorithm that produces a 128-bit digest.
SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more
secure, and both sides must use the same Authentication method.
Phase 1 SA Life Time
: This field allows you to configure the length of time a VPN tunnel is active in Phase 1. The
default value is
28,800
seconds.
Perfect Forward Secrecy
: If PFS is enabled, IKE Phase 2 negotiation will generate a new key material for IP
traffic encryption and authentication. If PFS is enabled, a hacker using brute force to break encryption keys is not
able to obtain other or future IPSec keys.
Phase 2 DH Group
: There are three groups of different prime key lengths. Group1 is 768 bits, Group2 is 1,024
bits and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred,
select Group 5. You can choose the different Group with the Phase 1 DH Group you chose. If Perfect Forward
Secrecy is disabled, there is no need to setup the Phase 2 DH Group since no new key generated, and the key of
Phase 2 will be the same with the key in Phase 1.
Phase 2 Encryptio
n: Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec
sessions. There are two methods of encryption, DES and 3DES. The Encryption method determines the length of
the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. Both sides
must use the same Encryption method. If users enable the AH Hash Algorithm in Advanced, then it is
recommended to select
Null
to disable encrypting/decrypting ESP packets in Phase 2, but both sides of the
tunnel must use the same setting.
Phase 2 Authentication
: There are two methods of authentication, MD5 and SHA. The Authentication method
determines a method to authenticate the ESP packets. Both sides must use the same Authentication method.
MD5 is a one-way hashing algorithm that produces a 128-bit digest. If users enable the AH Hash Algorithm in
Advanced, then it is recommended to select
Null
to disable authenticating ESP packets in Phase 2, but both sides
of the tunnel must use the same setting.