31

Chapter 6: Configuring the Wireless-G VPN Broadband Router

The Security Tab - VPN

Wireless-G VPN Broadband Router

The Security Tab - VPN

Virtual Private Networking (VPN) is a security measure that basically creates a secure connection between two

remote locations.

This connection is very specific as far as its settings are concerned; this is what creates the

security.

The VPN screen allows you to configure your VPN settings to make your network more secure.

VPN PassThrough

IPSec Passthrough

. IPSec (Internet Protocol Security) is a suite of protocols used to implement secure exchange

of packets at the IP layer. To allow IPSec Passthrough, click the

Enabled

button. To disable IPSec Passthrough,

click the

Disabled

button.

PPTP Pass Through

. PPTP (Point-to-Point Tunneling Protocol) Passthrough allows the Point-to-Point (PPP) to be

tunneled through an IP network. To allow PPTP Passthrough, click the

Enabled

button. To disable PPTP

Passthrough, click the

Disabled

button.

L2TP Passthrough

. Layer 2 Tunneling Protocol Passthrough is the method used to enable Point-to-Point

sessions via the Internet on the Layer 2 level. To allow L2TP Passthrough, click the

Enabled

button. To disable

L2TP Passthrough, click the

Disabled

button.

VPN Tunnel

The VPN Broadband Router creates a tunnel or channel between two endpoints, so that the data or information

between these endpoints is secure.

Select Tunnel Entry

. To establish this tunnel, select the tunnel you wish to create from the drop-down box.

It is

possible to create up to 100 simultaneous tunnels.

VPN Tunnel

. Click

Enabled

to enable the selected VPN Tunnel.

VPN Gateway

. If you want to route all the traffic through the tunnel, and not just the ones destined for the remote

secure group, click

Enabled

.

Tunnel Name

. Once the tunnel is enabled, enter the name of the tunnel.

This allows you to identify multiple

tunnels and does not have to match the name used at the other end of the tunnel.

Local Secure Group

The Local Secure Group is the computer(s) on your LAN that can access the tunnel. From the drop-down menu,

select

Subnet

, to include the entire network for the tunnel; select

IP Address

if you want a specific computer;

IP

Range

, if you want to include a range of IP addresses; or select

Host

, which is used with Port Forwarding to

Figure 6-21: Security Tab - VPN

Figure 6-22: Local Secure Group - Subnet

and Remote Secure Group - Subnet

32

Chapter 6: Configuring the Wireless-G VPN Broadband Router

The Security Tab - VPN

Wireless-G VPN Broadband Router

direct the traffic to the correct computer. The screen will change depending on the selected option. The options

are described below.

Subnet

. Enter the

IP Address

and

Mask

of the local VPN Broadband Router in the fields provided. To allow

access to the entire IP subnet, enter

0

for the last set of IP Addresses. (e.g. 192.168.1.0).

IP Address

. Enter the IP Address of the local VPN Broadband Router. The Mask will be displayed.

IP Range

. Enter the starting and ending numbers for the IP address range.

Host

. The VPN tunnel will terminate at the router with this setting. Use Port Range Forwarding to direct traffic to

the correct computer. Refer to the Port Range Forwarding tab of the Applications and Gaming tab.

Remote Secure Group

The Remote Secure Group is the computer(s) on the remote end of the tunnel that can access the tunnel. From

the drop-down menu, select

Subnet

, to include the entire network for the tunnel; select

IP address

if you want a

specific computer; IP Range, if you want to include a range of IP addresses; select

Host

, if the VPN will terminate

at the Router, instead of the PC; or

Any

, to allow any computer to access the tunnel. The screen will change

depending on the selected option. The options are described below.

Subnet

. Enter the IP Address and Mask of the remote VPN router in the fields provided. To allow access to the

entire IP subnet, enter

0

for the last set of IP Addresses. (e.g. 192.168.1.0).

IP Address

. Enter the IP Address of the remote VPN router. The Mask will be displayed.

IP Range

. Enter the starting and ending numbers for the IP Address range.

Remote Secure Gateway

The Remote Secure Gateway is the VPN device, such as a second VPN router, on the remote end of the VPN

tunnel. Enter the IP Address of the VPN device at the other end of the tunnel. The remote VPN device can be

another VPN router, a VPN server, or a computer with VPN client software that supports IPSec. The IP address may

either be static (permanent) or dynamic, depending on the settings of the remote VPN device.

If the IP Address is static, select

IP Addr.

and enter the IP address. Make sure that you have entered the IP

address correctly, or the connection cannot be made. Remember, this is NOT the IP address of the local VPN

Broadband Router; it is the IP address of the remote VPN router or device with which you wish to communicate. If

the IP address is dynamic, select

FQDN

for DDNS or

Any

. If FQDN is selected, enter the domain name of the

remote router, so the Router can locate a current IP address using DDNS. If Any is selected, then the Router will

accept requests from any IP address.

Figure 6-23: Local Secure Group - IP Address

and Remote Secure Group - IP Address

Figure 6-24: Local Secure Group - IP Range

and Remote Secure Group - IP Range

Figure 6-25: Local Secure Group - Host

and Remote Secure Group - Host

Figure 6-26: Local Secure Group - Subnet

and Remote Secure Group - Any

33

Chapter 6: Configuring the Wireless-G VPN Broadband Router

The Security Tab - VPN

Wireless-G VPN Broadband Router

Encryption

. Using encryption also helps make your connection more secure. There are two different types of

encryption: DES or 3DES (3DES is recommended because it is more secure). You may choose either of these, but

it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel. Or, you

may choose to disable this feature.

Authentication

. Authentication acts as another level of security. There are two types of authentication: MD5 and

SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected,

provided that the VPN device at the other end of the tunnel is using the same type of authentication. Or, both ends

of the tunnel may choose to disable authentication.

Key Management

Key Exchange Method

. Select

Auto (IKE)

or

Manual

for the Key Exchange Method. Both ends of a VPN tunnel

must use the same mode of key management. The two methods are described below. After you have selected the

method, the settings available on this screen may change, depending on the selection you have made.

Auto (IKE)

IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses

the Pre-shared Key to authenticate the remote IDE peer.

PFS

. PFS (Perfect Forward Secrecy) ensures that the initial key exchange and IKE proposals are secure. To

use PFS, click the

Enabled

radio button.

Pre-shared Key

. You can choose to use a Pre-shared Key or RSA Signature. To use the Pre-shared Key, click

its radio button. enter a series of numbers or letters in the

Pre-shared Key

field. Based on this word, which

MUST be entered at both ends of the tunnel, a key is generated to scramble (encrypt) the data being

transmitted over the tunnel, where it is unscrambled (decrypted). You may use any combination of up to 24

numbers or letters in this field. No special characters or spaces are allowed.

RSA Signature

. You can choose to use a Pre-shared Key or RSA Signature. To use the RSA Signature, click its

radio button. Enter the RSA Signature in the field provided. (This is similar to a Pre-shared Key. Make sure it

matches the RSA Signature entered at the remote end of the tunnel.s

Key Lifetime

. You may optionally select to have the key expire at the end of a time period of your choosing.

Enter the number of seconds you’d like the key to be useful, or leave it blank for the key to last indefinitely.

Manual

If you select Manual, you generate the key yourself, and no key negotiation is needed. Basically, manual key

management is used in small static environments or for troubleshooting purposes.

Figure 6-27: Remote Secure Group - Any

and Remote Secure Gateway - FQDN

Figure 6-28: Remote Security Group - Any

and Remote Secure Gateway - Any

Figure 6-29: Key Exchange Method - Auto(IKE)

34

Chapter 6: Configuring the Wireless-G VPN Broadband Router

The Security Tab - VPN

Wireless-G VPN Broadband Router

Encryption Algorithm

. Select a method of encryption,

DES

or

3DES

. This determines the length of the key

used to encrypt or decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is

recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption

method.

Encryption Key

. This field specifies a key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal

values. If DES is selected, the Encryption Key is 16-bit, which requires 16 hexadecimal values. If you do not

enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with

zeroes, so the Encryption Key will be 16-bit. If 3DES is selected, the Encryption Key is 48-bit, which requires

40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key

will be automatically completed with zeroes, so the Encryption Key will be 48-bit. Make sure both ends of the

VPN tunnel use the same Encryption Key.

Authentication Algorithm

. Select a method of authentication,

MD5

or

SHA1

. The Authentication method

determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit

digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it

is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Authentication Key

. This field specifies a key used to authenticate IP traffic. Enter a key of hexadecimal

values. If MD5 is selected, the Authentication Key is 32-bit, which requires 32 hexadecimal values. If you do

not enter enough hexadecimal values, then the rest of the Authentication Key will be automatically completed

with zeroes until it has 32 hexadecimal values. If SHA is selected, the Authentication Key is 40-bit, which

requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the

Authentication Key will be automatically completed with zeroes until it has 40 hexadecimal values. Make sure

both ends of the VPN tunnel use the same Authentication Key.

Inbound & Outbound SPI

(Security Parameter Index). SPI is carried in the ESP (Encapsulating Security

Payload Protocol) header and enables the receiver and sender to select the SA, under which a packet should

be processed. Hexadecimal values is acceptable, and the valid range is 100~ffffffff. Each tunnel must have a

unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. The Incoming SPI here must match

the Outgoing SPI value at the other end of the tunnel, and vice versa.

Status

The status information for the Router’s VPN tunnels is displayed here. Click the

Disconnect

button to terminate

the VPN connection.

When you have finished making changes to the screen, click the

Save Settings

button to save the changes, or

click the

Cancel Changes

button to undo your changes. For help information, click

More

.

Figure 6-30: Key Exchange Method - Manual

35

Chapter 6: Configuring the Wireless-G VPN Broadband Router

The Security Tab - VPN

Wireless-G VPN Broadband Router

Advanced VPN Tunnel Setup

Click the

Advanced VPN Tunnel Setup

button, and the

Advanced VPN Tunnel Setup

screen will appear.

These advanced IPSec settings are for advanced users.

Phase 1

Phase 1 is used to create a security association (SA), often called the IKE SA. After Phase 1 is completed, Phase 2

is used to create one or more IPSec SAs, which are then used to key IPSec sessions.

Operation Mode

. There are two modes: Main and Aggressive, and they exchange the same IKE payloads in

different sequences. Main mode is more common; however, some people prefer Aggressive mode because it is

faster. Main mode is for normal usage and includes more authentication requirements than Aggressive mode.

Main mode is recommended because it is more secure. No matter which mode is selected, the VPN Router will

accept both Main and Aggressive requests from the remote VPN device.

Encryption

. Select the length of the key used to encrypt or decrypt ESP packets. There are two choices: DES and

3DES. 3DES is recommended because it is more secure.

Authentication

. Select the method used to authenticate ESP packets. There are two choices: MD5 and SHA1.

SHA1 is recommended because it is more secure.

Group

. There are three Diffie-Hellman Groups to choose from: 768-bit, 1024-bit, and 1536-bit. Diffie-Hellman

refers to a cryptographic technique that uses public and private keys for encryption and decryption.

Key Life Time

. In the

Key Lifetime

field, you may optionally select to have the key expire at the end of a time

period of your choosing. Enter the number of seconds you’d like the key to be used until a re-key negotiation

between each endpoint is completed.

Phase 2

Encryption

. The encryption method selected in Phase 1 will be displayed.

Authentication

. The authentication method selected in Phase 1 will be displayed.

PFS

. The status of the PFS (Perfect Forward Secrecy) feature will be displayed.

Group

. There are three Diffie-Hellman Groups to choose from: 768-bit, 1024-bit, and 1536-bit. Diffie-Hellman

refers to a cryptographic technique that uses public and private keys for encryption and decryption.

Figure 6-31: Advanced VPN Tunnel Setup