31
Chapter 6: Configuring the Wireless-G VPN Broadband Router
Wireless-G VPN Broadband Router
The Security Tab - VPN
Virtual Private Networking (VPN) is a security measure that creates a secure connection between two remote locations. This connection is very specific as far as its settings are concerned; this is what creates the security. The VPN screen allows you to configure your VPN settings to make your network more secure.
VPN PassThrough
IPSec Passthrough. IPSec (Internet Protocol Security) is a suite of protocols used to implement secure exchange of packets at the IP layer. To allow IPSec Passthrough, click the Enabled button. To disable IPSec Passthrough, click the Disabled button.
PPTP Passthrough. PPTP (Point-to-Point Tunneling Protocol) Passthrough allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network. To allow PPTP Passthrough, click the Enabled button. To disable PPTP Passthrough, click the Disabled button.
L2TP Passthrough. Layer 2 Tunneling Protocol (L2TP) Passthrough is the method used to enable Point-to-Point sessions via the Internet on the Layer 2 level. To allow L2TP Passthrough, click the Enabled button. To disable L2TP Passthrough, click the Disabled button.
VPN Tunnel
The VPN Broadband Router creates a tunnel or channel between two endpoints, so that the data or information between these endpoints is secure.
Select Tunnel Entry. To establish this tunnel, select the tunnel you wish to create from the drop-down box. It is possible to create up to 100 simultaneous tunnels.
VPN Tunnel. Click Enabled to enable the selected VPN Tunnel.
VPN Gateway. If you want to route all the traffic through the tunnel, and not just the traffic destined for the remote secure group, click Enabled.
Tunnel Name. Once the tunnel is enabled, enter the name of the tunnel. This allows you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
Local Secure Group
The Local Secure Group is the computer(s) on your LAN that can access the tunnel. From the drop-down menu, select Subnet to include the entire network for the tunnel; select IP Address if you want a specific computer; IP Range if you want to include a range of IP addresses; or select Host, which is used with Port Forwarding to direct the traffic to the correct computer. The screen will change depending on the selected option. The options are described below.
Figure 6-21: Security Tab - VPN
Figure 6-22: Local Secure Group - Subnet and Remote Secure Group - Subnet
Subnet. Enter the IP Address and Mask of the local VPN Broadband Router in the fields provided. To allow access to the entire IP subnet, enter 0 for the last set of IP Addresses (e.g. 192.168.1.0).
IP Address. Enter the IP Address of the local VPN Broadband Router. The Mask will be displayed.
IP Range. Enter the starting and ending numbers for the IP address range.
Host. The VPN tunnel will terminate at the Router with this setting. Use Port Range Forwarding to direct traffic to the correct computer. Refer to the Port Range Forwarding screen of the Applications and Gaming tab.
Remote Secure Group
The Remote Secure Group is the computer(s) on the remote end of the tunnel that can access the tunnel. From the drop-down menu, select Subnet to include the entire network for the tunnel; select IP Address if you want a specific computer; IP Range if you want to include a range of IP addresses; select Host if the VPN will terminate at the Router instead of the PC; or Any to allow any computer to access the tunnel. The screen will change depending on the selected option. The options are described below.
Subnet. Enter the IP Address and Mask of the remote VPN router in the fields provided. To allow access to the entire IP subnet, enter 0 for the last set of IP Addresses (e.g. 192.168.1.0).
IP Address. Enter the IP Address of the remote VPN router. The Mask will be displayed.
IP Range. Enter the starting and ending numbers for the IP Address range.
Remote Secure Gateway
The Remote Secure Gateway is the VPN device, such as a second VPN router, on the remote end of the VPN
tunnel. Enter the IP Address of the VPN device at the other end of the tunnel. The remote VPN device can be
another VPN router, a VPN server, or a computer with VPN client software that supports IPSec. The IP address may
either be static (permanent) or dynamic, depending on the settings of the remote VPN device.
If the IP Address is static, select IP Addr. and enter the IP address. Make sure that you have entered the IP address correctly, or the connection cannot be made. Remember, this is NOT the IP address of the local VPN Broadband Router; it is the IP address of the remote VPN router or device with which you wish to communicate. If the IP address is dynamic, select FQDN for DDNS or Any. If FQDN is selected, enter the domain name of the remote router, so the Router can locate a current IP address using DDNS. If Any is selected, then the Router will accept requests from any IP address.
Figure 6-23: Local Secure Group - IP Address and Remote Secure Group - IP Address
Figure 6-24: Local Secure Group - IP Range and Remote Secure Group - IP Range
Figure 6-25: Local Secure Group - Host and Remote Secure Group - Host
Figure 6-26: Local Secure Group - Subnet and Remote Secure Group - Any
Encryption. Using encryption also helps make your connection more secure. There are two different types of encryption: DES or 3DES (3DES is recommended because it is more secure). You may choose either of these, but it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel. Or, you may choose to disable this feature.
Authentication. Authentication acts as another level of security. There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication. Or, both ends of the tunnel may choose to disable authentication.
Key Management
Key Exchange Method. Select Auto (IKE) or Manual for the Key Exchange Method. Both ends of a VPN tunnel must use the same mode of key management. The two methods are described below. After you have selected the method, the settings available on this screen may change, depending on the selection you have made.
Auto (IKE)
IKE (Internet Key Exchange) is the protocol used to negotiate key material for a Security Association (SA). IKE uses the Pre-shared Key to authenticate the remote IKE peer.
PFS. PFS (Perfect Forward Secrecy) ensures that the initial key exchange and IKE proposals are secure. To use PFS, click the Enabled radio button.
Pre-shared Key. You can choose to use a Pre-shared Key or RSA Signature. To use the Pre-shared Key, click its radio button, then enter a series of numbers or letters in the Pre-shared Key field. Based on this word, which MUST be entered at both ends of the tunnel, a key is generated to scramble (encrypt) the data being transmitted over the tunnel, where it is unscrambled (decrypted). You may use any combination of up to 24 numbers or letters in this field. No special characters or spaces are allowed.
RSA Signature. You can choose to use a Pre-shared Key or RSA Signature. To use the RSA Signature, click its radio button. Enter the RSA Signature in the field provided. (This is similar to a Pre-shared Key. Make sure it matches the RSA Signature entered at the remote end of the tunnel.)
Key Lifetime. You may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you’d like the key to be useful, or leave it blank for the key to last indefinitely.
Manual
If you select Manual, you generate the key yourself, and no key negotiation is needed. Manual key management is generally used in small static environments or for troubleshooting purposes.
Figure 6-27: Remote Secure Group - Any and Remote Secure Gateway - FQDN
Figure 6-28: Remote Secure Group - Any and Remote Secure Gateway - Any
Figure 6-29: Key Exchange Method - Auto (IKE)
Encryption Algorithm. Select a method of encryption, DES or 3DES. This determines the length of the key used to encrypt or decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.
Encryption Key. This field specifies a key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal values. If DES is selected, the Encryption Key is 16-bit, which requires 16 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 16-bit. If 3DES is selected, the Encryption Key is 48-bit, which requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 48-bit. Make sure both ends of the VPN tunnel use the same Encryption Key.
Authentication Algorithm. Select a method of authentication, MD5 or SHA1. The Authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Authentication Key. This field specifies a key used to authenticate IP traffic. Enter a key of hexadecimal values. If MD5 is selected, the Authentication Key is 32-bit, which requires 32 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Authentication Key will be automatically completed with zeroes until it has 32 hexadecimal values. If SHA1 is selected, the Authentication Key is 40-bit, which requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Authentication Key will be automatically completed with zeroes until it has 40 hexadecimal values. Make sure both ends of the VPN tunnel use the same Authentication Key.
Inbound & Outbound SPI (Security Parameter Index). The SPI is carried in the ESP (Encapsulating Security Payload) header and enables the receiver and sender to select the SA under which a packet should be processed. Hexadecimal values are accepted, and the valid range is 100~ffffffff. Each tunnel must have a unique Inbound SPI and Outbound SPI; no two tunnels share the same SPI. The Inbound SPI here must match the Outbound SPI value at the other end of the tunnel, and vice versa.
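The Manual fields above have to be typed identically at both ends, crossed over for the SPIs, and unique per tunnel on each Router, which is easy to get wrong by hand. The following Python is an added example and not code from the manual or the Router: it models the zero-fill the manual describes, the 100~ffffffff SPI range, the inbound/outbound cross-match and SPI uniqueness across tunnels. It counts the fields in hexadecimal digits using the standard IPSec key sizes (16 for DES, 48 for 3DES, 32 for MD5, 40 for SHA1), an assumption where the manual's bit and digit counts above disagree; the class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Field widths in hexadecimal digits. Standard IPSec key sizes, stated here as
# an assumption about this firmware: DES 64-bit, 3DES 192-bit, HMAC-MD5
# 128-bit, HMAC-SHA1 160-bit.
ENCRYPTION_HEX = {"DES": 16, "3DES": 48}
AUTHENTICATION_HEX = {"MD5": 32, "SHA1": 40}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF  # the manual's range 100~ffffffff

HEX_RE = re.compile(r"[0-9A-Fa-f]*")


def pad_key(entered: str, width: int) -> str:
    """Reproduce the Router's zero-fill: a short key is completed with 0s."""
    if not HEX_RE.fullmatch(entered):
        raise ValueError("keys take hexadecimal digits only")
    if len(entered) > width:
        raise ValueError(f"key has {len(entered)} digits, field holds {width}")
    return entered.lower().ljust(width, "0")


def parse_spi(entered: str) -> int:
    spi = int(entered, 16)
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {entered} outside 100~ffffffff")
    return spi


@dataclass
class ManualTunnel:
    name: str
    encryption: str          # "DES" or "3DES"
    encryption_key: str      # hex digits as typed into the field
    authentication: str      # "MD5" or "SHA1"
    authentication_key: str  # hex digits as typed into the field
    inbound_spi: str         # hex, as typed
    outbound_spi: str


def normalize(t: ManualTunnel) -> Dict[str, object]:
    """What the Router stores after padding, plus weak-key warnings."""
    enc_width = ENCRYPTION_HEX[t.encryption]
    auth_width = AUTHENTICATION_HEX[t.authentication]
    warnings: List[str] = []
    if len(t.encryption_key) < enc_width:
        warnings.append(f"{t.name}: encryption key zero-padded from "
                        f"{len(t.encryption_key)} to {enc_width} digits; "
                        "the effective key is that much weaker")
    if len(t.authentication_key) < auth_width:
        warnings.append(f"{t.name}: authentication key zero-padded from "
                        f"{len(t.authentication_key)} to {auth_width} digits")
    return {
        "encryption": t.encryption,
        "encryption_key": pad_key(t.encryption_key, enc_width),
        "authentication": t.authentication,
        "authentication_key": pad_key(t.authentication_key, auth_width),
        "inbound_spi": parse_spi(t.inbound_spi),
        "outbound_spi": parse_spi(t.outbound_spi),
        "warnings": warnings,
    }


def check_pair(local: ManualTunnel, remote: ManualTunnel) -> List[str]:
    """Mismatches that stop the two ends processing each other's ESP packets,
    together with the weak-key warnings from both ends."""
    l, r = normalize(local), normalize(remote)
    problems = list(l["warnings"]) + list(r["warnings"])
    for field_name in ("encryption", "encryption_key",
                       "authentication", "authentication_key"):
        if l[field_name] != r[field_name]:
            problems.append(f"{field_name} differs between the two ends")
    # The SPIs cross over: my inbound is the peer's outbound and vice versa.
    if l["inbound_spi"] != r["outbound_spi"]:
        problems.append("local Inbound SPI must equal the remote Outbound SPI")
    if l["outbound_spi"] != r["inbound_spi"]:
        problems.append("local Outbound SPI must equal the remote Inbound SPI")
    return problems


def check_spi_uniqueness(tunnels: Iterable[ManualTunnel]) -> List[str]:
    """Every tunnel on this Router needs its own Inbound and Outbound SPI."""
    seen: Dict[int, str] = {}
    problems: List[str] = []
    for t in tunnels:
        for label, value in (("Inbound", t.inbound_spi), ("Outbound", t.outbound_spi)):
            spi = parse_spi(value)
            if spi in seen:
                problems.append(f"{t.name} {label} SPI {value} already used by {seen[spi]}")
            else:
                seen[spi] = f"{t.name} {label}"
    return problems
```

The padding warning is the practical point: the Router silently fills a short entry with zeros, so a six-digit "key" in a 48-digit field is mostly zeros and far weaker than the algorithm name suggests. Generate full-length random hexadecimal keys and paste the same values at both ends.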
Status
The status information for the Router’s VPN tunnels is displayed here. Click the Disconnect button to terminate the VPN connection.
When you have finished making changes to the screen, click the Save Settings button to save the changes, or click the Cancel Changes button to undo your changes. For help information, click More.
Figure 6-30: Key Exchange Method - Manual
Advanced VPN Tunnel Setup
Click the Advanced VPN Tunnel Setup button, and the Advanced VPN Tunnel Setup screen will appear. These advanced IPSec settings are for advanced users.
Phase 1
Phase 1 is used to create a security association (SA), often called the IKE SA. After Phase 1 is completed, Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions.
Operation Mode. There are two modes, Main and Aggressive, and they exchange the same IKE payloads in different sequences. Main mode is more common; however, some people prefer Aggressive mode because it is faster. Main mode is for normal usage and includes more authentication requirements than Aggressive mode. Main mode is recommended because it is more secure. No matter which mode is selected, the VPN Router will accept both Main and Aggressive requests from the remote VPN device.
Encryption. Select the length of the key used to encrypt or decrypt ESP packets. There are two choices: DES and 3DES. 3DES is recommended because it is more secure.
Authentication. Select the method used to authenticate ESP packets. There are two choices: MD5 and SHA1. SHA1 is recommended because it is more secure.
Group. There are three Diffie-Hellman Groups to choose from: 768-bit, 1024-bit, and 1536-bit. Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.
Key Life Time. In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you’d like the key to be used until a re-key negotiation between each endpoint is completed.
Phase 2
Encryption. The encryption method selected in Phase 1 will be displayed.
Authentication. The authentication method selected in Phase 1 will be displayed.
PFS. The status of the PFS (Perfect Forward Secrecy) feature will be displayed.
Group. There are three Diffie-Hellman Groups to choose from: 768-bit, 1024-bit, and 1536-bit. Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.
Figure 6-31: Advanced VPN Tunnel Setup
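The Auto (IKE) settings earlier on this screen (the Pre-shared Key rule and Key Lifetime) and the Phase 1 / Phase 2 choices just described only work when both ends agree on them, while the Router tolerates a Main/Aggressive mismatch. The following Python is an added example, not the manual's or the Router's code: it checks the pre-shared key against the manual's 24-letters-or-digits rule, lists the settings two endpoints disagree on, and collects the choices the manual calls less secure (plus a blank lifetime, which means the key is never re-negotiated). The class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Up to 24 letters or digits, no spaces or special characters (the manual's rule).
PSK_RE = re.compile(r"[A-Za-z0-9]{1,24}")


def valid_preshared_key(psk: str) -> bool:
    return PSK_RE.fullmatch(psk) is not None


@dataclass
class IkeEndpoint:
    name: str
    mode: str                 # "Main" or "Aggressive"
    encryption: str           # "DES" or "3DES"
    authentication: str       # "MD5" or "SHA1"
    group: int                # Diffie-Hellman group size: 768, 1024 or 1536
    pfs: bool                 # Perfect Forward Secrecy on or off
    lifetime: Optional[int]   # Key Lifetime in seconds; None = never expires
    preshared_key: str


def negotiation_problems(a: IkeEndpoint, b: IkeEndpoint) -> List[str]:
    """Settings that must agree before Phase 1 and Phase 2 can complete."""
    problems: List[str] = []
    for attr in ("encryption", "authentication", "group", "pfs"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(
                f"{attr}: {a.name}={getattr(a, attr)} vs {b.name}={getattr(b, attr)}"
            )
    # Main vs Aggressive is deliberately not a failure: the Router accepts
    # either mode from the remote device.
    if a.preshared_key != b.preshared_key:
        problems.append("pre-shared keys differ")
    for ep in (a, b):
        if not valid_preshared_key(ep.preshared_key):
            problems.append(f"{ep.name}: pre-shared key is not 1-24 letters/digits")
    return problems


def weak_choices(ep: IkeEndpoint) -> List[str]:
    """Choices the manual marks as less secure, plus an indefinite key life."""
    notes: List[str] = []
    if ep.mode == "Aggressive":
        notes.append("Aggressive mode (Main mode is recommended)")
    if ep.encryption == "DES":
        notes.append("DES (3DES is recommended)")
    if ep.authentication == "MD5":
        notes.append("MD5 (SHA1 is recommended)")
    if ep.group == 768:
        notes.append("768-bit Diffie-Hellman group (smallest offered)")
    if not ep.pfs:
        notes.append("PFS disabled")
    if ep.lifetime is None:
        notes.append("Key Lifetime blank: the key never expires or re-keys")
    return [f"{ep.name}: {n}" for n in notes]


if __name__ == "__main__":
    # Constructed sample endpoints; the pre-shared key is a placeholder.
    office = IkeEndpoint("office", "Main", "3DES", "SHA1", 1536, True, 3600, "ExamplePSK01")
    branch = IkeEndpoint("branch", "Aggressive", "DES", "MD5", 768, False, None, "ExamplePSK01")
    print(negotiation_problems(office, branch))
    print(weak_choices(branch))
```

Run the two checks against the settings sheet before touching either Router: a negotiation mismatch shows up only as a tunnel that never comes up, and an indefinite lifetime is a choice that is easy to forget once the tunnel works.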