Reference Manual for the Model Wireless ADSL Firewall Router DG834G
8-40
Virtual Private Networking (Advanced Feature)
202-10006-05, June 2005
Local Identity Data—enter the data for the selection above. (If "WAN IP Address" is selected, no input is required.)
Remote Identity Type—select the desired option to match the "Local Identity Type" setting on the remote VPN endpoint.
IP Address—the Internet IP address of the remote VPN endpoint.
Fully Qualified Domain Name—the Domain name of the remote VPN endpoint.
Fully Qualified User Name—the name, E-mail address, or other ID of the remote VPN endpoint.
Remote Identity Data—enter the data for the selection above. (If "IP Address" is selected, no input is required.)
Parameters
Encryption Algorithm—encryption algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. DES and 3DES are supported.
DES—the Data Encryption Standard (DES) processes input data in 64-bit blocks, encrypting each block with a 56-bit key. Faster but less secure than 3DES: a 56-bit key is small enough to be recovered by brute force, so select DES only when the remote gateway cannot use 3DES.
3DES—(Triple DES) achieves a higher level of security by encrypting each block three times using DES with three different, unrelated keys.
Authentication Algorithm—authentication (integrity) algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not available in responder-only mode.
MD5—128-bit digest, faster but less secure.
SHA-1 (default)—160-bit digest, slower but more secure.
Pre-shared Key—the key must be entered both here and on the remote VPN Gateway. Use a long, random key and keep it secret; a short or guessable key is the weakest point of a pre-shared-key tunnel, and the 12345678 used in the worked example later in this section is a placeholder only.
SA Life Time—this determines the time interval before the SA (Security Association) expires. (It will automatically be re-established as required.) A short time period (or data amount) limits how much traffic is protected under one key and so increases security, but it also degrades performance because the SA must be renegotiated more often. It is common to use periods over an hour (3600 seconds) for the SA Life Time. This setting applies to both IKE and IPSec SAs.
IPSec PFS (Perfect Forward Secrecy)—if enabled, each new IPSec key is derived from a fresh Diffie-Hellman exchange rather than from the IKE keying material alone. Security is enhanced because the key is changed at regular intervals and, even if one key is broken, subsequent keys are no easier to break. (Each key has no relationship to the previous key.)
This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match
this setting, you may have to specify the "Key Group" used. For this device, the "Key Group" is
the same as the "DH Group" setting in the IKE section.
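The property described above, as an added example that is not code from the DG834G manual or from NETGEAR: a simplified Python model of IKEv1 Quick Mode keying in the shape of the RFC 2409 KEYMAT derivation (a prf keyed with SKEYID_d over the SPI and nonces, with a fresh Diffie-Hellman secret mixed in when PFS is on), using the Group 2 (1024-bit) modulus the DH Group setting refers to. The functions quick_mode_keymat, attacker_keymat and simulate are ours, the protocol-id and other wire fields are omitted, and the input values are constructed; it shows the property, it is not a wire-compatible IKE implementation.

```python
"""Why IPSec PFS matters: a simplified model of IKEv1 Quick Mode keying.

Added example, not part of the DG834G manual or its firmware.  Follows the
shape of the RFC 2409 KEYMAT derivation but drops the protocol-id field and
other wire details: a model of the property, not an interoperable IKE.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (IKE DH Group 2, 1024-bit MODP), generator 2.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2


def dh_public(private: int) -> int:
    """g^x mod p: the value each gateway sends on the wire (visible to a sniffer)."""
    return pow(DH_GROUP2_G, private, DH_GROUP2_P)


def dh_shared(private: int, peer_public: int) -> bytes:
    """g^xy mod p as a fixed-width byte string (1024 bits = 128 bytes)."""
    return pow(peer_public, private, DH_GROUP2_P).to_bytes(128, "big")


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                      dh_secret: bytes = b"") -> bytes:
    """IPSec SA key material for one SA.

    Without PFS the only secret input is SKEYID_d, carried over from the IKE
    (phase 1) SA.  With PFS a fresh g^xy from a Quick Mode DH exchange is mixed
    in first.  prf = HMAC-SHA1, the manual's default authentication algorithm.
    """
    return hmac.new(skeyid_d, dh_secret + spi + ni + nr, hashlib.sha1).digest()


def attacker_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes) -> bytes:
    """Best effort of an attacker who later obtains SKEYID_d.

    SPI, nonces and the DH public values all travel in the clear, but g^xy
    needs one of the private exponents, so the attacker can only evaluate
    the no-PFS formula.
    """
    return quick_mode_keymat(skeyid_d, spi, ni, nr)


def simulate(pfs: bool, skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
             x: int, y: int) -> dict:
    """One Quick Mode between gateway A (private x) and gateway B (private y)."""
    secret = b""
    if pfs:
        gx, gy = dh_public(x), dh_public(y)
        secret_a = dh_shared(x, gy)      # A computes (g^y)^x
        secret_b = dh_shared(y, gx)      # B computes (g^x)^y
        assert secret_a == secret_b      # both ends agree on g^xy
        secret = secret_a
    keymat = quick_mode_keymat(skeyid_d, spi, ni, nr, secret)
    return {
        "keymat": keymat,
        "attacker_recovers_key": attacker_keymat(skeyid_d, spi, ni, nr) == keymat,
    }


if __name__ == "__main__":
    # Constructed values; a real gateway draws these from its RNG.
    skeyid_d = secrets.token_bytes(20)
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    x = secrets.randbelow(DH_GROUP2_P - 2) + 1
    y = secrets.randbelow(DH_GROUP2_P - 2) + 1
    for pfs in (False, True):
        r = simulate(pfs, skeyid_d, spi, ni, nr, x, y)
        print(f"PFS {'on ' if pfs else 'off'}: attacker holding SKEYID_d recovers "
              f"the IPSec key? {r['attacker_recovers_key']}")
```

With PFS off, every IPSec key negotiated during the IKE SA's lifetime is a function of SKEYID_d and public data, so one compromised IKE secret exposes all of them; with PFS on, each IPSec key also depends on a private exponent that is discarded after the exchange. That is the trade-off behind the worksheet's "Perfect Forward Secrecy: Disabled" choice, and why the remote endpoint's "Key Group" must equal this device's DH Group when PFS is enabled.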
Example of Using Auto Policy
Figure 8-42: Gateway-to-Gateway VPN Tunnel
[Figure: PCs on LAN A behind DG834G VPN Firewall A (LAN 192.168.0.1, WAN 14.15.16.17), a VPN tunnel across the Internet, and PCs on LAN B behind DG834G VPN Firewall B (LAN 192.168.3.1, WAN 22.23.24.25).]
1. Set the LAN IPs on each DG834G to different subnets and configure each properly for the Internet. The following settings are assumed for this example:
Table 8-1. VPN Tunnel Configuration Worksheet

Connection Name:                                  GtoG
Pre-Shared Key:                                   12345678
Secure Association -- Main Mode or Manual Keys:   Main
Perfect Forward Secrecy -- Enabled or Disabled:   Disabled
NETBIOS -- Enabled or Disabled:                   Enabled
Encryption Protocol -- DES or 3DES:               3DES
Authentication Protocol -- MD5 or SHA-1:          SHA-1
Diffie-Hellman (DH) Group -- Group 1 or Group 2:  Group 2
Key Life in seconds:                              28800 (8 hours)
IKE Life Time in seconds:                         3600 (1 hour)

VPN Endpoint   Local IPSec ID   LAN IP Address   Subnet Mask     FQDN or Gateway IP (WAN IP Address)
DG834G A       LAN_A            192.168.0.1      255.255.255.0   14.15.16.17
DG834G B       LAN_B            192.168.3.1      255.255.255.0   22.23.24.25
2. Open the management interface of the DG834G on LAN A and click VPN Policies.
Figure 8-43: VPN Policies Screen
3. Click Add Auto Policy.
4. Enter the policy settings (see Figure 8-44).
General
  Policy Name = GtoG
  Remote VPN Endpoint Address Type = Fixed IP Address
  Remote VPN Endpoint Address Data = 22.23.24.25
  Local LAN = use default setting
  Remote LAN
    IP Address = select Subnet address from the pulldown menu.
    Start IP address = 192.168.3.1
    Subnet Mask = 255.255.255.0
IKE
  Direction = Initiator and Responder
  Exchange Mode = Main Mode
  Diffie-Hellman (DH) Group = Group 2 (1024 Bit)
  Local Identity Type = use default setting
  Remote Identity Type = use default setting
Parameters
  Encryption Algorithm = 3DES
  Authentication Algorithm = SHA-1 (as listed in the Table 8-1 worksheet; whichever algorithm is chosen, the DG834G on LAN B must use the same one)
  Pre-shared Key = 12345678
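The Parameters section above repeatedly says a value "must match the setting used on the remote VPN Gateway", and steps 1 to 4 enter only gateway A's half of the tunnel. As an added example (not the manual's or NETGEAR's own tooling), the following Python encodes the Table 8-1 worksheet as data, derives gateway B's Auto Policy as the mirror image of gateway A's (A's Remote VPN Endpoint is B's WAN address, A's Remote LAN is B's Local LAN, A's Remote Identity is B's Local Identity), and runs the checks a practitioner makes before applying the policy: that every must-match parameter is identical on both ends, that the two LAN subnets differ, and that none of the options the manual itself calls the less secure choice has been selected. The field names (build_policy, check_pair, check_weak_settings, the dictionary keys) are ours, not the router's form labels.

```python
"""Mirror the GtoG Auto Policy onto both gateways and check the pair.

Added example, not code from the DG834G manual.  Worksheet values are the
ones assumed in Table 8-1; the dictionary keys are our own names.
"""
import ipaddress

WORKSHEET = {
    "policy_name": "GtoG",
    "psk": "12345678",          # placeholder from the manual; flagged below
    "exchange_mode": "Main",
    "pfs": False,
    "encryption": "3DES",       # DES | 3DES
    "authentication": "SHA-1",  # MD5 | SHA-1
    "dh_group": 2,              # 1 (768-bit) | 2 (1024-bit)
    "ipsec_sa_life": 28800,     # Key Life, seconds
    "ike_sa_life": 3600,        # IKE Life Time, seconds
}
ENDPOINTS = {
    "A": {"ipsec_id": "LAN_A", "lan": "192.168.0.1/24", "wan": "14.15.16.17"},
    "B": {"ipsec_id": "LAN_B", "lan": "192.168.3.1/24", "wan": "22.23.24.25"},
}

# Parameters the manual says must be identical on both gateways.
MUST_MATCH = ("psk", "exchange_mode", "pfs", "encryption", "authentication",
              "dh_group", "ipsec_sa_life", "ike_sa_life")


def build_policy(local: str, remote: str, endpoints=ENDPOINTS,
                 worksheet=WORKSHEET) -> dict:
    """The Auto Policy as entered on gateway `local`, pointing at `remote`."""
    me, peer = endpoints[local], endpoints[remote]
    return {
        **{k: worksheet[k] for k in MUST_MATCH},
        "policy_name": worksheet["policy_name"],
        "remote_endpoint": peer["wan"],  # Remote VPN Endpoint, Fixed IP Address
        "local_lan": str(ipaddress.ip_network(me["lan"], strict=False)),
        "remote_lan": str(ipaddress.ip_network(peer["lan"], strict=False)),
        "local_identity": me["ipsec_id"],      # Local Identity Data
        "remote_identity": peer["ipsec_id"],   # Remote Identity Data
    }


def check_pair(pol_a: dict, pol_b: dict) -> list:
    """Mismatches between the two ends; an empty list means they agree."""
    problems = []
    for k in MUST_MATCH:
        if pol_a[k] != pol_b[k]:
            problems.append(f"{k}: {pol_a[k]!r} on A vs {pol_b[k]!r} on B")
    # Mirror checks: each side's Remote settings are the other side's Local ones.
    if (pol_a["remote_lan"] != pol_b["local_lan"]
            or pol_b["remote_lan"] != pol_a["local_lan"]):
        problems.append("Remote LAN on one side is not the Local LAN on the other")
    if (pol_a["remote_identity"] != pol_b["local_identity"]
            or pol_b["remote_identity"] != pol_a["local_identity"]):
        problems.append("Remote Identity on one side is not the Local Identity on the other")
    # Step 1 requires the two LANs to be on different subnets.
    if ipaddress.ip_network(pol_a["local_lan"]).overlaps(
            ipaddress.ip_network(pol_a["remote_lan"])):
        problems.append("local and remote LAN subnets overlap")
    return problems


def check_weak_settings(pol: dict) -> list:
    """Options the manual itself describes as the less secure choice."""
    warnings = []
    if pol["encryption"] == "DES":
        warnings.append("DES: 56-bit key is brute-forceable; use 3DES")
    if pol["authentication"] == "MD5":
        warnings.append("MD5: use SHA-1 (the default)")
    if pol["dh_group"] == 1:
        warnings.append("DH Group 1 (768-bit): use Group 2 (1024-bit)")
    if len(pol["psk"]) < 20 or pol["psk"].isdigit():
        warnings.append("pre-shared key is short or all digits; use a long random key")
    if not pol["pfs"]:
        warnings.append("PFS disabled: a compromised IKE SA secret exposes IPSec keys")
    return warnings


if __name__ == "__main__":
    a, b = build_policy("A", "B"), build_policy("B", "A")
    print("mismatches:", check_pair(a, b) or "none")
    for name, pol in (("A", a), ("B", b)):
        for w in check_weak_settings(pol):
            print(f"{name}: {w}")
```

Running it on the worksheet reports no mismatches between A and B but warns about the eight-digit pre-shared key and disabled PFS, which is the point: the two halves of a tunnel can be perfectly consistent and still weak. Changing the authentication algorithm on one gateway only (the MD5/SHA-1 disagreement is the most common reason an Auto Policy never comes up) is caught by check_pair before it costs a failed IKE negotiation.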