SmartRG™ Residential Gateways
Page | 56
Confidential SmartRG © 2012
header by encapsulating it in an additional IP header. The outer IP header remains
unprotected.
5. Enter the IP address of the tunnel’s remote IPSec gateway.
6. Select either a single IP address or a subnet of IP addresses for the local end of the IPSec tunnel.
7. Enter either the single local IP address or the local subnet definition.
8. Select either a single IP address or a subnet of IP addresses for the remote end of the IPSec tunnel.
9. Enter either the single remote IP address or the remote subnet definition.
10. Select the Key Exchange Method. Keys can be exchanged manually (set identically on both ends) or automatically using “Internet Key Exchange” (IKE). This example assumes the selection of IKE.
11. Select the Authentication Method. Authentication can be performed either with a “Pre-Shared Key” or a certificate. This example assumes the selection of a Pre-Shared Key.
12. Enter the Pre-Shared Key value. Both character and hexadecimal values are acceptable (e.g. 0x123abc456def789 or VPN@tunnel_123).
13. Enable/Disable Perfect Forward Secrecy. PFS forces a new Diffie-Hellman key exchange so that the same key is not generated again. This prevents an attacker who snoops a present transmission and deciphers its key from using that key to observe future data transmissions.
14. Set the Phase 1 Advanced IKE Settings (establish a secure, authenticated channel):
    a. Select the Mode: “Main” mode is more secure but adds delay. “Aggressive” mode is faster but less secure.
    b. Select the Encryption Algorithm: AES-256 is the most secure.
    c. Select the Integrity Algorithm: MD5 is a one-way hash with a 128-bit digest. SHA1 is a one-way hash with a 160-bit digest.
    d. Select the Diffie-Hellman Group for Key Exchange. Diffie-Hellman is a cryptographic protocol that enables two devices to establish a shared secret over unsecured channels. More bits provide greater security but increase the time needed for key computation.
    e. Specify the Key Life Time. Keys will be renewed after this interval.
15. Set the Phase 2 Advanced IKE Settings (generate keys and negotiate the IPSec Security Association):
    a. Repeat steps 14b-14e.
16. Click Apply/Save.
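
As an added example (not SmartRG code and not part of the original guide), the following Python audits the choices made in steps 10 to 15 before they are applied and lists the settings that weaken the tunnel. The dictionary field names, the 128-bit Pre-Shared Key and 2048-bit Diffie-Hellman thresholds, and the sample configuration are assumptions.

```python
import math

# Assumptions (not SmartRG's schema): dict field names, both thresholds.
MIN_PSK_BITS, MIN_DH_BITS = 128, 2048
DOC_EXAMPLE_PSKS = {"0x123abc456def789", "VPN@tunnel_123"}  # printed in step 12

def psk_bits(psk):
    """Upper bound on PSK entropy, as if every character were chosen at random."""
    if psk.lower().startswith("0x"):
        return 4.0 * len(psk[2:])                 # one hex digit = 4 bits
    pools = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
             (lambda c: not c.isalnum(), 32)]     # 32 = ASCII punctuation
    size = sum(n for test, n in pools if any(test(c) for c in psk))
    return len(psk) * math.log2(size) if size else 0.0

def audit(cfg):
    """Return findings for one tunnel's settings from steps 10-15."""
    if cfg["key_exchange"] != "ike":
        return ["manual keying: no automatic key renewal, IKE settings unused"]
    out = []
    if cfg["auth"] == "psk":
        if cfg["psk"] in DOC_EXAMPLE_PSKS:
            out.append("PSK is an example value printed in the manual")
        elif psk_bits(cfg["psk"]) < MIN_PSK_BITS:
            out.append("PSK too short to reach %d bits" % MIN_PSK_BITS)
        if cfg["mode"] == "aggressive":
            out.append("aggressive mode + PSK: exchanged hash allows offline guessing")
    if not cfg["pfs"]:
        out.append("PFS disabled: Phase 2 keys derive from Phase 1 secret")
    for name in ("phase1", "phase2"):
        p = cfg[name]
        if p["encryption"] != "aes-256":
            out.append(name + ": not AES-256, the strongest option listed")
        if p["integrity"] == "md5":
            out.append(name + ": MD5 is the weaker integrity option; use SHA1")
        if p["dh_bits"] < MIN_DH_BITS:
            out.append(name + ": DH group below %d bits" % MIN_DH_BITS)
    return out

# Constructed sample: the weakest choice at every step.
WEAK = {"key_exchange": "ike", "auth": "psk", "psk": "VPN@tunnel_123",
        "mode": "aggressive", "pfs": False,
        "phase1": {"encryption": "3des", "integrity": "md5", "dh_bits": 1024},
        "phase2": {"encryption": "3des", "integrity": "md5", "dh_bits": 1024}}

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("-", finding)
```

An empty list from `audit` means none of these checks fired; it does not cover the Key Life Time or the traffic selectors from steps 6 to 9.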