Virtual Private Networking
156
Warning
It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitted, since the IPSec encapsulation adds header overhead that can push full-size packets past the path MTU.
Configure a tunnel to connect to the headquarters office
To create an IPSec tunnel, click the IPSec link on the left side of the Web Management Console web administration pages and then click the Add New Tunnel tab at the top of the window. A window similar to the following will be displayed.
Figure 9-14 Tunnel settings page
Fill in the Tunnel name field with an apt description for the tunnel. The name must not contain spaces or start with a number. In this example, enter Headquarters.
Leave the Enable this tunnel checkbox checked.
Select the Internet port the IPSec tunnel is to go out on. The options will depend on what is currently configured on the CyberGuard SG appliance. For the vast majority of setups, this will be the default gateway interface to the Internet. In this example, select the default gateway interface option.
Note
You may want to select an interface other than the default gateway when you have configured aliased Internet interfaces and require the IPSec tunnel to run on an interface other than the default gateway.
Select the type of keying the tunnel will use. The CyberGuard SG appliance supports the following types of keying:
Main mode with Automatic Keying (IKE) automatically exchanges encryption and authentication keys and protects the identities of the parties attempting to establish the tunnel.
Aggressive mode with Automatic Keying (IKE) automatically exchanges encryption and authentication keys and uses fewer messages in the exchange when compared to Main mode. Aggressive mode is typically used to allow parties that are configured with a dynamic IP address and a preshared secret to connect, or if the CyberGuard SG appliance or the remote party is behind a NAT device. Because Aggressive mode sends the identities and the authentication hash before the exchange is encrypted, anyone able to observe the exchange can test guesses of a preshared secret offline against that hash, so a tunnel that uses Aggressive mode with a preshared secret needs a long, random secret.
Manual Keying requires the encryption and authentication keys to be specified.
In this example, select the Aggressive mode with Automatic Keying option.
Select the type of IPSec endpoint the remote party has. The remote endpoint can have a static IP address, dynamic IP address or a DNS hostname address. In this example, select the static IP address option.
Select the type of authentication the tunnel will use. The CyberGuard SG appliance supports the following types of authentication:
Preshared Secret is a common secret (passphrase) that is shared between the CyberGuard SG appliance and the remote party.
RSA Digital Signatures uses a public/private RSA key pair for authentication. The CyberGuard SG appliance can generate these key pairs. The public keys need to be exchanged between the CyberGuard SG appliance and the remote party in order to configure the tunnel.
X.509 Certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate. The CA must have signed the local certificates that are used for tunnel authentication. Certificates need to be uploaded to the CyberGuard SG appliance before a tunnel can be configured to use them (see Certificate Management).
Manual Keys establishes the tunnel using predetermined encryption and authentication keys.
In this example, select the Preshared Secret option.
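The following is an added example, not code from the manual or from CyberGuard, showing why the Aggressive mode and Preshared Secret choices above need a strong secret. It reproduces the IKEv1 responder hash from RFC 2409 (SKEYID = prf(preshared-key, Ni | Nr) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with HMAC-SHA1 as the prf) and then runs an offline dictionary attack against it using only the values a passive observer sees in the clear in Aggressive mode messages 1 and 2. All cookies, nonces, SA payload bytes, identity bytes and the "Diffie-Hellman public values" are constructed placeholders for this example; no real DH computation or packet capture is involved.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """The IKEv1 prf when SHA-1 is the negotiated hash: HMAC-SHA1 (RFC 2409, section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class AggressiveModePublic:
    """Everything a passive observer sees in the clear in Aggressive Mode messages 1 and 2.
    The byte strings built in constructed_exchange() are placeholders, not a real capture."""
    cky_i: bytes   # initiator cookie
    cky_r: bytes   # responder cookie
    sai_b: bytes   # body of the initiator's SA payload
    g_xi: bytes    # initiator's Diffie-Hellman public value (placeholder bytes here)
    g_xr: bytes    # responder's Diffie-Hellman public value (placeholder bytes here)
    ni: bytes      # initiator nonce
    nr: bytes      # responder nonce
    idir_b: bytes  # body of the responder's ID payload (the responder's endpoint ID)


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409, section 5.4: with preshared keys, SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_r(psk: bytes, pub: AggressiveModePublic) -> bytes:
    """RFC 2409, section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    In Aggressive Mode the responder sends this in message 2, before any encryption is in place."""
    skeyid = skeyid_psk(psk, pub.ni, pub.nr)
    return prf(skeyid, pub.g_xr + pub.g_xi + pub.cky_r + pub.cky_i + pub.sai_b + pub.idir_b)


def constructed_exchange() -> AggressiveModePublic:
    """Constructed public values standing in for what messages 1 and 2 would carry."""
    return AggressiveModePublic(
        cky_i=bytes.fromhex("8a1f3c5d2e7b9a04"),
        cky_r=bytes.fromhex("c0ffee1234567890"),
        sai_b=bytes.fromhex("00000001000000010000002c01010001"),
        g_xi=hashlib.sha256(b"constructed initiator DH value").digest(),
        g_xr=hashlib.sha256(b"constructed responder DH value").digest(),
        ni=bytes.fromhex("11" * 20),
        nr=bytes.fromhex("22" * 20),
        # ID_USER_FQDN (type 3) style body carrying a user@fqdn endpoint ID
        idir_b=b"\x03\x00\x00\x00" + b"headquarters@office",
    )


def recover_psk(pub: AggressiveModePublic, observed_hash_r: bytes,
                wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R for each candidate secret and compare it
    with the value observed on the wire. Nothing is sent to either peer, so neither side
    can notice or rate-limit the guessing."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, pub), observed_hash_r):
            return candidate
    return None


# Constructed wordlist for the example.
WORDLIST = [b"letmein", b"Headquarters", b"summer2005", b"branch@office"]

if __name__ == "__main__":
    pub = constructed_exchange()
    weak = hash_r(b"summer2005", pub)  # what a responder with a guessable secret sends
    print("weak PSK recovered:", recover_psk(pub, weak, WORDLIST))
    strong = hash_r(b"v7$Lq2!pXr9&eK4m", pub)  # a secret not in any wordlist
    print("strong PSK recovered:", recover_psk(pub, strong, WORDLIST))
```

The same HASH_R is computed in Main mode, but there it is sent in messages 5 and 6 under encryption keyed from the Diffie-Hellman shared secret, so a passive observer cannot check guesses against it; that is the identity protection the keying list above refers to. When Aggressive mode is the only option that fits the deployment (dynamic address plus preshared secret), the secret itself is the only thing standing between a captured exchange and the tunnel, which is why it must be long and random rather than a word or a site name.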
Select the type of private network that is behind the CyberGuard SG appliance. The following types of networks are supported:
Single network is selected when a single subnet resides behind the CyberGuard SG appliance that the remote party will have access to.
Multiple networks is selected when multiple subnets reside behind the CyberGuard SG appliance that the remote party will have access to.
Masqueraded network is selected when all traffic behind the CyberGuard SG appliance is seen as originating from its Internet IP address by the remote party. The remote party will not have any access to the network behind the CyberGuard SG appliance.
In this example, select the single network behind this appliance option.
Select whether the remote party is a single host or whether it is a gateway that has a single network or multiple networks behind it. In this example, select the single network behind a gateway option.
Select in which way the tunnel should be utilized to route traffic. The CyberGuard SG appliance can support the following types of routing:
Be a route to the remote party is selected when the tunnel sets up a route to the remote party's subnet(s).
Be this appliance's default gateway for all traffic is selected when the tunnel will be the default gateway for all traffic to the remote party.
Be the remote party's default gateway for all traffic is selected when the tunnel will be the default gateway for all traffic from the remote party.
In this example, select the be a route to the remote party option.
Click the Continue button to configure the Local Endpoint Settings.
Figure 9-15 Local endpoint settings
Leave the Initiate the tunnel from this end checkbox checked.
Note
This option will not be available when the CyberGuard SG appliance has a static IP address and the remote party has a dynamic IP address.
Enter the Required Endpoint ID of the CyberGuard SG appliance. This ID is used to authenticate the CyberGuard SG appliance to the remote party. It is required because the CyberGuard SG appliance in this example has a dynamic IP address. This field will also be required if RSA Digital Signatures are used for authentication. It becomes optional if the CyberGuard SG appliance has a static IP address and is using Preshared Secrets for authentication; if it is optional and the field is left blank, the Endpoint ID defaults to the static IP address. If the remote party is a CyberGuard SG appliance, the ID must have the form abcd@efgh. If the remote party is not a CyberGuard SG appliance, refer to the interoperability documents on the CyberGuard SG Knowledge Base to determine what form it must take. In this example, enter: branch@office
Leave the Enable IP Payload Compression checkbox unchecked. If compression is selected, IPComp compression is applied before encryption.
Check the Enable Dead Peer Detection checkbox. This allows the tunnel to be restarted if the remote party stops responding. This option is only used if the remote party supports Dead Peer Detection. It operates by sending notifications and waiting for acknowledgements.
Enter the Delay and Timeout values for Dead Peer Detection. The default times for the delay and timeout options are 9 and 30 seconds respectively. This means that a Dead Peer Detection notification will be sent every 9 seconds (Delay) and if no response is received in 30 seconds (Timeout) then the CyberGuard SG appliance will attempt to restart the tunnel. In this example, leave the delay and timeout at their default values.
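The Delay and Timeout interaction described above, as an added example that is not the appliance's own code: a small simulation of the notification and acknowledgement timers on a simulated clock, driven by a peer that stops answering at a chosen moment. It simplifies real Dead Peer Detection (RFC 3706) in two ways that are assumptions of the model rather than statements about the appliance: only an acknowledgement counts as proof of liveness (a real implementation also treats received traffic as proof and sends notifications only while the tunnel is idle), and a restart is modelled as simply resetting both timers.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DeadPeerDetector:
    """Models the Delay / Timeout timers of Dead Peer Detection.

    Every `delay` seconds a liveness notification (R_U_THERE) is sent; an answering
    peer returns an acknowledgement (R_U_THERE_ACK) which counts as proof of life.
    If `timeout` seconds pass with no proof, the tunnel is restarted. Times are
    integer seconds on a simulated clock, so the model runs offline."""
    delay: int = 9          # seconds between notifications (manual default)
    timeout: int = 30       # seconds without an acknowledgement before restart (manual default)
    last_proof: int = 0     # last time the peer proved it was alive
    last_sent: int = 0      # last time a notification was sent
    notifications_sent: int = 0
    restarts: List[int] = field(default_factory=list)  # times at which the tunnel was restarted

    def tick(self, now: int, peer_acks: bool) -> Optional[str]:
        """Advance the clock to `now`. `peer_acks` says whether the peer would answer a
        notification sent at this instant. Returns "restart" when a restart is triggered."""
        if now - self.last_sent >= self.delay:
            self.last_sent = now
            self.notifications_sent += 1
            if peer_acks:
                self.last_proof = now       # acknowledgement received: peer is alive
        if now - self.last_proof >= self.timeout:
            self.restarts.append(now)
            self.last_proof = now           # the new tunnel starts with a fresh clock
            self.last_sent = now
            return "restart"
        return None


def simulate(delay: int, timeout: int, peer_alive_until: int, duration: int) -> List[int]:
    """Run the detector for `duration` seconds against a peer that answers notifications
    only before second `peer_alive_until`. Returns the list of restart times."""
    dpd = DeadPeerDetector(delay=delay, timeout=timeout)
    for now in range(1, duration + 1):
        dpd.tick(now, peer_acks=now < peer_alive_until)
    return dpd.restarts


if __name__ == "__main__":
    # Constructed scenario: defaults of 9 / 30, peer goes silent at second 50.
    print("restarts with peer dying at t=50:", simulate(9, 30, 50, 120))
    print("restarts with a healthy peer:", simulate(9, 30, 10_000, 120))
```

With the defaults the trace shows what the two numbers buy: the last acknowledgement arrives at second 45, the notifications at 54, 63 and 72 go unanswered, and the restart fires at 75, thirty seconds after the last proof of life. Three consecutive lost notifications are tolerated before the tunnel is torn down, so a Timeout that is only one Delay long would restart the tunnel on a single dropped packet, while a very long Timeout delays recovery after a genuine outage by the same amount.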
Leave the Enable Phase 1 & 2 rekeying to be initiated from my end checkbox checked. This enables automatic renegotiation of the tunnel when the keys are about to expire.
Click the Continue button to configure the Remote Endpoint Settings.