Virtual Private Networking
Other options
The following options will become available on this page depending on what has been configured previously:

The next IP address on the interface the tunnel is to go on field is the next gateway IP address or nexthop along the previously selected IPSec interface. This field will become available if an interface other than the default gateway was selected for the tunnel to go out on.
SPI Number field is the Security Parameters Index. It is a hexadecimal value and must be unique. It is used to establish and uniquely identify the tunnel. The SPI is used to determine which key is used to encrypt and decrypt the packets. It must be of the form 0xhex, where hex is one or more hexadecimal digits and be in the range of 0x100-0xfff. This field appears when Manual Keying has been selected.
Authentication Key field is the ESP Authentication Key. It must be of the form 0xhex, where hex is one or more hexadecimal digits. The hex part must be exactly 32 characters long when using MD5 or 40 characters long when using SHA1 (excluding any underscore characters). This field appears when Manual Keying has been selected.

Encryption Key field is the ESP Encryption Key. It must be of the form 0xhex, where hex is one or more hexadecimal digits. The hex part must be exactly 16 characters long when using DES or 48 characters long when using 3DES (excluding any underscore characters). This field appears when Manual Keying has been selected.

Cipher and Hash pull down menu contains the ESP encryption/authentication algorithms that can be used for the tunnel. The option selected must correspond to the encryption and authentication keys used. This pull down menu appears when Manual Keying has been selected. The options include the following:
o 3des-md5-96 uses the encryption transform following the Triple-DES standard in Cipher-Block-Chaining mode with authentication provided by HMAC and MD5 (96-bit authenticator). It uses a 192-bit 3DES encryption key and a 128-bit HMAC-MD5 authentication key.
o 3des-sha1-96 uses the encryption transform following the Triple-DES standard in Cipher-Block-Chaining mode with authentication provided by HMAC and SHA1 (96-bit authenticator). It uses a 192-bit 3DES encryption key and a 160-bit HMAC-SHA1 authentication key.
o des-md5-96 uses the encryption transform following the DES standard in Cipher-Block-Chaining mode with authentication provided by HMAC and MD5 (96-bit authenticator). It uses a 56-bit DES encryption key and a 128-bit HMAC-MD5 authentication key.
o des-sha1-96 uses the encryption transform following the DES standard in Cipher-Block-Chaining mode with authentication provided by HMAC and SHA1 (96-bit authenticator). It uses a 56-bit DES encryption key and a 160-bit HMAC-SHA1 authentication key.
Local Network field is the network behind the local CyberGuard SG appliance. This field appears when Manual Keying has been selected.
Figure 9-16
Enter the Internet IP address of the remote party in The remote party's IP address field. In this example, enter: 209.0.0.1

The Endpoint ID is used to authenticate the remote party to the CyberGuard SG appliance. The remote party's ID is optional if it has a static IP address and uses Preshared Secrets for authentication. It becomes a required field if the remote party has a dynamic IP or DNS hostname address or if RSA Digital Key Signatures are used for authentication. It is optional in this example, because the remote party has a static IP address. If the remote party is a CyberGuard SG appliance, it must have the form abcd@efgh. If the remote party is not a CyberGuard SG appliance, refer to the interoperability documents on the CyberGuard SG Knowledge Base ( ) to determine what form it must take. In this example leave the field blank.

Click the Continue button to configure the Phase 1 Settings.
Other options
The following options will become available on this page depending on what has been configured previously:

The remote party's DNS hostname address field is the DNS hostname address of the Internet interface of the remote party. This option will become available if the remote party has been configured to have a DNS hostname address.

Distinguished Name field is the list of attribute/value pairs contained in the certificate.
The list of attributes supported are as follows:
C       Country
ST      State or province
L       Locality or town
O       Organization
OU      Organizational Unit
CN      Common Name
N       Name
G       Given name
S       Surname
I       Initials
T       Personal title
E       E-mail
Email   E-mail
SN      Serial number
D       Description
TCGID   [Siemens] Trust Center Global ID
The attribute/value pairs must be of the form attribute=value and be separated by commas. For example: C=US, ST=Illinois, L=Chicago, O=CyberGuard, OU=Sales, CN=SG550. It must match exactly the Distinguished Name of the remote party's local certificate to successfully authenticate the tunnel. This field appears when x.509 Certificates has been selected.
Generate an RSA key of pull down menu allows the length of the CyberGuard SG appliance generated RSA public/private key pair to be specified. The options include 512, 1024, 1536 and 2048 bits. The greater the key pair length, the longer the time required to generate the keys. It may take up to 20 minutes for a 2048 bit RSA key to be generated. This option appears when RSA Digital Key Signatures has been selected.
SPI Number field is the Security Parameters Index. However, this applies to the remote party. It is a hexadecimal value and must be unique. It is used to establish and uniquely identify the tunnel. It must be of the form 0xhex, where hex is one or more hexadecimal digits and be in the range of 0x100-0xfff. This field appears when Manual Keying has been selected.

Authentication Key field is the ESP Authentication Key. However, this applies to the remote party. It must be of the form 0xhex, where hex is one or more hexadecimal digits. The hex part must be exactly 32 characters long when using MD5 or 40 characters long when using SHA1 (excluding any underscore characters). It must use the same hash as the CyberGuard SG appliance's authentication key. This field appears when Manual Keying has been selected.

Encryption Key field is the ESP Encryption Key. However, this applies to the remote party. It must be of the form 0xhex, where hex is one or more hexadecimal digits. The hex part must be exactly 16 characters long when using DES or 48 characters long when using 3DES (excluding any underscore characters). It must use the same cipher as the CyberGuard SG appliance's encryption key. This field appears when Manual Keying has been selected.

Remote Network is the network behind the remote party. This field appears when Manual Keying has been selected.
Phase 1 settings
Figure 9-17
Set the length of time before Phase 1 is renegotiated in the Key lifetime (m) field. The length may vary between 1 and 1440 minutes. Shorter values offer higher security at the expense of the computational overhead required to calculate new keys. For most applications 60 minutes is recommended. In this example, leave the Key Lifetime as the default value of 60 minutes.

A new Phase 1 key can be renegotiated before the current one expires. The time for when this new key is negotiated before the current key expires can be set in the Rekeymargin field. In this example, leave the Rekeymargin as the default value of 10 minutes.
The Rekeyfuzz value refers to the maximum percentage by which the Rekeymargin should be randomly increased to randomize rekeying intervals. The Key lifetimes for both Phase 1 and Phase 2 are dependent on these values and must be greater than the value of "Rekeymargin x (100 + Rekeyfuzz) / 100". In this example, leave the Rekeyfuzz as the default value of 100%.
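The relationship between Key lifetime, Rekeymargin and Rekeyfuzz is easy to get wrong when tightening lifetimes for higher security. The following Python check is an added example rather than appliance code: it applies the constraint quoted above to a proposed set of Phase 1 values and derives the window in which renegotiation can begin, taking the text's description (the margin is randomly increased by up to Rekeyfuzz percent) as the basis for that window.

```python
def max_rekey_margin(rekeymargin_min, rekeyfuzz_pct):
    """Largest lead time before expiry at which renegotiation may start, i.e.
    Rekeymargin x (100 + Rekeyfuzz) / 100 from the page, in minutes."""
    return rekeymargin_min * (100 + rekeyfuzz_pct) / 100


def check_phase1_timing(key_lifetime_min, rekeymargin_min, rekeyfuzz_pct):
    """Return a list of problems with the proposed settings (empty list = acceptable)."""
    problems = []
    if not 1 <= key_lifetime_min <= 1440:
        problems.append("Key lifetime must be between 1 and 1440 minutes")
    if rekeymargin_min <= 0 or rekeyfuzz_pct < 0:
        problems.append("Rekeymargin must be positive and Rekeyfuzz must not be negative")
        return problems
    limit = max_rekey_margin(rekeymargin_min, rekeyfuzz_pct)
    if key_lifetime_min <= limit:
        problems.append(
            f"Key lifetime {key_lifetime_min} min must be greater than "
            f"Rekeymargin x (100 + Rekeyfuzz) / 100 = {limit:g} min")
    return problems


def rekey_window(key_lifetime_min, rekeymargin_min, rekeyfuzz_pct):
    """(earliest, latest) minutes after the key was established at which a new
    Phase 1 key starts being negotiated: with no fuzz, Rekeymargin before expiry;
    with maximum fuzz, Rekeymargin x (100 + Rekeyfuzz) / 100 before expiry."""
    earliest = key_lifetime_min - max_rekey_margin(rekeymargin_min, rekeyfuzz_pct)
    latest = key_lifetime_min - rekeymargin_min
    return earliest, latest


def summarize(key_lifetime_min, rekeymargin_min, rekeyfuzz_pct):
    """One-line summary for a settings review (constructed wording, not appliance output)."""
    problems = check_phase1_timing(key_lifetime_min, rekeymargin_min, rekeyfuzz_pct)
    if problems:
        return "REJECT: " + "; ".join(problems)
    earliest, latest = rekey_window(key_lifetime_min, rekeymargin_min, rekeyfuzz_pct)
    return f"OK: rekey begins between {earliest:g} and {latest:g} min into the {key_lifetime_min} min lifetime"
```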
Enter a secret in the Preshared Secret field. Keep a record of this secret as it will be used to configure the remote party's secret. In this example, enter: This secret must be kept confidential.
