Virtual Private Networking
Warning
The secret must be entered identically at each end of the tunnel. The tunnel will fail to connect if the secret is not identical at both ends. The secret is a highly sensitive piece of information. It is essential to keep this information confidential. Communications over the IPSec tunnel may be compromised if this information is divulged.
Select a Phase 1 Proposal. Any combination of the ciphers, hashes and Diffie Hellman groups that the CyberGuard SG appliance supports can be selected. The supported ciphers are DES (56 bits), 3DES (168 bits) and AES (128, 196 and 256 bits). The supported hashes are MD5 and SHA, and the supported Diffie Hellman groups are 1 (768 bit), 2 (1024 bit) and 5 (1536 bits). The CyberGuard SG appliance also supports extensions to the Diffie Hellman groups to include 2048, 3072 and 4096 bit Oakley groups. In this example, select the 3DES-SHA-Diffie Hellman Group 2 (1024 bit) option.

Click the Continue button to configure the Phase 2 Settings.
Other options
The following options will become available on this page depending on what has been configured previously:

The Local Public Key field is the public part of the RSA key generated for RSA Digital Signatures authentication. This field is automatically populated and does not need to be modified unless a different RSA key is to be used. This key must be entered in the Remote Public Key field of the remote party's tunnel configuration. This field appears when RSA Digital Signatures has been selected.

The Remote Public Key field is the public part of the remote party's RSA key generated for RSA Digital Signatures authentication. This field must be populated with the remote party's public RSA key. This field appears when RSA Digital Signatures has been selected.

The Modulus, Public Exponent, Private Exponent, Prime1, Prime2, Exponent1, Exponent2 and Coefficient fields constitute the private part of the RSA key. These fields are automatically populated and do not need to be modified unless a different RSA key is to be used. These fields appear when RSA Digital Signatures has been selected.

The Local Certificate pull down menu contains a list of the local certificates that have been uploaded for x.509 authentication. Select the required certificate to be used to negotiate the tunnel. This field appears when x.509 Certificates has been selected.
Figure 9-18 Phase 2 settings page
Set the length of time before Phase 2 is renegotiated in the Key lifetime (m) field. The length may vary between 1 and 1440 minutes. For most applications 60 minutes is recommended. In this example, leave the Key Lifetime as the default value of 60 minutes.

Select a Phase 2 Proposal. Any combination of the ciphers, hashes and Diffie Hellman groups that the CyberGuard SG appliance supports can be selected. The supported ciphers are DES, 3DES and AES (128, 196 and 256 bits). The supported hashes are MD5 and SHA, and the supported Diffie Hellman groups are 1 (768 bit), 2 (1024 bit) and 5 (1536 bits). The CyberGuard SG appliance also supports extensions to the Diffie Hellman groups to include 2048, 3072 and 4096 bit Oakley groups. Perfect Forward Secrecy is enabled if a Diffie Hellman group or an extension is chosen. Phase 2 also has the option of not selecting a Diffie Hellman Group, in which case Perfect Forward Secrecy is not enabled. Perfect Forward Secrecy of keys provides greater security and is the recommended setting. In this example, select the 3DES-SHA-Diffie Hellman Group 2 (1024 bit) option.

Define the Local Network behind the CyberGuard SG appliance that is to have access through the tunnel. In this example, enter 192.168.2.0 / 255.255.255.0 in the field.

Define the Remote Network behind the remote party that is to have access through the tunnel. In this example, enter 192.168.1.0 / 255.255.255.0 in the field.

Click the Apply button to save the tunnel configuration.
Other options
The following options will become available on this page depending on what has been configured previously:

A separate section may appear to enter multiple Local Networks or Remote Networks or both. In the case where both local and remote parties have been configured to have multiple subnets behind them, a window similar to the following will be displayed.
Figure 9-19
In the Subnet Settings section, a local and remote network combination can be added one at a time by entering subnets into the Add Local Network and Add Remote Network fields and then clicking Apply. Configured local and remote network combinations can be deleted by clicking the Delete checkbox for the appropriate combination and then clicking Apply. Once the required networks have been added, configure the Phase 2 Settings section.
Configuring the Headquarters
Enabling IPSec
Click the IPSec link on the left side of the Web Management Console web administration pages.
Check the Enable IPSec checkbox.

Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet interface. In this example, select static IP address.

Leave the Set the IPSec MTU to be checkbox unchecked.

Click the Apply button to save the changes.
Configuring a tunnel to accept connections from the branch office
To create an IPSec tunnel, click the IPSec link on the left side of the Web Management Console web administration pages, then click the Add New Tunnel tab at the top of the window. Many of the settings, such as the Preshared Secret, Phase 1 and 2 Proposals and Key Lifetimes, will be the same as the branch office.
Tunnel settings page
Fill in the Tunnel name field with an apt description of the tunnel. The name must not contain spaces or start with a number. In this example, enter: Branch_Office

Leave the Enable this tunnel checkbox checked.

Select the Internet interface the IPSec tunnel is to go out on. In this example, select the default gateway interface option.

Select the type of keying the tunnel will use. In this example, select the Aggressive mode with Automatic Keying (IKE) option.

Select the type of IPSec endpoint the remote party has. In this example, select the dynamic IP address option.

Select the type of authentication the tunnel will use. In this example, select the Preshared Secret option.

Select the type of private network that is behind the CyberGuard SG appliance. In this example the Headquarters has a single network, so select the single network behind this appliance option.

Select whether the remote party is a single host or whether it is a gateway that has a single or multiple networks behind it. In this example the Branch Office has a single network, so select the single network behind a gateway option.
Select the type of routing the tunnel will be used as. In this example, select the be a route to the remote party option.

Click the Continue button to configure the Local Endpoint Settings.
Local endpoint settings page
Leave the Optional Endpoint ID field blank in this example. It is optional because the CyberGuard SG appliance has a static IP address. If the remote party is a CyberGuard SG appliance and an Endpoint ID is used, it must have the form abcd@efgh. If the remote party is not a CyberGuard SG appliance, refer to the interoperability documents on the CyberGuard SG Knowledge Base to determine what form it must take.

Leave the Enable IP Payload Compression checkbox unchecked.

Leave the Enable Phase 1 & 2 rekeying to be initiated from my end checkbox checked.

Click the Continue button to configure the Remote Endpoint Settings.
Remote endpoint settings page
Enter the Required Endpoint ID of the remote party. In this example, enter the Local Endpoint ID at the Branch Office, which was: branch@office

Click the Continue button to configure the Phase 1 Settings.
Phase 1 settings page
Set the length of time before Phase 1 is renegotiated in the Key lifetime (m) field. In this example, leave the Key Lifetime as the default value of 60 minutes.

Set the time for when the new key is negotiated before the current key expires in the Rekeymargin field. In this example, leave the Rekeymargin as the default value of 10 minutes.

Set the maximum percentage by which the Rekeymargin should be randomly increased to randomize rekeying intervals in the Rekeyfuzz field. The Key lifetimes for both Phase 1 and Phase 2 depend on these values and must be greater than the value of Rekeymargin x (100 + Rekeyfuzz) / 100. In this example, leave the Rekeyfuzz as the default value of 100%.
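The relationship between Key lifetime, Rekeymargin and Rekeyfuzz is easy to get wrong when the defaults are changed. The following is an added example, not code from the CyberGuard SG manual or appliance: it applies the rule stated above to a set of proposed values, reports the window in which a rekey can start, and rejects settings that would place that window before the key even exists. The function and field names are my own; the 1 to 1440 minute range is the one the manual gives for Phase 2 and is assumed here for Phase 1 as well.

```python
from dataclasses import dataclass


@dataclass
class RekeySettings:
    """Proposed values for one phase of the tunnel (names are my own)."""
    key_lifetime_min: float   # Key lifetime (m)
    rekeymargin_min: float    # Rekeymargin: minutes before expiry a new key is negotiated
    rekeyfuzz_pct: float      # Rekeyfuzz: max % by which the margin is randomly increased


def max_effective_margin(s: RekeySettings) -> float:
    """Largest margin after fuzzing: Rekeymargin x (100 + Rekeyfuzz) / 100."""
    return s.rekeymargin_min * (100 + s.rekeyfuzz_pct) / 100


def rekey_window(s: RekeySettings) -> tuple:
    """Earliest and latest minute (counted from key creation) at which the
    appliance would initiate a rekey. Fuzz only ever lengthens the margin,
    so the latest start is lifetime - margin and the earliest is
    lifetime - fuzzed margin."""
    return (s.key_lifetime_min - max_effective_margin(s),
            s.key_lifetime_min - s.rekeymargin_min)


def validate(s: RekeySettings) -> list:
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    # Range stated in the manual for Phase 2; assumed to apply to Phase 1 too.
    if not 1 <= s.key_lifetime_min <= 1440:
        problems.append("Key lifetime must be between 1 and 1440 minutes")
    if s.rekeymargin_min <= 0:
        problems.append("Rekeymargin must be a positive number of minutes")
    if s.rekeyfuzz_pct < 0:
        problems.append("Rekeyfuzz must not be negative")
    # The rule from the manual: lifetime > Rekeymargin x (100 + Rekeyfuzz) / 100.
    # If it fails, the earliest rekey time is at or before the key's creation.
    if s.key_lifetime_min <= max_effective_margin(s):
        problems.append(
            "Key lifetime %g must exceed Rekeymargin x (100 + Rekeyfuzz) / 100 = %g"
            % (s.key_lifetime_min, max_effective_margin(s)))
    return problems


if __name__ == "__main__":
    defaults = RekeySettings(60, 10, 100)     # the values used in this example
    print(rekey_window(defaults), validate(defaults))
    print(validate(RekeySettings(15, 10, 100)))  # lifetime too short for the fuzzed margin
```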