Page 81 / 123 Scroll up to view Page 76 - 80
TW100-BRV304 User Guide
78
IKE Phase 1
If you selected
IKE
, the following screen is displayed after the
Traffic Selector
screen.
Figure 52: VPN Wizard - IKE Phase 1
Direction
Select the desired option:
Initiator
- Only outgoing connections will be created. Incoming
connection attempts will be rejected.
Responder
- Only incoming connections will be accepted.
Outgoing traffic which would otherwise result in a connection
will be ignored.
Both Directions
- Both incoming and outgoing connections are
allowed.
Local Identity
This setting must match the "Remote Identity" on the remote VPN.
IP address
is the more common method.
Remote Identity
This setting must match the "Local Identity" on the remote VPN.
IP address
is the more common method.
Authentication
RSA Signature
requires that both VPN endpoints have valid
Certificates issued by a CA (Certification Authority).
For
Pre-shared key
, enter the same key value in both endpoints.
The key should be at least 8 characters (maximum is 128 charac-
ters). Note that this key is used for the IKE SA only. The keys
used for the IPsec SA are automatically generated.
Encryption
Select the desired method, and ensure the remote VPN endpoint uses
the same method.
The "3DES" algorithm provides greater security
than "DES", but is slower.
IKE Exchange
Mode
Select the desired option, and ensure the remote VPN endpoint uses
the same mode. Main Mode provides identity protection for the hosts
initiating the IPSec session, but takes slightly longer to complete.
Aggressive Mode provides no identity protection, but is quicker.
Page 82 / 123
VPN
79
IKE SA Life Time
This setting does not have to match the remote VPN endpoint; the
shorter time will be used. Although measured in seconds, it is com-
mon to use time periods of several hours, such 28,800 seconds.
DH Group
Select the desired method, and ensure the remote VPN endpoint uses
the same method. The smaller bit size is slightly faster.
IKE PFS
If enabled, PFS (Perfect Forward Security) enhances security by
changing the IPsec key at regular intervals, and ensuring that each
key has no relationship to the previous key. Thus, breaking 1 key
will not assist in breaking the next key.
This setting should match the remote endpoint.
Click
Next
to see the following IKE Phase 2 screen.
Figure 53: VPN Wizard - IKE Phase 2
IPsec SA Life Time
This setting does not have to match the remote VPN endpoint; the
shorter time will be used. Although measured in seconds, it is
common to use time periods of several hours, such 28,800 seconds.
IPSec PFS
If enabled, PFS (Perfect Forward Security) enhances security by
changing the IPsec key at regular intervals, and ensuring that each
key has no relationship to the previous key. Thus, breaking 1 key
will not assist in breaking the next key.
AH Authentication
AH (Authentication Header) specifies the authentication protocol
for the VPN header, if used.
AH is often NOT used. If you do enable it, ensure the algorithm
selected matches the other VPN endpoint.
Page 83 / 123
TW100-BRV304 User Guide
80
ESP Encryption
ESP (Encapsulating Security Payload) provides security for the
payload (data) sent through the VPN tunnel. Generally, you will
want to enable both ESP Encryption and ESP Authentication.
Select the desired method, and ensure the remote VPN endpoint
uses the same method. The "3DES" algorithm provides greater
security than "DES", but is slower.
ESP Authentication
Generally, you should enable ESP Authentication. There is little
difference between the available algorithms. Just ensure each
endpoint use the same setting.
For IKE, configuration is now complete.
Click "Next" to view the final screen.
On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard.
Page 84 / 123
VPN
81
Examples
This section describes some examples of using the TW100-BRV304 in common VPN situa-
tions.
Example 1: Connecting 2 TW100-BRV304s
In this example, 2 LANs are connected via VPN.
Figure 54: Connecting 2 TW100-BRV304s
Note
The LANs MUST use different IP address ranges.
Both endpoints have fixed WAN (Internet) IP addresses.
Configuration Settings
Name
Policy 1
Policy 1
Name does not affect
operation. Select a mean-
ingful name.
Remote Endpoint
205.17.11.43
202.11.13.211
Other endpoint's WAN
(Internet) IP address.
Local
IP addresses
Any
Any
Use a more restrictive
definition if possible.
Remote
IP addresses
192.168.1.1 to
192.168.1.254
192.168.0.1 to
192.168.0.254
Address range on other
endpoint.
Use a more restrictive
definition if possible.
Key Exchange
IKE
IKE
Must match
IKE Direction
Both ways
Both ways
Does not have to match.
Either endpoint can block
1 direction.
Local Identity
IP address
IP address
IP address is the most
common ID method
Remote Identity
IP address
IP address
IP address is the most
common ID method
IKE Authentication
Pre-shared Key
Pre-shared Key
Certificates are not widely
Page 85 / 123
TW100-BRV304 User Guide
82
method
used.
Pre-shared Key
Xxxxxxxxxx
Xxxxxxxxxx
Must match
IKE Authentication
algorithm
MD5
MD5
Must match
IKE Encryption
DES
DES
Must match
IKE Exchange
mode
Main Mode
Main Mode
Must match
DH Group
Group 1 (768 bit)
Group 1 (768 bit)
Must match
IKE SA Life time
28800
28800
Does not have to match.
Shorter period will be
used.
IKE PFS
Disable
Disable
Must match
IPSec SA Life time
28800
28800
Does not have to match.
Shorter period will be
used.
IPSec PFS
Disabled
Disabled
Must match
AH authentication
Disabled
Disabled
AH is rarely used
ESP authentication
Enable/MD5
Enable/MD5
Must match
ESP encryption
Enable/DES
Enable/DES
Must match

Rate

4.5 / 5 based on 2 votes.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top