Zoom 4402 Router Manual PDF (Setup & Configuration Guide)

Page 91 / 108 Scroll up to view Page 86 - 90

Table 32. IPSec Menu Option

Option

Description

Tunnel

This is a pull-down list of VPN Names defined below. Select the specific

VPN tunnel to configure.

Name

Enter a VPN name and click

Add New Tunnel

.

Local Endpoint

Settings

Configure the local network located at your cable modem/router’s AN

side.

Address Group Type

Define the local address type. Select IP Subnet to protect the whole

subnet; select Single IP address to protect a single PC or device; select IP

address range to protect several PCs, or devices.

Subnet

Enter the subnet scale for address group.

Mask

Enter the subnet mask for address group.

Identity Type

Select the type to identify the cable modem/router. The choices

are:WAN IP address, LAN IP address, FQDN (Fully Qualified Domain

Name) or Email address.

Identity

Enter the value corresponding to the selected identity type.

Remote Endpoint

Settings

Record the parameters of the network on which the peer VPN is located.

Address Group Type

Define the local address type. Select IP Subnet to protect the whole

subnet; select Single IP address to protect a single PC; select IP address

range to protect several PCs.

Subnet

Enter the subnet for address group.

Mask

Enter the subnet mask for address group.

Identity Type

Select the type to identify the cable modem/router. The choices are

WAN IP address, IP address, FQDN or Email address.

Identity

Enter the value corresponding to the selected identity type.

Network Address Type

Enter the IP address or domain name of the peer VPN cable

modem/router. You can select IP address, which is typically suitable for

static public IP addresses or FQDN, which is typically suitable for

dynamic public IP address.

Remote Address

Enter IP address according to the

Network Address Type

.

IPSec Settings

Configure the IPSec protocol related parameters.

Pre-Shared Key

Enter a key (Pre-Shared key) for authentication.

91

Page 92 / 108

Phase 1DH Group

Select the Diffie-Hellman key group (DHx) you want to use for

encryption keys.

DH1: uses a 768-bit random number

DH2: uses a 1024-bit random number

DH5: uses a 1536-bit random number.

Phase 1 Encryption

Select the key size and encryption algorithm to use for data

communications.

DES: a 56-bit key with the DES encryption algorithm

3DES: a 168-bit key with the DES encryption algorithm. Both the cable

modem/router and the remote IPSec router must use the same

algorithms and key, which can be used to encrypt and decrypt the

message or to generate and verify a message authentication code. Longer

keys require more processing power, resulting in increased latency and

decreased throughput.

AES: AES (Advanced Encryption Standard) is a newer method of data

encryption that also uses a secret key. This implementation of AES

applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.

Here you have the choice of AES-128, AES-192 and AES-256.

Phase 1 Authentication

Select the hash algorithm used to authenticate packet data in the IKE SA.

SHA1: generally considered stronger than MD5, but it is also slower.

MD5 (Message Digest 5): produces a 128-bit digest to authenticate

packet data.

SHA1 (Secure Hash Algorithm): produces a 160-bit digest to

authenticate packet data.

Phase 1 SA Lifetime

In this field define the length of time before an IKE SA automatically

renegotiates. This value may range from 120 to 86400 seconds. A short

SA lifetime increases security by forcing the two VPN cable

modem/router’s to update the encryption and authentication keys.

However, every time the VPN tunnel renegotiates, all users accessing

remote resources are temporarily disconnected.

92

Page 93 / 108

Phase 2 Encryption

Select the key size and encryption algorithm to use for data

communications.

Null: No data encryption in IPSec SA. Not recommended.

DES: a 56-bit key with the DES encryption algorithm

3DES: a 168-bit key with the DES encryption algorithm. Both the cable

modem/router and the remote IPSec router must use the same

algorithms and key , which can be used to encrypt and decrypt the

message or to generate and verify a message authentication code. Longer

keys require more processing power, resulting in increased latency and

decreased throughput.

AES: Advanced Encryption Standard is a newer method of data

encryption that also uses a secret key. This implementation of AES

applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.

Here you have the choice of AES-128, AES-192 and AES-256.

Phase 2 Authentication

Select the hash algorithm used to authenticate packet data in the IKE SA.

SHA1 is generally considered stronger than MD5, but it is also slower.

Phase 2 SA Lifetime

In this field define the length of time before an IPSec SA automatically

renegotiates. This value may range from 120 to 86400 seconds.

Key Management

Select to use IKE (ISAKMP) or manual key configuration in order to set

up a VPN.

IKE Negotiation Mode

Select how Security Association (SA) will be established for each

connection through IKE negotiations.

Main Mode: ensures the highest level of security when the

communicating parties are negotiating authentication (phase 1).

Aggressive Mode: quicker than Main Mode because it eliminates several

steps when the communicating parties are negotiating authentication

(phase 1).

Perfect Forward

Secrecy (PFS)

Perfect Forward Secret (PFS) is disabled by default in phase 2 IPSec SA

setup. This allows faster IPSec setup, but is not as secure. You can select

DH1, DH2 or DH5 to enable PFS.

Phase 2 DH Group

Select DHx after enabling PFS.

Replay Detection

Select Enable to enable replay detection. As VPN setup is processing

intensive, the system is vulnerable to Denial of Service (DOS) attacks.

The IPSec receiver can detect and reject old or duplicate packets to

protect against replay attacks.

93

Page 94 / 108

NetBIOS Broadcast

Forwarding

Select Enable to send NetBIOS (Network Basic Input/Output System)

packets through the VPN connection. NetBIOS packets are TCP or

UDP packets that enable a computer to find other computers. It may

sometimes be necessary to allow NetBIOS packets to pass through VPN

tunnels in order to allow local computers to find computers on the

remote network and vice versa.

Dead Peer Detection

Select Enable to force the cable modem/router to periodically detect if

the remote IPSec cable modem/router is available or not.

Manual Encryption

Key

If Manual mode is selected in the Key Management field, enter a 16

hexadecimal digits manual encryption key for encryption.

Manual Authentication

Key

Enter a 32 hexadecimal digit unique authentication key to be used by

IPSec.

Inbound SPI

Enter a unique SPI (Security Parameter Index) for inbound SPI.

Outbound SPI

Enter a unique SPI (Security Parameter Index) for outbound SPI.

L2TP/PPTP

The L2TP/PPTP page allows you to configure server and security settings. The L2TP (Layer 2

Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol) both allow PPP frames to be

tunneled through the network. PPTP is a Microsoft proprietary protocol, which is very similar to

L2TP.

To access the

L2TP/PPTP

page:

1

Click

VPN

in the menu bar.

2

Then click the

L2TP/PPTP

submenu.

Figure 43 shows an example of the menu and Table 33 describes the items you can select.

94

Page 95 / 108

Figure 43. Example of L2TP/PPTP Page

95

Rate

Popular Zoom Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share