1. Home
  2. /
  3. Manuals
  4. /
  5. Zoom
  6. /
  7. 5354
  8. /
  9. 24
Page 116 / 143 Scroll up to view Page 111 - 115
116
Figure 38. Example of Basic Page
Table 33. Basic Menu Option
Option
Description
L2TP Server
Select Enable to enable L2TP (Layer 2 Tunneling Protocol) server.
PPTP Server
Select Enable to enable PPTP (Point-to-Point Tunneling Protocol)
server.
Configure
Select
Configure
to set up L2TP or PPTP.
IPSec Endpoint
Select Enable to enable IPSec endpoint.
IPSec
The IPSec page allows you to configure IPSec tunnel and endpoint settings. A VPN
tunnel is usually established in two phases. Each phase establishes a security
association (SA), a contract indicating what security parameters Cable Modem/Router
and the remote IPSec Cable Modem/Router will use.
The
first phase
establishes an Internet Key Exchange (IKE) SA between the
Cable Modem/Router and the remote IPSec Cable Modem/Router.
The
second phase
uses the IKE SA to securely establish an IPSec SA through
which the Cable Modem/Router and remote IPSec Cable Modem/Router can
send data between computers on the local network and remote network.
Before IPSec VPN configuration, try to familiarize yourself with terms like IPSec
Algorithms, Authentication Header and ESP protocol.
Page 117 / 143
117
IPSec Algorithms
The ESP and AH protocols are necessary to create a Security Association (SA), the
foundation of an IPSec VPN. An SA is built from the authentication provided by the AH
and ESP protocols. The primary function of key management is to establish and maintain
the SA between systems. Once the SA is established, the transport of data may
commence.
AH (Authentication Header) Protocol
The AH protocol (RFC 2402) was designed for integrity, authentication, sequence
integrity (replay resistance), and non-repudiation but not for confidentiality, for which the
ESP was designed.
In applications where confidentiality is not required or not sanctioned by government
encryption restrictions, an AH can be employed to ensure integrity. This type of
implementation does not protect the information from dissemination but will allow for
verification of the integrity of the information and authentication of the originator.
ESP (Encapsulating Security Payload) Protocol
The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH.
ESP authenticating properties are limited compared to the AH due to the non-inclusion of
the IP header information during the authentication process. However, ESP is sufficient if
only the upper layer protocols need to be authenticated. An added feature of the ESP is
payload padding, which further protects communications by concealing the size of the
packet being transmitted.
To access the
IPSec
page:
1
Click
VPN
in the menu bar.
2
Then click the
IPSec
submenu.
Figure 39 shows an example of the menu and Table 31 describes the items you can
select.
Page 118 / 143
118
Figure 39. Example of IPSec Page
Page 119 / 143
119
Table 34. IPSec Menu Option
Option
Description
Tunnel
This is a pull-down list of VPN Names defined below. Select the
specific VPN tunnel to configure.
Name
Enter a VPN name and click
Add New Tunnel
.
Local Endpoint
Settings
Configure the local network located at your Cable
Modem/Router’s AN side.
Address Group Type
Define the local address type. Select IP Subnet to protect the
whole subnet; select Single IP address to protect a single PC or
device; select IP address range to protect several PCs, or
devices.
Subnet
Enter the subnet scale for address group.
Mask
Enter the subnet mask for address group.
Identity Type
Select the type to identify the Cable Modem/Router. The
choices are:WAN IP address, LAN IP address, FQDN (Fully
Qualified Domain Name) or Email address.
Identity
Enter the value corresponding to the selected identity type.
Remote Endpoint
Settings
Record the parameters of the network on which the peer VPN is
located.
Address Group Type
Define the local address type. Select IP Subnet to protect the
whole subnet; select Single IP address to protect a single PC;
select IP address range to protect several PCs.
Subnet
Enter the subnet for address group.
Mask
Enter the subnet mask for address group.
Identity Type
Select the type to identify the Cable Modem/Router. The
choices are WAN IP address, IP address, FQDN or Email
address.
Identity
Enter the value corresponding to the selected identity type.
Network Address
Type
Enter the IP address or domain name of the peer VPN Cable
Modem/Router. You can select IP address, which is typically
suitable for static public IP addresses or FQDN, which is
typically suitable for dynamic public IP address.
Remote Address
Enter IP address according to the
Network Address Type
.
Page 120 / 143
120
IPSec Settings
Configure the IPSec protocol related parameters.
Pre-Shared Key
Enter a key (Pre-Shared key) for authentication.
Phase 1DH Group
Select the Diffie-Hellman key group (DHx) you want to use for
encryption keys.
DH1: uses a 768-bit random number
DH2: uses a 1024-bit random number
DH5: uses a 1536-bit random number.
Phase 1 Encryption
Select the key size and encryption algorithm to use for data
communications.
DES: a 56-bit key with the DES encryption algorithm
3DES: a 168-bit key with the DES encryption algorithm. Both
the Cable Modem/Router and the remote IPSec router must use
the same algorithms and key, which can be used to encrypt and
decrypt the message or to generate and verify a message
authentication code. Longer keys require more processing
power, resulting in increased latency and decreased
throughput.
AES: AES (Advanced Encryption Standard) is a newer method
of data encryption that also uses a secret key. This
implementation of AES applies a 128-bit key to 128-bit blocks of
data. AES is faster than 3DES. Here you have the choice of
AES-128, AES-192 and AES-256.
Phase 1
Authentication
Select the hash algorithm used to authenticate packet data in
the IKE SA.
SHA1: generally considered stronger than MD5, but it is also
slower.
MD5 (Message Digest 5): produces a 128-bit digest to
authenticate packet data.
SHA1 (Secure Hash Algorithm): produces a 160-bit digest to
authenticate packet data.
Phase 1 SA Lifetime
In this field define the length of time before an IKE SA
automatically renegotiates. This value may range from 120 to
86400 seconds. A short SA lifetime increases security by
forcing the two VPN Cable Modem/Router’s to update the
encryption and authentication keys. However, every time the

Rate

4.5 / 5 based on 2 votes.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top