Zoom 5363 Router Manual PDF (Setup & Configuration Guide)

Page 116 / 142 Scroll up to view Page 111 - 115

Table 32. IPSec Menu Option

Option

Description

This is a pull-down list of VPN Names defined below. Select the

specific VPN tunnel to configure.

Tunnel

Enter a VPN name and click

Add New Tunnel

.

Name

Configure the local network located at your Cable

Modem/Router’s LAN side.

Local Endpoint

Settings

Define the local address type. Select IP Subnet to protect the

whole subnet; select Single IP address to protect a single PC or

device; select IP address range to protect several PCs, or

devices.

Address Group Type

Enter the subnet scale for address group.

Subnet

Enter the subnet mask for address group.

Mask

Select the type to identify the Cable Modem/Router. The

choices are:WAN IP address, LAN IP address, FQDN (Fully

Qualified Domain Name) or Email address.

Identity Type

Enter the value corresponding to the selected identity type.

Identity

Record the parameters of the network on which the peer VPN is

located.

Remote Endpoint

Settings

Define the local address type. Select IP Subnet to protect the

whole subnet; select Single IP address to protect a single PC;

select IP address range to protect several PCs.

Address Group Type

Enter the subnet for address group.

Subnet

Enter the subnet mask for address group.

Mask

Select the type to identify the Cable Modem/Router. The

choices are WAN IP address, IP address, FQDN or Email

address.

Identity Type

Enter the value corresponding to the selected identity type.

Identity

Network Address

Type

Enter the IP address or domain name of the peer VPN Cable

Modem/Router. You can select IP address, which is typically

suitable for static public IP addresses or FQDN, which is

typically suitable for dynamic public IP address.

116

Page 117 / 142

Enter IP address according to the

Network Address Type

.

Remote Address

Configure the IPSec protocol related parameters.

IPSec Settings

Pre-Shared Key

Enter a key (Pre-Shared key) for authentication.

Phase 1DH Group

Select the Diffie-Hellman key group (DHx) you want to use for

encryption keys.

DH1: uses a 768-bit random number

DH2: uses a 1024-bit random number

DH5: uses a 1536-bit random number.

Phase 1 Encryption

Select the key size and encryption algorithm to use for data

communications.

DES: a 56-bit key with the DES encryption algorithm

3DES: a 168-bit key with the DES encryption algorithm. Both

the Cable Modem/Router and the remote IPSec router must use

the same algorithms and key, which can be used to encrypt and

decrypt the message or to generate and verify a message

authentication code. Longer keys require more processing

power, resulting in increased latency and decreased

throughput.

AES: AES (Advanced Encryption Standard) is a newer method

of data encryption that also uses a secret key. This

implementation of AES applies a 128-bit key to 128-bit blocks of

data. AES is faster than 3DES. Here you have the choice of

AES-128, AES-192 and AES-256.

Phase 1

Authentication

Select the hash algorithm used to authenticate packet data in

the IKE SA.

SHA1: generally considered stronger than MD5, but it is also

slower.

MD5 (Message Digest 5): produces a 128-bit digest to

authenticate packet data.

SHA1 (Secure Hash Algorithm): produces a 160-bit digest to

authenticate packet data.

Phase 1 SA Lifetime

In this field define the length of time before an IKE SA

automatically renegotiates. This value may range from 120 to

86400 seconds. A short SA lifetime increases security by

forcing the two VPN Cable Modem/Router’s to update the

encryption and authentication keys. However, every time the

VPN tunnel renegotiates, all users accessing remote resources

117

Page 118 / 142

are temporarily disconnected.

Phase 2 Encryption

Select the key size and encryption algorithm to use for data

communications.

Null: No data encryption in IPSec SA. Not recommended.

DES: a 56-bit key with the DES encryption algorithm

3DES: a 168-bit key with the DES encryption algorithm. Both

the Cable Modem/Router and the remote IPSec router must use

the same algorithms and key , which can be used to encrypt and

decrypt the message or to generate and verify a message

authentication code. Longer keys require more processing

power, resulting in increased latency and decreased

throughput.

AES: Advanced Encryption Standard is a newer method of data

encryption that also uses a secret key. This implementation of

AES applies a 128-bit key to 128-bit blocks of data. AES is

faster than 3DES. Here you have the choice of AES-128,

AES-192 and AES-256.

Select the hash algorithm used to authenticate packet data in

the IKE SA. SHA1 is generally considered stronger than MD5,

but it is also slower.

Phase 2

Authentication

In this field define the length of time before an IPSec SA

automatically renegotiates. This value may range from 120 to

86400 seconds.

Phase 2 SA Lifetime

Key Management

Select to use IKE (ISAKMP) or manual key configuration in

order to set up a VPN.

IKE Negotiation

Mode

Select how Security Association (SA) will be established for

each connection through IKE negotiations.

Main Mode: ensures the highest level of security when the

communicating parties are negotiating authentication (phase 1).

Aggressive Mode: quicker than Main Mode because it

eliminates several steps when the communicating parties are

negotiating authentication (phase 1).

Perfect Forward Secret (PFS) is disabled by default in phase 2

IPSec SA setup. This allows faster IPSec setup, but is not as

secure. You can select DH1, DH2 or DH5 to enable PFS.

Perfect Forward

Secrecy (PFS)

Phase 2 DH Group

Select DHx after enabling PFS.

118

Page 119 / 142

Select Enable to enable replay detection. As VPN setup is

processing intensive, the system is vulnerable to Denial of

Service (DOS) attacks. The IPSec receiver can detect and

reject old or duplicate packets to protect against replay attacks.

Replay Detection

Select Enable to send NetBIOS (Network Basic Input/Output

System) packets through the VPN connection. NetBIOS

packets are TCP or UDP packets that enable a computer to find

other computers. It may sometimes be necessary to allow

NetBIOS packets to pass through VPN tunnels in order to allow

local computers to find computers on the remote network and

vice versa.

NetBIOS Broadcast

Forwarding

Select Enable to force the Cable Modem/Router to periodically

detect if the remote IPSec Cable Modem/Router is available or

not.

Dead Peer Detection

If Manual mode is selected in the Key Management field, enter a

16 hexadecimal digits manual encryption key for encryption.

Manual Encryption

Key

Enter a 32 hexadecimal digit unique authentication key to be

used by IPSec.

Manual

Authentication Key

Enter a unique SPI (Security Parameter Index) for inbound SPI.

Inbound SPI

Outbound SPI

Enter a unique SPI (Security Parameter Index) for outbound

SPI.

119

Page 120 / 142

L2TP/PPTP

The L2TP/PPTP page allows you to configure server and security settings. The L2TP

(Layer 2 Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol) both allow

PPP frames to be tunneled through the network. PPTP is a Microsoft proprietary

protocol, which is very similar to L2TP.

To access the

L2TP/PPTP

page:

1

Click the

Router

menu tab.

2

Then click the

VPN /L2TP/PPTP

submenu.

Figure 33 shows an example of the menu and Table 33 describes the items you can

select.

Figure 33. Example of L2TP/PPTP Page

120

Rate

Popular Zoom Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share