Page 226 / 404 Scroll up to view Page 221 - 225
Chapter 20 VPN
VMG8324-B10A / VMG8324-B30A Series User’s Guide
226
Encryption
Algorithm
Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES
- a 56-bit key with the DES encryption algorithm
3DES
- a 168-bit key with the DES encryption algorithm
AES
-
128
- a 128-bit key with the AES encryption algorithm
AES
-
196
- a 196-bit key with the AES encryption algorithm
AES
-
256
- a 256-bit key with the AES encryption algorithm
The Device and the remote IPSec router must use the same key size and encryption
algorithm. Longer keys require more processing power, resulting in increased latency and
decreased throughput.
Integrity
Algorithm
Select which hash algorithm to use to authenticate packet data. Choices are
MD5
,
SHA1
.
SHA
is generally considered stronger than
MD5
, but it is also slower.
Select Diffie-
Hellman Group
for Key Exchange
Select which Diffie-Hellman key group you want to use for encryption keys. Choices for
number of bits in the random number are: 768, 1024, 1536, 2048, 3072, 4096.
The longer the key, the more secure the encryption, but also the longer it takes to encrypt
and decrypt information. Both routers must use the same DH key group.
Key Life Time
Define the length of time before an IPSec SA automatically renegotiates in this field.
A short SA Life Time increases security by forcing the two VPN gateways to update the
encryption and authentication keys. However, every time the VPN tunnel renegotiates, all
users accessing remote resources are temporarily disconnected.
Phase 2
Encryption
Algorithm
Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES
- a 56-bit key with the DES encryption algorithm
3DES
- a 168-bit key with the DES encryption algorithm
AES
-
128
- a 128-bit key with the AES encryption algorithm
AES
-
192
- a 196-bit key with the AES encryption algorithm
AES
-
256
- a 256-bit key with the AES encryption algorithm
Select
ESP_NULL
to set up a tunnel without encryption. When you select
ESP_NULL
,
you do not enter an encryption key.
The Device and the remote IPSec router must use the same key size and encryption
algorithm. Longer keys require more processing power, resulting in increased latency and
decreased throughput.
Integrity
Algorithm
Select which hash algorithm to use to authenticate packet data. Choices are
MD5
and
SHA1
.
SHA
is generally considered stronger than
MD5
, but it is also slower.
Table 104
Security > IPSec VPN: Add/Edit
LABEL
DESCRIPTION
Page 227 / 404
Chapter 20 VPN
VMG8324-B10A / VMG8324-B30A Series User’s Guide
227
Perfect Forward
Secrecy (PFS)
Select whether or not you want to enable Perfect Forward Secrecy (PFS)
PFS changes the root key that is used to generate encryption keys for each IPSec SA. The
longer the key, the more secure the encryption, but also the longer it takes to encrypt and
decrypt information. Both routers must use the same DH key group. Choices are:
None
- do not use any random number.
768bit(DH Group1)
- use a 768-bit random number
1024bit(DH Group2)
- use a 1024-bit random number
1536bit(DH Group5)
- use a 1536-bit random number
2048bit(DH Group14)
- use a 2048-bit random number
3072bit(DH Group15)
- use a 3072-bit random number
4096bit(DH Group16)
- use a 4096-bit random number
Key Life Time
Define the length of time before an IPSec SA automatically renegotiates in this field.
A short SA Life Time increases security by forcing the two VPN gateways to update the
encryption and authentication keys. However, every time the VPN tunnel renegotiates, all
users accessing remote resources are temporarily disconnected.
The following fields are available if you select Manual in the Key Exchange Method field.
Encryption
Algorithm
Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES
- a 56-bit key with the DES encryption algorithm
3DES
- a 168-bit key with the DES encryption algorithm
EPS_NULL
- no encryption key or algorithm
Encryption
Key
This field is applicable when you select an Encryption Algorithm.
Enter the encryption key, which depends on the encryption algorithm.
DES
- type a unique key 16 hexadecimal characters long
3DES
- type a unique key 48 hexadecimal characters long
Authentication
Algorithm
Select which hash algorithm to use to authenticate packet data. Choices are MD5, SHA1.
SHA is generally considered stronger than MD5, but it is also slower.
Authentication
Key
Enter the authentication key, which depends on the authentication algorithm.
MD5
- type a unique key 32 hexadecimal characters long
SHA1
- type a unique key 40 hexadecimal characters long
SPI
Type a unique SPI (Security Parameter Index) in hexadecimal characters.
The SPI is used to identify the Device during authentication.
The Device and remote IPSec router must use the same SPI.
OK
Click
OK
to save your changes.
Cancel
Click
Cancel
to restore your previously saved settings.
Table 104
Security > IPSec VPN: Add/Edit
LABEL
DESCRIPTION
Page 228 / 404
Chapter 20 VPN
VMG8324-B10A / VMG8324-B30A Series User’s Guide
228
20.4
The IPSec VPN Monitor Screen
Use this screen to check your VPN tunnel’s current status. You can also manually trigger a VPN
tunnel to the remote network. Click
Security > IPSec VPN > Monitor
to open this screen as
shown next.
Figure 138
Security > IPSec VPN > Monitor
This screen contains the following fields:
20.5
Technical Reference
This section provides some technical background information about the topics covered in this
section.
20.5.1
IPSec Architecture
The overall IPSec architecture is shown as follows.
Table 105
Security > IPSec VPN > Monitor
LABEL
DESCRIPTION
Refresh Interval
Select how often you want the Device to update this screen. Select
No Refresh
to have
the Device stop updating the screen.
Status
This displays a green line between two hosts if the VPN tunnel has been established
successfully. Otherwise, it displays a red line in between.
Connection Name
This displays the name of the VPN policy.
Remote Gateway
This is the IP address of the remote IPSec router in the IKE SA.
Local Addresses
This displays the IP address(es) on the LAN behind your Device.
Remote
Addresses
This displays the IP address(es) on the LAN behind the remote IPSec router.
Action
Click
Trigger
to establish a VPN connection with the remote network.
Page 229 / 404
Chapter 20 VPN
VMG8324-B10A / VMG8324-B30A Series User’s Guide
229
Figure 139
IPSec Architecture
IPSec Algorithms
The
ESP
(Encapsulating Security Payload) Protocol (RFC 2406) and
AH
(Authentication Header)
protocol (RFC 2402) describe the packet formats and the default standards for packet structure
(including implementation algorithms).
The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption
Standard) and Triple DES algorithms.
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404, provide an
authentication mechanism for the
AH
and
ESP
protocols.
Key Management
Key management allows you to determine whether to use IKE (ISAKMP) or manual key
configuration in order to set up a VPN.
20.5.2
Encapsulation
The two modes of operation for IPSec VPNs are
Transport
mode and
Tunnel
mode. At the time of
writing, the Device supports
Tunnel
mode only.
Figure 140
Transport and Tunnel Mode IPSec Encapsulation
Page 230 / 404
Chapter 20 VPN
VMG8324-B10A / VMG8324-B30A Series User’s Guide
230
Transport Mode
Transport
mode is used to protect upper layer protocols and only affects the data in the IP packet.
In
Transport
mode, the IP packet contains the security protocol (
AH
or
ESP
) located after the
original IP header and options, but before any upper layer protocols contained in the packet (such
as TCP and UDP).
With
ESP,
protection is applied only to the upper layer protocols contained in the packet. The IP
header information and options are not used in the authentication process. Therefore, the
originating IP address cannot be verified for integrity against the data.
With the use of
AH
as the security protocol, protection is extended forward into the IP header to
verify the integrity of the entire packet by use of portions of the original IP header in the hashing
process.
Tunnel Mode
Tunnel
mode encapsulates the entire IP packet to transmit it securely. A
Tunnel
mode is required
for gateway services to provide access to internal systems.
Tunnel
mode is fundamentally an IP
tunnel with authentication and encryption. This is the most common mode of operation.
Tunnel
mode is required for gateway to gateway and host to gateway communications.
Tunnel
mode
communications have two sets of IP headers:
Outside header
: The outside IP header contains the destination IP address of the VPN gateway.
Inside header
: The inside IP header contains the destination IP address of the final system
behind the VPN gateway. The security protocol appears after the outer IP header and before the
inside IP header.
20.5.3
IKE Phases
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication)
and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses
that SA to negotiate SAs for IPSec.

Rate

4 / 5 based on 1 vote.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top