Chapter 5
Setting Up and Configuring the Router
21
4-Port Gigabit Security Router with VPN
Remote Security Group Type
Select the remote LAN host(s) behind the remote gateway that may use this VPN tunnel: either a single IP address or a subnetwork. The Remote Security Group Type, and the address or subnet it describes, must match the other router's Local Security Group Type. Each side's local and remote groups must also not overlap, or traffic cannot be routed into the tunnel.
IP Address
Enter the address of the remote host (IP Address type) or the address of the remote network, e.g., 192.168.2.0 (Subnet type).
Subnet Mask
If the Remote Security Group Type is set to Subnet, enter the mask that determines which IP addresses belong to the remote network.
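The mirror rule above (one router's Remote Security Group must equal the other's Local Security Group) is easy to get wrong when the two routers are configured by different people. The following is an added example, not code from the manual or from the router, that models the Local and Remote Security Group fields and checks a pair of tunnel definitions for the mismatches and overlaps that keep a tunnel from passing traffic. The site names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroup:
    """One Local or Remote Security Group as entered in the router UI."""
    group_type: str                      # "IP" (single host) or "Subnet"
    ip: str                              # the host address, or an address in the subnet
    mask: str = "255.255.255.255"        # only used for the "Subnet" type

    def network(self) -> ipaddress.IPv4Network:
        if self.group_type == "IP":
            return ipaddress.IPv4Network(f"{self.ip}/32")
        if self.group_type == "Subnet":
            # strict=False accepts a host address with the mask (192.168.2.1/255.255.255.0)
            # and normalizes it to the network, 192.168.2.0/24.
            return ipaddress.IPv4Network(f"{self.ip}/{self.mask}", strict=False)
        raise ValueError(f"unknown security group type {self.group_type!r}")


@dataclass(frozen=True)
class TunnelEndpoint:
    name: str
    local: SecurityGroup
    remote: SecurityGroup


def check_mirror(a: TunnelEndpoint, b: TunnelEndpoint) -> list:
    """Every reason these two tunnel definitions will not form a working pair."""
    problems = []
    for left, right in ((a, b), (b, a)):
        if left.remote.group_type != right.local.group_type:
            problems.append(f"{left.name} remote type {left.remote.group_type!r} != "
                            f"{right.name} local type {right.local.group_type!r}")
        elif left.remote.network() != right.local.network():
            problems.append(f"{left.name} remote {left.remote.network()} != "
                            f"{right.name} local {right.local.network()}")
    for ep in (a, b):
        # A local range that overlaps the remote range cannot be routed into the tunnel.
        if ep.local.network().overlaps(ep.remote.network()):
            problems.append(f"{ep.name}: local {ep.local.network()} "
                            f"overlaps remote {ep.remote.network()}")
    return problems


def is_tunneled(ep: TunnelEndpoint, src: str, dst: str) -> bool:
    """Does a packet from src to dst match this endpoint's local->remote selector?"""
    return (ipaddress.IPv4Address(src) in ep.local.network()
            and ipaddress.IPv4Address(dst) in ep.remote.network())


# Constructed example: two sites, then the same branch with the remote side
# mistakenly entered as a single host instead of the HQ subnet.
LAN_HQ = SecurityGroup("Subnet", "192.168.1.0", "255.255.255.0")
LAN_BRANCH = SecurityGroup("Subnet", "192.168.2.0", "255.255.255.0")
SITE_HQ = TunnelEndpoint("HQ", local=LAN_HQ, remote=LAN_BRANCH)
SITE_BRANCH = TunnelEndpoint("Branch", local=LAN_BRANCH, remote=LAN_HQ)
SITE_BRANCH_BAD = TunnelEndpoint("Branch", local=LAN_BRANCH,
                                 remote=SecurityGroup("IP", "192.168.1.1"))

if __name__ == "__main__":
    print(check_mirror(SITE_HQ, SITE_BRANCH))       # [] : the pair mirrors correctly
    print(check_mirror(SITE_HQ, SITE_BRANCH_BAD))   # one type-mismatch problem
```

`is_tunneled` reproduces the selector logic: only packets from the local group to the remote group enter the tunnel, which is why a mistyped mask silently leaves part of a LAN outside the VPN rather than producing an error.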
IPSec Setup
Keying Mode
The router supports both automatic and manual key management. With automatic key management, the IKE (Internet Key Exchange) protocol negotiates the key material for the Security Associations (SAs). With manual key management, no key negotiation takes place; the keys are entered by hand on both sides and never change unless an administrator changes them. Manual key management is therefore intended for small, static environments or for troubleshooting. Both sides must use the same Key Management method.
Phase 1
• Encryption: The encryption algorithm (and therefore key length) used to protect the IKE negotiation itself. Only 3DES is supported. Both sides must use the same Encryption method.
• Authentication: The hash algorithm used to authenticate the IKE messages. Either MD5 or SHA1 may be selected. Both sides (VPN endpoints) must use the same Authentication method.
• MD5: A one-way hashing algorithm that produces a 128-bit digest. It is the weaker of the two choices; prefer SHA1 when the peer supports it.
• SHA1: A one-way hashing algorithm that produces a 160-bit digest.
• Group: The Diffie-Hellman (DH) group used for the key exchange. Select the 768-bit (Group 1), 1024-bit (Group 2), or 1536-bit (Group 5) group. Group 5 provides the most security, Group 1 the least; Groups 1 and 2 are too small by current standards, so select Group 5 unless the peer cannot.
• Key Life Time: The lifetime of the IKE (Phase 1) SA and the keys it generated. When the lifetime expires, Phase 1 is renegotiated automatically and new keys are produced. Enter a value from 300 to 100,000,000 seconds. The default is 28800 seconds.
Phase 2
• Encryption: The encryption algorithm (and therefore key length) used to encrypt/decrypt the ESP packets that carry tunnel traffic. Only 3DES is supported. Both sides must use the same Encryption method.
• Authentication: The hash algorithm (used as an HMAC) that authenticates each ESP packet. Either MD5 or SHA1 may be selected. Both sides (VPN endpoints) must use the same Authentication method.
• MD5: A one-way hashing algorithm that produces a 128-bit digest. It is the weaker of the two choices; prefer SHA1 when the peer supports it.
• SHA1: A one-way hashing algorithm that produces a 160-bit digest.
• Perfect Forward Secrecy: If PFS is enabled, the Phase 2 negotiation performs a fresh Diffie-Hellman exchange, so the keys that encrypt and authenticate IP traffic are not derived from the Phase 1 keying material; a later compromise of the Phase 1 keys then does not expose the tunnel traffic. Both sides must have this selected.
• Preshared Key: IKE uses the Preshared Key to authenticate the remote IKE peer. It is the only proof of identity the tunnel has, so use a long, random value. Both character and hexadecimal values are acceptable in this field; e.g., "My_@123" or its hexadecimal form "0x4d795f40313233" (a hexadecimal key is entered with the 0x prefix). Both sides must use the same Preshared Key.
• Group: The Diffie-Hellman (DH) group used for the PFS key exchange. Select the 768-bit (Group 1), 1024-bit (Group 2), or 1536-bit (Group 5) group. Group 5 provides the most security, Group 1 the least.
• Key Life Time: The lifetime of the IPsec (Phase 2) SA. When it expires, new keys are renegotiated automatically. Enter a value from 300 to 100,000,000 seconds. The default is 3600 seconds.
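Nearly every Phase 1 and Phase 2 field above carries the note that both sides must match, and the Preshared Key accepts two spellings of the same key. The following is an added example, not code from the manual or from the router, that models those fields for two endpoints, normalizes the character and hexadecimal Preshared Key forms before comparing them, reports the settings that must be identical for the tunnel to come up, and separately flags choices (MD5, Groups 1 and 2, PFS off, Aggressive mode, short keys) that negotiate fine but are weak. The 20-byte key threshold, the field names and the HQ/Branch values are this example's own assumptions.

```python
import secrets
from dataclasses import dataclass, replace

LIFETIME_MIN, LIFETIME_MAX = 300, 100_000_000   # range the Key Life Time fields accept


@dataclass
class IPsecSettings:
    """IPSec Setup fields of one router's tunnel, named as on the page."""
    name: str
    preshared_key: str
    keying_mode: str = "IKE with Preshared Key"
    p1_encryption: str = "3DES"
    p1_authentication: str = "SHA1"
    p1_group: int = 5            # 1 = 768-bit, 2 = 1024-bit, 5 = 1536-bit
    p1_lifetime: int = 28800
    p2_encryption: str = "3DES"
    p2_authentication: str = "SHA1"
    pfs: bool = True
    p2_group: int = 5            # only negotiated when PFS is enabled
    p2_lifetime: int = 3600
    aggressive_mode: bool = False


def normalize_psk(value: str) -> bytes:
    """Map the two forms the Preshared Key field accepts to the key bytes IKE uses.

    "My_@123" and "0x4d795f40313233" are the same key; comparing the raw strings
    would report a false mismatch when one administrator used the hex form.
    """
    if value[:2].lower() == "0x":
        digits = value[2:]
        if not digits or len(digits) % 2:
            raise ValueError("hex preshared key needs an even, non-zero number of digits")
        return bytes.fromhex(digits)     # raises ValueError on non-hex characters
    return value.encode("ascii")


def generate_psk(nbytes: int = 32) -> str:
    """A random key in the "0x..." form the Preshared Key field accepts."""
    return "0x" + secrets.token_hex(nbytes)


MUST_MATCH = ("keying_mode", "p1_encryption", "p1_authentication", "p1_group",
              "p2_encryption", "p2_authentication", "pfs", "aggressive_mode")


def check_proposals(a: IPsecSettings, b: IPsecSettings) -> dict:
    """Return {"mismatch": [...], "weak": [...]} for a pair of tunnel endpoints.

    "mismatch" lists settings the page says must be identical (the tunnel will not
    come up); "weak" lists choices that negotiate but are poor by current practice.
    """
    mismatch, weak = [], []
    for f in MUST_MATCH:
        if getattr(a, f) != getattr(b, f):
            mismatch.append(f"{f}: {a.name}={getattr(a, f)!r} {b.name}={getattr(b, f)!r}")
    if a.pfs and b.pfs and a.p2_group != b.p2_group:
        mismatch.append(f"p2_group: {a.name}={a.p2_group} {b.name}={b.p2_group}")
    keys = {}
    for ep in (a, b):
        try:
            keys[ep.name] = normalize_psk(ep.preshared_key)
        except ValueError as err:
            mismatch.append(f"{ep.name} preshared_key: {err}")
    if len(keys) == 2 and keys[a.name] != keys[b.name]:
        mismatch.append("preshared_key differs")
    for ep in (a, b):
        for f in ("p1_lifetime", "p2_lifetime"):
            v = getattr(ep, f)
            if not LIFETIME_MIN <= v <= LIFETIME_MAX:
                mismatch.append(f"{ep.name} {f}={v} outside {LIFETIME_MIN}..{LIFETIME_MAX}")
        if "MD5" in (ep.p1_authentication, ep.p2_authentication):
            weak.append(f"{ep.name}: MD5 selected; prefer SHA1")
        if ep.p1_group in (1, 2) or (ep.pfs and ep.p2_group in (1, 2)):
            weak.append(f"{ep.name}: DH Group 1/2 selected; prefer Group 5")
        if not ep.pfs:
            weak.append(f"{ep.name}: PFS disabled")
        if ep.aggressive_mode:
            weak.append(f"{ep.name}: Aggressive mode sends the PSK-based hash in the clear")
        if ep.name in keys and len(keys[ep.name]) < 20:   # threshold is an assumption
            weak.append(f"{ep.name}: preshared key shorter than 20 bytes")
    return {"mismatch": mismatch, "weak": weak}


# Constructed example: the branch admin entered the same short key in hex form
# and picked MD5 for Phase 1; the second pair is the corrected configuration.
HQ = IPsecSettings("HQ", preshared_key="My_@123")
BRANCH = IPsecSettings("Branch", preshared_key="0x4d795f40313233", p1_authentication="MD5")
STRONG_PSK = generate_psk()
HQ_FIXED = replace(HQ, preshared_key=STRONG_PSK)
BRANCH_FIXED = replace(BRANCH, preshared_key=STRONG_PSK, p1_authentication="SHA1")

if __name__ == "__main__":
    print(check_proposals(HQ, BRANCH))              # one mismatch, three weak settings
    print(check_proposals(HQ_FIXED, BRANCH_FIXED))  # {'mismatch': [], 'weak': []}
```

Because the keys are compared as bytes, the HQ/Branch pair is reported as mismatching only on Phase 1 authentication, not on the key; `generate_psk` produces a 32-byte value already in the form the field accepts, which is the practical way to get a key long enough that the offline guessing discussed under Aggressive Mode is hopeless.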
Status
Status
Displays the connection status for the selected
tunnel. The state is either connected or disconnected.
Connect
Click this button to establish a connection for
the current VPN tunnel. If you have made any changes,
click Save Settings first to apply your changes.
Disconnect
Click this button to break a connection for
the current VPN tunnel.
View Log
Click this button to view the VPN log, which
shows details of each tunnel established.
Advanced
Click this button to display the following
additional settings.
• Aggressive Mode: Specifies the type of Phase 1 exchange, Main mode or Aggressive mode. Check the box to select Aggressive mode, or leave the box unchecked (default) to select Main mode. Aggressive mode completes Phase 1 in three messages instead of Main mode's six, but it sends the peer identities and the preshared-key-based authentication hash unencrypted, so anyone who captures the exchange can try to guess the Preshared Key offline. If network security is preferred, select Main mode; use Aggressive mode only when the remote peer requires it.
• NetBIOS Broadcasts: Check the box to allow NetBIOS broadcast traffic to pass through the VPN tunnel. By default, the RVS4000 blocks these broadcasts.
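The reason the Aggressive Mode setting matters is a property of IKEv1 itself, not of this router: with preshared-key authentication, RFC 2409 defines SKEYID = prf(PSK, Ni | Nr) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), and in Aggressive mode every one of those inputs except the PSK, plus HASH_R itself, travels in the clear (in Main mode the hashes are sent only after encryption is established). The following is an added example, not code from the manual or from the router, that computes HASH_R as a responder would and then recovers a dictionary-word PSK from a constructed capture by recomputation alone. The nonces, cookies and DH public values are random stand-ins, the SA and ID payload bodies are constructed, and the wordlist is invented.

```python
import hmac
import os
from typing import Optional


def prf(key: bytes, data: bytes, hash_name: str) -> bytes:
    """IKEv1's prf is HMAC keyed with the negotiated Phase 1 hash (md5 or sha1)."""
    return hmac.new(key, data, hash_name).digest()


def hash_r(psk: bytes, m: dict, hash_name: str) -> bytes:
    """HASH_R for pre-shared-key authentication (RFC 2409, section 5):
         SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
         HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    In Aggressive mode every input except the PSK is visible on the wire."""
    skeyid = prf(psk, m["ni"] + m["nr"], hash_name)
    return prf(skeyid, m["g_xr"] + m["g_xi"] + m["cky_r"] + m["cky_i"]
               + m["sai_b"] + m["idir_b"], hash_name)


def aggressive_mode_capture(psk: bytes, hash_name: str) -> dict:
    """Constructed stand-in for what a passive observer records from the three
    unencrypted Aggressive mode messages. Random bytes replace the real
    Diffie-Hellman public values: the attack needs no DH secret, only the
    bytes that were sent."""
    m = {
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),        # ISAKMP cookies
        "ni": os.urandom(16), "nr": os.urandom(16),            # nonces
        "g_xi": os.urandom(192), "g_xr": os.urandom(192),      # 1536-bit DH publics
        "sai_b": bytes.fromhex("0000000100000001"),            # constructed SA body
        "idir_b": bytes([1, 0, 0, 0]) + bytes([203, 0, 113, 1]),  # ID_IPV4_ADDR 203.0.113.1
    }
    m["hash_r"] = hash_r(psk, m, hash_name)   # responder sends this in the clear
    return m


def crack_psk(capture: dict, hash_name: str, candidates) -> Optional[str]:
    """Offline dictionary attack: recompute HASH_R per guess and compare."""
    for guess in candidates:
        if hmac.compare_digest(hash_r(guess.encode(), capture, hash_name),
                               capture["hash_r"]):
            return guess
    return None


# Constructed demo: a dictionary-word PSK on the tunnel and a tiny wordlist.
WORDLIST = ["password", "cisco", "linksys", "vpn2009", "router123", "letmein"]
CAPTURE_SHA1 = aggressive_mode_capture(b"router123", "sha1")
CAPTURE_MD5 = aggressive_mode_capture(b"router123", "md5")
CAPTURE_STRONG = aggressive_mode_capture(os.urandom(32), "sha1")

if __name__ == "__main__":
    print(crack_psk(CAPTURE_SHA1, "sha1", WORDLIST))    # router123
    print(crack_psk(CAPTURE_STRONG, "sha1", WORDLIST))  # None
```

The attack is purely offline and passive, which is why Main mode (hashes exchanged only under the Phase 1 encryption) is the safer default, and why, if Aggressive mode cannot be avoided, the Preshared Key has to be long and random rather than a word: a 32-byte random key is out of reach of any wordlist, as the third capture shows.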
Click Save Settings to save the settings you have entered.
Click Cancel Changes to cancel any changes you have entered.