Cisco Systems RVL200 manual Advanced

Page 47

Chapter 4

Advanced Configuration

Manual

Incoming and Outgoing SPI (Security Parameter Index)  SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the SA, under which a packet should be processed. Hexadecimal values is acceptable, and the valid range is 100~ffffffff. Each tunnel must have a unique Incoming SPI and Outgoing SPI. No two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.

Encryption  Select a method of encryption, DES or 3DES. This determines the length of the key used to encrypt or decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.

Authentication  Select a method of authentication, MD5 or SHA1. The Authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Encryption Key  This field specifies a key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal values. If DES is selected, the Encryption Key is 16-bit, which requires 16 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 16-bit. If 3DES is selected, the Encryption Key is 48-bit, which requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 48- bit. Make sure both ends of the VPN tunnel use the same Encryption Key.

Authentication Key  This field specifies a key used to authenticate IP traffic. Enter a key of hexadecimal values. If MD5 is selected, the Authentication Key is 32-bit, which requires 32 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Authentication Key will be automatically completed with zeroes until it has 32 hexadecimal values. If SHA is selected, the Authentication Key is 40-bit, which requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of

the Authentication Key will be automatically completed with zeroes until it has 40 hexadecimal values. Make sure both ends of the VPN tunnel use the same Authentication Key.

Advanced

For most users, the settings on theVPN page should suffice; however, the Router provides advanced IPSec settings for advanced users using the IKE with Preshared Key mode. Click Advanced to view the Advanced settings.

Advanced

Aggressive Mode  There are two types of Phase 1 exchanges, Main Mode and Aggressive Mode.

Aggressive Mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, leave the Aggressive Mode check box unchecked (Main Mode will be used). If network speed is preferred, select Aggressive Mode. If you select one of the Dynamic IP types for the Remote Security Gateway Type setting, then Main Mode will be unavailable, so Aggressive Mode will be used.

Compress (Support IP Payload Compression Protocol (IP Comp))  IP Payload Compression is a protocol that reduces the size of IP datagrams. Select this option if you want the Router to propose compression when it initiates a connection. If the responders reject this proposal, then the Router will not implement compression. When the Router works as a responder, it will always accept compression, even if compression is not enabled.

Keep-Alive Keep-Alive helps maintain IPSec VPN tunnel connections. If a connection is dropped and detected, it will be re-established immediately. Select this option to use this feature.

NetBIOS Broadcast  Select this option to allow NetBIOS traffic to pass through the VPN tunnel. By default, the Router blocks this traffic.

NAT Traversal  This is enabled by default. Both the IPSec initiator and responder must support the mechanism for detecting the NAT router in the path and changing to a new port, as defined in RFC 3947.

Dead Peer Detection (DPD)  When DPD is enabled, the Router will send periodic HELLO/ACK messages to check the status of the VPN tunnel (this feature can be used only when both peers or VPN devices of the VPN tunnel use the DPD mechanism). Once a dead peer has been detected,

4-Port SSL/IPSec VPN Router

39

Page 46 Page 48
Image 47
Page 46 Page 48
Contents Port SSL/IPSec VPN Router About This Guide About This GuideTable of Contents Ddns IPSec VPN Gateway to Gateway Appendix E User for the Active Directory Server Appendix C Bandwidth ManagementAppendix D Active Directory Server Appendix L Multiple VLANs with Computers Appendix I Gateway-to-Gateway VPN TunnelAppendix J IPSec NAT Traversal Appendix M Multiple VLANs and Subnets Appendix O Firmware UpgradeAppendix P Battery Replacement Appendix Q SpecificationsIntroduction to the Router ChapterChapter Introduction IntroductionComputer using SSL VPN client software to VPN Router Back Panel Chapter Product OverviewProduct Overview Front PanelPhysical Installation Chapter InstallationInstallation Cable Connection Before You Begin Chapter Advanced ConfigurationAdvanced Configuration OverviewClick Security Select Use SSL 2.0 and Use SSL How to Access the Web-Based UtilitySystem Information System SummarySSL VPN Setting Status Network Setting StatusFirewall Setting Status IPSec VPN Setting StatusWAN Connection Type Setup Tab NetworkLAN Setting NetworkPPPoE Point-to-Point Protocol over Ethernet Static IPPptp Point-to-Point Tunneling Protocol Setup PasswordTime Setup TimeSetup DMZ Host PasswordPort Triggering Setup Tab ForwardingForwarding Port Range ForwardingUPnP Setup UPnPOne-to-One NAT Setup One-to-One NATSetup MAC Clone Advanced Routing Setup DdnsSetup Advanced Routing MAC CloneStatic Routing Dhcp SetupStatic IP SetupDynamic IP Multiple VLANs Dhcp StatusStatus Dhcp Multiple VLANsInter-VLAN Routing System Management DiagnosticDiagnostic Dhcp Inter-VLAN RoutingFirmware Download Factory DefaultFirmware Upgrade System Management RestartRestart Import Configuration FileExport Configuration File System Management Port MirroringPort Status Port Management Port SetupBasic Per Port Config Port Management Port StatusCreate Vlan Port Management Port SettingPort Setting Port Management Create VlanBandwidth Management QoS Bandwidth ManagementVlan Membership Priority Rate ControlTrust Mode Default CoS QoS QoS SetupQoS Setup QoS ModeCoS Settings QoS Queue SettingsQoS Dscp Settings Queue SettingsDscp to Queue Dscp SettingsFirewall General GeneralRestrict WEB Features Firewall Access RulesAccess Rules Services Add a New Access RuleIP/MAC Group Firewall Content FilterContent Filter SchedulingIP Address IPSec VPN SummaryForbidden Domains Website Blocking by KeywordsAdd a New Tunnel Local Group SetupIPSec VPN Gateway to Gateway SummaryRemote Security Gateway Type Remote Group SetupLocal Security Group Type Remote Security Group Type IKE with Preshared Key IPSec SetupAdvanced VPN Pass Through IPSec VPN VPN Pass ThroughSSL VPN Summary SSL VPN Certificate ManagementEdit Group Authentication TypeSSL VPN User Management User ManagementEdit User SSL VPN Virtual PassageGlobal Parameters Snmp Global ParametersVirtual Passage Group Profile Snmp ViewsSnmp Group Profile ViewsCommunities Snmp Group MembershipSnmp Communities Group MembershipNotification Recipient Snmp Notification RecipientSystem Log Log System LogGeneral Log Log SettingLog System Statistics Alert LogWizard Basic SetupPPPoE Obtain an IP automaticallyAccess Rule Setup Select the Service Linksys Web Site SupportLogout ManualLogout Appendix a Appendix a TroubleshootingTroubleshooting Before You Begin Windows OS Appendix BAppendix B Virtual Passage SSL VPN Client Click Trusted sites Make the SSL VPN Portal a Trusted Site Windows OSLogin for the SSL VPN Portal Windows OS Installation of the Virtual Passage Client Windows OSClick Continue Anyway When you right-click the icon, you have three optionsWindows Vista Usage Installation of the Virtual Passage Client Mac OSLogin for the SSL VPN Portal Mac OS Click Continue Removal of the Virtual Passage Client Mac OSBefore You Begin Linux OS Installation of the Virtual Passage Client Linux OSLogin for the SSL VPN Portal Linux OS Removal of the Virtual Passage Client Linux OS Bandwidth Management Creation of New ServicesAppendix C Appendix C Bandwidth ManagementCreation of New Bandwidth Management Rules Click Save SettingsActive Directory Server Appendix DAppendix D Active Directory Server Select Domain in a new forest, and then click Next Enter a domain name, and then click Next Active Directory Server Troubleshooting Appendix E User for the Active Directory Server Appendix EUser for the Active Directory Server Appendix F Appendix F Internet Authentication Service IAS ServerInternet Authentication Service IAS Server Select Unencrypted authentication. Click Apply Click Finish Welcome to the New Connection Request Policy Wizard Click Edit Profile Click the User Management tab Appendix GLAN-to-LAN Connection Select HTTPSTCP/443~443 from the Service drop- down menuAppendix H Appendix H Deployment in an Existing NetworkWAN-to-LAN Connection Click the Gateway to Gateway tab Configuration of the RVL200Appendix Appendix Gateway-to-Gateway VPN TunnelConfiguration of PC 1 and PC Configuration of the RV082RV082 RVL200 Dynamic IP B.B.B.B with Configuration when Both Gateways Use Dynamic IP Addresses Appendix Appendix J IPSec NAT Traversal Configuration of ScenarioConfiguration of Router a Appendix JIPSec NAT Traversal Configuration of Router BOne-to-One NAT Rule on NAT 1 RV042 One-to-One NAT Rule on NAT 2 RV042Configuration of Router a Appendix K Configuration of MultipleRVL200-to-RV042 Configuration Appendix KClick the Advanced Routing tab RV042 #1 ConfigurationClick Save Setting RV042 #2 Configuration Click the Port Management tab RVL200-to-SRW2048 ConfigurationAppendix L Appendix L Multiple VLANs with ComputersClick Save Settings Click the Vlan Membership tab SRW2048 ConfigurationSelect Enable Vlan Multiple VLANs RVL200 ConfigurationAppendix M Appendix MClick the Inter-VLAN Routing tab Inter-VLAN Routing OptionOver a SSL VPN Tunnel Access of Multiple VLANsAppendix N Appendix NAppendix O Appendix O Firmware UpgradeFirmware Upgrade Click the Firmware Upgrade tab Upgrade the FirmwareAppendix P Appendix P Battery ReplacementBattery Replacement Replace the Lithium BatteryAppendix Q Appendix Q SpecificationsSpecifications Appendix R Warranty InformationLimited Warranty Regulatory Information Appendix SDansk Danish Miljøinformation for kunder i EU Port SSL/IPSec VPN Router 106 Norsk Norwegian Miljøinformasjon for kunder i EU Port SSL/IPSec VPN Router 108 Contact Information Appendix T
Top Page Image Contents