The preferred way to do this is with automatic keying using the Internet Key Exchange Protocol (IKE). This requires that your ISP or firewall allows traffic for TCP port 500. Check with your ISP or network administrator if you are not sure if traffic for TCP port 500 is allowed.
If IKE is impossible for some reason, you can set up the router’s keys for each tunnel manually. This is described in more detail be- low (see section 4.4).
The other parameters on the VPN Settings page control how the VPN tunnel is set up. If you are creating the Secure Association (SA) using the IKE Mode (the default mode), complete the fields described in the following sections.
4.3.1 Perfect Forward Secure
This is an optional feature of IKE. When enabled (the default set- ting), this feature may impose some additional overhead on the router, but can offer added protection against an eavesdropper be- ing able to decode the encrypted data. Either setting is acceptable, but both ends of the tunnel must match settings. Click the respec- tive radio button to enable or disable this feature.
4.3.2 Encryption Protocol
The router is able to use two encryption protocols: choose NULL (no encryption), DES, or Triple DES (3DES). The same protocol must be chosen (must match) that provided by the remote device. Unless you have a need for one of the others, you should select 3DES.
46 | FriendlyNET VPN Security Router |