Cisco Systems RV042RF manual Keying Mode Manual


Chapter 4

Advanced Configuration

a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Phase 1 SA Life Time  Configure the length of time a VPN tunnel is active in Phase 1. The default value is 28800 seconds.

Perfect Forward Secrecy  If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation generates fresh key material for IP traffic encryption and authentication, so an attacker who breaks one encryption key by brute force cannot use it to obtain future IPSec keys.

Phase 2 DH Group  If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1).

Three groups with different prime modulus lengths are available: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You do not have to use the same DH Group that you used for Phase 1.

Phase 2 Encryption  Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. Select a method of encryption: NULL, DES (56-bit), 3DES (168-bit), AES-128 (128-bit), AES-192 (192-bit), or AES-256 (256-bit). The method determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is the most secure. Both ends of the VPN tunnel must use the same Phase 2 Encryption setting.

Phase 2 Authentication  Select a method of authentication, NULL, MD5, or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Both ends of the VPN tunnel must use the same Phase 2 Authentication setting.

Phase 2 SA Life Time  Configure the length of time a VPN tunnel is active in Phase 2. The default is 3600 seconds.

Preshared Key  This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of 30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.

Manual

If you select Manual, you generate the key yourself, and no key negotiation is needed. Manual key management is used in small static environments or for troubleshooting purposes.

Keying Mode > Manual

Incoming and Outgoing SPI (Security Parameter Index)  The SPI is carried in the ESP (Encapsulating Security Payload) header and enables the receiver and sender to select the SA under which a packet should be processed. Hexadecimal values are accepted, and the valid range is 100~ffffffff. Each tunnel must have a unique Incoming SPI and Outgoing SPI; no two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.

Encryption  Select a method of encryption, DES or 3DES. This determines the length of the key used to encrypt or decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.

Authentication  Select a method of authentication, MD5 or SHA1. The Authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Encryption Key  This field specifies a key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal values. If DES is selected, the Encryption Key is 16-bit, which requires 16 hexadecimal values; if 3DES is selected, the Encryption Key is 48-bit, which requires 40 hexadecimal values. In either case, if you do not enter enough hexadecimal values, the rest of the Encryption Key is automatically filled with zeroes to reach the required length. Make sure both ends of the VPN tunnel use the same Encryption Key.

Authentication Key  This field specifies a key used to authenticate IP traffic. Enter a key of hexadecimal values.
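As an added example (not part of the manual or of Linksys/Cisco software), the following Python checker applies the Manual keying rules described above to the two ends of one tunnel: the SPI range and mirroring requirement, zero-padding of the Encryption Key to the hex lengths the manual states, matching algorithms and keys at both ends, and the weak choices (DES, MD5) the manual advises against. The tunnel dictionaries, their field names and the sample key values are constructed for illustration.

```python
"""Checker for the RV042 Keying Mode > Manual rules on this page. Added example,
not Linksys/Cisco code; tunnel dicts and field names are constructed."""

# Hex digits each Encryption Key requires, as the manual states them.
KEY_HEX_LEN = {"DES": 16, "3DES": 40}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF

def pad_key(hexkey: str, algo: str) -> str:
    """Right-pad a hex key with zeros, as the router does for short input."""
    want = KEY_HEX_LEN[algo]
    if len(hexkey) > want or any(c not in "0123456789abcdefABCDEF" for c in hexkey):
        raise ValueError(f"invalid {algo} key: {hexkey!r}")
    return hexkey.lower().ljust(want, "0")

def check_manual_pair(a: dict, b: dict) -> list:
    """Return findings for the two ends (a, b) of one manual-keyed tunnel."""
    findings = []
    for name, end in (("A", a), ("B", b)):
        for field in ("in_spi", "out_spi"):
            spi = int(end[field], 16)  # non-hex input raises ValueError
            if not SPI_MIN <= spi <= SPI_MAX:
                findings.append(f"{name}: {field} {end[field]!r} outside 100~ffffffff")
        # Weak choices the manual advises against.
        if end["encryption"] == "DES":
            findings.append(f"{name}: DES (56-bit) selected; 3DES is recommended")
        if end["authentication"] == "MD5":
            findings.append(f"{name}: MD5 selected; SHA1 is recommended")
    # A's Incoming SPI must equal B's Outgoing SPI, and vice versa.
    if (a["in_spi"].lower() != b["out_spi"].lower()
            or a["out_spi"].lower() != b["in_spi"].lower()):
        findings.append("SPIs are not mirrored between the two ends")
    for field in ("encryption", "authentication"):
        if a[field] != b[field]:
            findings.append(f"{field} differs: {a[field]} vs {b[field]}")
    # Compare keys only after zero-padding, which is the value the router uses.
    if a["encryption"] == b["encryption"]:
        if pad_key(a["enc_key"], a["encryption"]) != pad_key(b["enc_key"], b["encryption"]):
            findings.append("Encryption Key differs after zero-padding")
    if a["auth_key"].lower() != b["auth_key"].lower():
        findings.append("Authentication Key differs")
    return findings

# Constructed sample: end B mirrors end A's SPIs, and B typed a shorter
# Encryption Key that the router zero-pads to the same 40 hex digits as A's.
END_A = {"in_spi": "1001", "out_spi": "1002", "encryption": "3DES", "authentication": "SHA1",
         "enc_key": "abcdef0123456789abcdef0123456789abcd0000",
         "auth_key": "00112233445566778899aabbccddeeff00112233"}
END_B = dict(END_A, in_spi="1002", out_spi="1001",
             enc_key="abcdef0123456789abcdef0123456789abcd")
```

Running `check_manual_pair(END_A, END_B)` returns an empty list; swapping one end's Outgoing SPI or algorithm produces a finding for each rule broken.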

10/100 4-Port VPN Router

39
