Cisco Systems RV042RF manual Keying Mode Manual Tunnel Only


Chapter 4

Advanced Configuration

shared keys. Three Diffie-Hellman groups are offered, differing in the size of the prime modulus: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. A larger modulus makes the negotiation slower but gives stronger protection to the keys derived from it. Select Group 1 only if negotiation speed matters more than security; select Group 5 if security is preferred. Both ends of the tunnel must use the same Phase 1 DH Group, or the IKE negotiation will fail.

Phase 1 Encryption  Select a method of encryption: DES (56-bit), 3DES (168-bit), AES-128 (128-bit), AES-192 (192-bit), or AES-256 (256-bit). This is the cipher that protects the IKE Phase 1 negotiation itself; the value in parentheses is its key length. AES-256 is recommended because it is the most secure, and DES should be avoided because its 56-bit key can be recovered by brute force. Make sure both ends of the VPN tunnel use the same encryption method.

Phase 1 Authentication  Select a method of authentication, MD5 or SHA. This hash algorithm is used (as an HMAC) to verify the integrity of the IKE Phase 1 messages. MD5 is a one-way hashing algorithm that produces a 128-bit digest; SHA (SHA-1) produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Phase 1 SA Life Time  Configure how long the Phase 1 (IKE) security association remains valid before it is renegotiated. The default value is 28800 seconds (8 hours).

Perfect Forward Secrecy  If Perfect Forward Secrecy (PFS) is enabled, every IKE Phase 2 negotiation performs a fresh Diffie-Hellman exchange and derives new key material for IPSec encryption and authentication, instead of deriving it from the Phase 1 keys. An attacker who recovers one key, whether by brute force or by compromising the Phase 1 secret, therefore cannot derive the keys of earlier or later IPSec SAs.

Phase 2 DH Group  If Perfect Forward Secrecy is disabled, no Diffie-Hellman exchange takes place in Phase 2 and this setting is ignored; the Phase 2 keys are derived from the Phase 1 key material.

The same three groups are offered: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. Select Group 1 if negotiation speed is preferred, Group 5 if security is preferred. The Phase 2 DH Group does not have to be the same as the Phase 1 DH Group, but when PFS is enabled both ends of the tunnel must use the same Phase 2 DH Group.

Phase 2 Encryption  Phase 2 creates one or more IPSec SAs, which carry the tunnel traffic. Select a method of encryption: NULL, DES (56-bit), 3DES (168-bit), AES-128 (128-bit), AES-192 (192-bit), or AES-256 (256-bit). This determines the cipher and key length used to encrypt and decrypt ESP packets. NULL applies no encryption at all, so the payload crosses the network in clear text and ESP provides only integrity; DES is breakable by brute force. AES-256 is recommended because it is the most secure. Both ends of the VPN tunnel must use the same Phase 2 Encryption setting.

Phase 2 Authentication  Select a method of authentication: NULL, MD5, or SHA. The authentication method determines how ESP packets are integrity-checked. MD5 is a one-way hashing algorithm that produces a 128-bit digest; SHA produces a 160-bit digest. NULL disables the integrity check entirely, so the receiver cannot detect modified or forged packets; never combine it with NULL encryption, and avoid it in production. SHA is recommended because it is more secure. Both ends of the VPN tunnel must use the same Phase 2 Authentication setting.

Phase 2 SA Life Time  Configure how long each Phase 2 (IPSec) SA remains valid before it is rekeyed. The default is 3600 seconds (1 hour).

Preshared Key  This is the pre-shared key used to authenticate the remote IKE peer. Enter it either as keyboard characters or as the hexadecimal value of those characters; My_@123 and 4d795f40313233 are the same key. The field holds a maximum of 30 characters. Both ends of the VPN tunnel must use the same Preshared Key. Anyone who can guess the key can authenticate as the peer, so use a long random key rather than a word, and change it periodically to maximize VPN security.
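Before bringing a tunnel up it helps to lay the two gateways' IKE settings side by side, because the UI only tells you that the negotiation failed, not which field differs. The script below is an added example written for this page, not RV042 firmware or Cisco code. It encodes the rules stated above (everything must match except the Phase 2 DH Group, which only matters when PFS is on), flags the weaker choices the manual steers away from (Group 1, DES, MD5, NULL), and shows that the keyboard and hexadecimal forms of the Preshared Key are the same secret. The two proposals at the bottom are constructed sample inputs; the IkeProposal field names are the example's own.

```python
"""Cross-check the IKE with Preshared Key settings of two gateways.
Added example, not Cisco code. Field names in IkeProposal are this
example's own; the option values are the ones listed in the manual."""

from dataclasses import dataclass

DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}          # MODP modulus size per DH group
PHASE1_ENC = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}
PHASE2_ENC = PHASE1_ENC | {"NULL"}                   # Phase 2 additionally offers NULL
PHASE1_AUTH = {"MD5", "SHA"}
PHASE2_AUTH = PHASE1_AUTH | {"NULL"}
PSK_MAX_CHARS = 30                                   # field limit stated in the manual


@dataclass
class IkeProposal:
    p1_dh_group: int
    p1_encryption: str
    p1_authentication: str
    p1_lifetime: int          # seconds, default 28800
    pfs: bool
    p2_dh_group: int          # only used when pfs is True
    p2_encryption: str
    p2_authentication: str
    p2_lifetime: int          # seconds, default 3600
    preshared_key: str


def psk_to_hex(psk: str) -> str:
    """The UI accepts the key as characters or as their hex bytes;
    My_@123 and 4d795f40313233 are the same secret."""
    return psk.encode("ascii").hex()


def audit_proposal(p: IkeProposal, side: str) -> list[str]:
    """Flag settings that are invalid for the phase, or weaker than the
    manual's recommendation (AES-256, SHA, Group 5)."""
    out = []
    groups = [("Phase 1", p.p1_dh_group)]
    if p.pfs:                         # Phase 2 DH Group is ignored when PFS is off
        groups.append(("Phase 2", p.p2_dh_group))
    for phase, g in groups:
        if g not in DH_GROUP_BITS:
            out.append(f"INVALID [{side}]: {phase} DH Group {g} is not offered")
        elif DH_GROUP_BITS[g] < 1024:
            out.append(f"WEAK [{side}]: {phase} DH Group {g} is a 768-bit modulus")
    for phase, enc, allowed in (("Phase 1", p.p1_encryption, PHASE1_ENC),
                                ("Phase 2", p.p2_encryption, PHASE2_ENC)):
        if enc not in allowed:
            out.append(f"INVALID [{side}]: {phase} Encryption {enc} is not offered")
        elif enc == "NULL":
            out.append(f"INSECURE [{side}]: {phase} NULL encryption sends payloads in clear text")
        elif enc == "DES":
            out.append(f"WEAK [{side}]: {phase} DES has a 56-bit key")
    for phase, auth, allowed in (("Phase 1", p.p1_authentication, PHASE1_AUTH),
                                 ("Phase 2", p.p2_authentication, PHASE2_AUTH)):
        if auth not in allowed:
            out.append(f"INVALID [{side}]: {phase} Authentication {auth} is not offered")
        elif auth == "NULL":
            out.append(f"INSECURE [{side}]: {phase} NULL authentication leaves ESP packets unverified")
        elif auth == "MD5":
            out.append(f"WEAK [{side}]: {phase} MD5 digest; SHA is recommended")
    if not p.preshared_key or len(p.preshared_key) > PSK_MAX_CHARS:
        out.append(f"INVALID [{side}]: Preshared Key must be 1-{PSK_MAX_CHARS} characters")
    return out


def check_pair(local: IkeProposal, remote: IkeProposal) -> list[str]:
    """Fields in must_match have to be identical at both ends; the Phase 2
    DH Group only has to match when PFS is enabled on both."""
    must_match = ["p1_dh_group", "p1_encryption", "p1_authentication",
                  "pfs", "p2_encryption", "p2_authentication", "preshared_key"]
    findings = []
    for name in must_match:
        a, b = getattr(local, name), getattr(remote, name)
        if a != b:
            if name == "preshared_key":            # never print secrets in reports
                a, b = "<hidden>", "<hidden>"
            findings.append(f"MISMATCH: {name} local={a} remote={b}")
    if local.pfs and remote.pfs and local.p2_dh_group != remote.p2_dh_group:
        findings.append(f"MISMATCH: p2_dh_group local={local.p2_dh_group} remote={remote.p2_dh_group}")
    findings += audit_proposal(local, "local") + audit_proposal(remote, "remote")
    return findings


if __name__ == "__main__":
    # constructed sample: both sites configured with the recommended settings
    site_a = IkeProposal(5, "AES-256", "SHA", 28800, True, 5, "AES-256", "SHA", 3600, "My_@123")
    site_b = IkeProposal(5, "AES-256", "SHA", 28800, True, 5, "AES-256", "SHA", 3600, "My_@123")
    print(check_pair(site_a, site_b))   # []
    print(psk_to_hex("My_@123"))        # 4d795f40313233
```

Run it with each gateway's settings filled in and fix every MISMATCH line first; the WEAK and INSECURE lines are the settings this page recommends against. Lifetimes are deliberately not compared, since the peers negotiate those.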

Manual

If you select Manual, you generate the keys yourself and enter the same values on both gateways; no IKE negotiation takes place. Manual key management is used in small static environments or for troubleshooting. Because the keys never change unless you change them, there is no forward secrecy, so rotate them by hand and keep the key strings as confidential as a password.

Keying Mode > Manual (Tunnel Only)

Incoming and Outgoing SPI (Security Parameter Index)  The SPI is carried in the ESP (Encapsulating Security Payload) header and lets the receiver select the SA under which a packet should be processed. Enter the value in hexadecimal; the valid range is 100 to ffffffff. Each tunnel must have its own Incoming SPI and Outgoing SPI, and no two tunnels may share an SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.

Encryption  Select a method of encryption, DES or 3DES. This determines the length of the key used to encrypt or decrypt ESP packets: DES uses a 56-bit key and 3DES a 168-bit key. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.

Authentication  Select a method of authentication, MD5 or SHA1. The authentication method determines how ESP packets are integrity-checked. MD5 is a one-way hashing algorithm that produces a 128-bit digest; SHA1 produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Encryption Key  This field specifies the key used to encrypt and decrypt IP traffic. Enter the key as hexadecimal digits; its length is fixed by the encryption method selected above.
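Manual keying has no negotiation to tell you when something is wrong: a mistyped SPI or a key of the wrong length simply results in packets being dropped. The script below is an added example written for this page, not Cisco code. It validates a manually keyed tunnel as described above (SPIs in the range 100 to ffffffff, unique per gateway and mirrored across the link, the same DES/3DES and MD5/SHA1 choice and keys at both ends) and generates fresh random keys of the right size. The key lengths are the standard sizes for those algorithms and the Authentication Key field is assumed to exist alongside Encryption Key; neither is stated on this manual page. The tunnel objects at the bottom are constructed sample inputs.

```python
"""Validate and generate keys for a manually keyed ESP tunnel pair.
Added example, not Cisco code. Key sizes are the standard algorithm
sizes; the authentication_key field is assumed, not from this page."""

import secrets
from dataclasses import dataclass

SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF            # valid range given in the manual
ENC_KEY_HEX_LEN = {"DES": 16, "3DES": 48}       # 8-byte and 24-byte keys, parity bits included
AUTH_KEY_HEX_LEN = {"MD5": 32, "SHA1": 40}      # 16-byte and 20-byte HMAC keys (assumed)


@dataclass
class ManualTunnel:
    name: str
    incoming_spi: str        # hex, as typed into the UI
    outgoing_spi: str
    encryption: str          # DES or 3DES
    authentication: str      # MD5 or SHA1
    encryption_key: str      # hex
    authentication_key: str  # hex; assumed field, not shown on this manual page


def parse_spi(text: str):
    """SPI as an int, or None if the text is not hex or is outside 100..ffffffff."""
    try:
        value = int(text, 16)
    except ValueError:
        return None
    return value if SPI_MIN <= value <= SPI_MAX else None


def _is_hex(s: str) -> bool:
    return len(s) > 0 and len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def audit_tunnel(t: ManualTunnel) -> list[str]:
    """Checks possible on one end alone: SPI range, algorithm names, key sizes."""
    out = []
    for label, spi in (("Incoming", t.incoming_spi), ("Outgoing", t.outgoing_spi)):
        if parse_spi(spi) is None:
            out.append(f"{t.name}: {label} SPI {spi!r} must be hex in the range 100..ffffffff")
    if t.encryption not in ENC_KEY_HEX_LEN:
        out.append(f"{t.name}: Encryption must be DES or 3DES, not {t.encryption!r}")
    else:
        want, key = ENC_KEY_HEX_LEN[t.encryption], t.encryption_key.lower()
        if not _is_hex(key) or len(key) != want:
            out.append(f"{t.name}: {t.encryption} Encryption Key must be {want} hex digits")
        elif t.encryption == "3DES":
            k1, k2, k3 = key[0:16], key[16:32], key[32:48]
            if k1 == k2 or k2 == k3:   # EDE with K1=K2 or K2=K3 collapses to single DES
                out.append(f"{t.name}: 3DES key with repeated 8-byte parts degrades to single DES")
        if t.encryption == "DES":
            out.append(f"{t.name}: DES uses a 56-bit key; 3DES is recommended")
    if t.authentication not in AUTH_KEY_HEX_LEN:
        out.append(f"{t.name}: Authentication must be MD5 or SHA1, not {t.authentication!r}")
    else:
        want = AUTH_KEY_HEX_LEN[t.authentication]
        if not _is_hex(t.authentication_key) or len(t.authentication_key) != want:
            out.append(f"{t.name}: {t.authentication} Authentication Key must be {want} hex digits")
    return out


def check_pair(local: ManualTunnel, remote: ManualTunnel) -> list[str]:
    """Incoming SPI here must equal Outgoing SPI there (and vice versa);
    algorithms and keys must be identical at both ends."""
    out = audit_tunnel(local) + audit_tunnel(remote)
    li, lo = parse_spi(local.incoming_spi), parse_spi(local.outgoing_spi)
    ri, ro = parse_spi(remote.incoming_spi), parse_spi(remote.outgoing_spi)
    if None not in (li, ro) and li != ro:
        out.append(f"local Incoming SPI {li:x} does not match remote Outgoing SPI {ro:x}")
    if None not in (lo, ri) and lo != ri:
        out.append(f"local Outgoing SPI {lo:x} does not match remote Incoming SPI {ri:x}")
    for field in ("encryption", "authentication"):
        if getattr(local, field) != getattr(remote, field):
            out.append(f"{field} differs between the two ends")
    for field in ("encryption_key", "authentication_key"):
        if getattr(local, field).lower() != getattr(remote, field).lower():
            out.append(f"{field} differs between the two ends")
    return out


def check_gateway(tunnels: list[ManualTunnel]) -> list[str]:
    """No two tunnels on one gateway may share an SPI value."""
    out, seen = [], {}
    for t in tunnels:
        out += audit_tunnel(t)
        own = {v for v in (parse_spi(t.incoming_spi), parse_spi(t.outgoing_spi)) if v is not None}
        for v in sorted(own):
            if v in seen:
                out.append(f"{t.name}: SPI {v:x} already used by {seen[v]}")
            else:
                seen[v] = t.name
    return out


def generate_keys(encryption: str, authentication: str) -> tuple[str, str]:
    """Fresh random keys of the right size from the OS CSPRNG. DES parity
    bits are left random; adjust them if your implementation checks parity."""
    return (secrets.token_hex(ENC_KEY_HEX_LEN[encryption] // 2),
            secrets.token_hex(AUTH_KEY_HEX_LEN[authentication] // 2))


if __name__ == "__main__":
    ek, ak = generate_keys("3DES", "SHA1")          # enter these on both gateways
    site_a = ManualTunnel("siteA", "1001", "1002", "3DES", "SHA1", ek, ak)
    site_b = ManualTunnel("siteB", "1002", "1001", "3DES", "SHA1", ek, ak)
    print(check_pair(site_a, site_b))               # []
```

The 3DES check is worth keeping: a key whose first and second (or second and third) 8-byte parts are equal makes the encrypt-decrypt-encrypt construction collapse to single DES, which is exactly the 56-bit cipher the manual recommends against.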

10/100 4-Port VPN Router

45
