Cisco Systems RV325K9NA, RV320K9NA manual IPSec Setup

Models: RV320K9NA RV325K9NA


VPN

Gateway to Gateway
Local Security Group Type—LAN resources that can use this tunnel. The Local Security Group is for this router’s LAN resources; the Remote Security Group is for the other router’s LAN resources.

- IP Address—Specify one device that can use this tunnel. Enter the IP Address of the device.

- Subnet—Allow all devices on a subnet to use the VPN tunnel. Enter the subnetwork IP Address and Subnet Mask.

- IP Range—A range of devices that can use the VPN tunnel. Enter the first IP address in Begin IP and the end IP address in End IP.

IPSec Setup

For encryption to be successful, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. Enter exactly the same settings on both routers.

Enter the settings for Phase 1 and Phase 2. Phase 1 establishes the preshared keys to create a secure authenticated communication channel. In Phase 2, the IKE peers use the secure channel to negotiate Security Associations on behalf of other services such as IPsec. Be sure to enter the same settings when configuring the other router for this tunnel.

Phase 1 / Phase 2 DH Group—DH (Diffie-Hellman) is a key exchange protocol. There are three groups of different prime key lengths: Group 1 - 768 bits, Group 2 - 1,024 bits, and Group 5 - 1,536 bits. For faster speed and lower security, choose Group 1. For slower speed and higher security, choose Group 5. Group 1 is selected by default.

Phase 1 / Phase 2 Encryption—Method of encryption for this phase: DES, 3DES, AES-128, AES-192, or AES-256. The method determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is more secure.

Phase 1 / Phase 2 Authentication—Method of authentication for this phase: MD5 or SHA1. The authentication method determines how the ESP (Encapsulating Security Payload Protocol) header packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure that both ends of the VPN tunnel use the same authentication method.

Phase 1 / Phase 2 SA Life Time—Length of time a VPN tunnel is active in this phase. The default value for Phase 1 is 28800 seconds. The default value for Phase 2 is 3600 seconds.
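The requirement that both routers carry exactly the same Phase 1 and Phase 2 settings can be checked offline before the tunnel is brought up. The Python audit below is an added example, not part of the Cisco guide: it compares the values entered on two routers, flags any setting that is not the strongest option this page lists, and checks the security groups. The dictionary layout, function names and sample addresses are constructed for illustration, and the rule that each router's Local Security Group must equal the peer's Remote Security Group is an assumption of the example.

```python
import ipaddress
# Page's option order; aiming for the last entry is this example's assumption.
RANK = {"dh_group": ["Group 1", "Group 2", "Group 5"],
        "encryption": ["DES", "3DES", "AES-128", "AES-192", "AES-256"],
        "authentication": ["MD5", "SHA1"]}

def phase(dh, enc, auth, life):
    return {"dh_group": dh, "encryption": enc, "authentication": auth, "sa_lifetime": life}

def networks(group):
    """Normalise an IP Address, Subnet or IP Range security group to CIDR blocks."""
    if group["type"] == "ip":
        return [ipaddress.ip_network(group["address"])]
    if group["type"] == "subnet":
        return [ipaddress.ip_network(f"{group['address']}/{group['mask']}", strict=False)]
    if group["type"] == "range":
        first, last = (ipaddress.ip_address(group[k]) for k in ("begin", "end"))
        return list(ipaddress.summarize_address_range(first, last))
    raise ValueError(f"unknown security group type: {group['type']}")

def audit_tunnel(a, b):
    """Return findings for one tunnel as entered on routers a and b."""
    findings = []
    for ph in ("phase1", "phase2"):
        for key in (*RANK, "sa_lifetime"):
            if a[ph][key] != b[ph][key]:
                findings.append(f"MISMATCH {ph}.{key}: {a[ph][key]} vs {b[ph][key]}")
        for cfg in (a, b):
            for key, order in RANK.items():
                if cfg[ph][key] != order[-1]:
                    findings.append(f"WEAK {cfg['name']}.{ph}.{key}: {cfg[ph][key]}")
    # Assumed rule: each router's Local group equals the peer's Remote group.
    for mine, peer in ((a, b), (b, a)):
        if networks(mine["local"]) != networks(peer["remote"]):
            findings.append(f"GROUP {mine['name']}.local != {peer['name']}.remote")
    return findings

# Constructed sample: router B kept the default DH group and uses MD5 in Phase 2.
A = {"name": "A", "phase1": phase("Group 5", "AES-256", "SHA1", 28800),
     "phase2": phase("Group 5", "AES-256", "SHA1", 3600),
     "local": {"type": "subnet", "address": "192.168.1.0", "mask": "255.255.255.0"},
     "remote": {"type": "range", "begin": "192.168.2.0", "end": "192.168.2.255"}}
B = {"name": "B", "phase1": phase("Group 1", "AES-256", "SHA1", 28800),
     "phase2": phase("Group 5", "AES-256", "MD5", 3600),
     "local": {"type": "subnet", "address": "192.168.2.0", "mask": "255.255.255.0"},
     "remote": {"type": "ip", "address": "192.168.1.10"}}

if __name__ == "__main__":
    print("\n".join(audit_tunnel(A, B)))
```

A MISMATCH finding means the two ends were not given the same value for that setting; a GROUP finding means the address selectors on the two ends do not describe the same LAN resources.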

Cisco Small Business RV320/RV325 Administration Guide
