3.8.3 IPSec General Setup

In IPSec General Setup, there are two major parts of configuration: IKE Authentication Method and IPSec Security Method.

There are two phases of IKE negotiation in IPSec.

Phase 1: negotiation of the IKE parameters (encryption algorithm, hash algorithm, Diffie-Hellman group and lifetime) that protect the subsequent IKE exchange, and authentication of both peers using either a Pre-Shared Key or a Digital Signature (X.509 certificate). The peer that starts the negotiation proposes all of its policies to the remote peer; the remote peer then looks for the highest-priority match among its own policies. The result is a protected channel in which IKE Phase 2 takes place.

Phase 2: negotiation of the IPSec security method, Authentication Header (AH) or Encapsulating Security Payload (ESP), and its algorithms for the data traffic that will pass through the tunnel, and mutual confirmation that the secure tunnel has been established.
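The Phase 1 proposal matching described above, as an added example in Python. This is not code from the Vigor2910 or from DrayTek; the policy lists, the algorithm names and the sets of weak algorithms are constructed for illustration. Beyond the page's description, it also shows why a low-priority legacy entry in the responder's list matters: a peer that offers nothing else drives the negotiation down to it.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One Phase 1 policy: the four parameters the text says IKE negotiates."""
    encryption: str   # e.g. "AES-256" (naming is an assumption of this example)
    hash_alg: str     # integrity/PRF algorithm, e.g. "SHA-256"
    dh_group: int     # Diffie-Hellman (MODP) group number
    lifetime: int     # IKE SA lifetime in seconds


# Algorithms a practitioner should not keep in a policy list, even as a low-priority fallback.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA-1"}
WEAK_DH_GROUPS = {1, 2}   # 768-bit and 1024-bit MODP


def transform(p: Proposal) -> Tuple[str, str, int]:
    """The part of a proposal that must match exactly; lifetime is negotiated separately."""
    return (p.encryption, p.hash_alg, p.dh_group)


def select_proposal(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Responder's view of Phase 1: the initiator has sent all of its proposals; walk the
    responder's own list in priority order and take the first transform the initiator also
    offered. The agreed lifetime is the shorter of the two. None means no common policy."""
    offered = {transform(p): p for p in initiator}
    for policy in responder:
        match = offered.get(transform(policy))
        if match is not None:
            return Proposal(policy.encryption, policy.hash_alg, policy.dh_group,
                            min(policy.lifetime, match.lifetime))
    return None


def weak_entries(policies: List[Proposal]) -> List[Proposal]:
    """Lint a policy list: any entry returned here can be forced by a peer that offers
    nothing else, because the matching loop above falls through to it."""
    return [p for p in policies
            if p.encryption in WEAK_ENCRYPTION or p.hash_alg in WEAK_HASH
            or p.dh_group in WEAK_DH_GROUPS]


# Constructed policy lists for illustration; not taken from any real device.
RESPONDER = [
    Proposal("AES-256", "SHA-256", 14, 3600),
    Proposal("AES-128", "SHA-256", 14, 3600),
    Proposal("3DES", "SHA-1", 2, 3600),        # legacy fallback: the downgrade target
]
MODERN_INITIATOR = [Proposal("AES-256", "SHA-256", 14, 28800),
                    Proposal("3DES", "SHA-1", 2, 28800)]
LEGACY_INITIATOR = [Proposal("3DES", "SHA-1", 2, 28800)]

if __name__ == "__main__":
    print("modern peer  ->", select_proposal(MODERN_INITIATOR, RESPONDER))
    print("legacy peer  ->", select_proposal(LEGACY_INITIATOR, RESPONDER))
    print("weak entries ->", weak_entries(RESPONDER))
```

With the modern peer the responder's top entry wins and the shorter lifetime (3600 s) is used; with the legacy peer the same responder silently lands on 3DES/SHA-1/group 2. Removing the fallback makes that second negotiation fail instead, which is the outcome you want.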

There are two encapsulation methods used in IPSec, Transport and Tunnel. Transport mode inserts the AH/ESP header after the original IP header and protects only the data payload; it applies only to traffic that originates from and terminates at the IPSec peers themselves, e.g., L2TP over IPSec. Tunnel mode adds the AH/ESP header and a new outer IP header (the tunneled IP header) around the whole original IP packet, so it can carry traffic for other hosts on each side, which is what a LAN-to-LAN VPN needs.

Authentication Header (AH) provides data authentication and integrity for IP packets passed between VPN peers. A keyed one-way hash function (an HMAC, keyed with a secret shared by the two peers) is applied to the packet to create a message digest, which is placed in the AH and transmitted along with the packet. On the receiving side, the peer performs the same keyed hash over the packet it received and compares the result with the digest in the AH; a mismatch means the packet was modified in transit or was not produced by a holder of the key. AH does not encrypt anything, so the payload travels in clear text.

Encapsulating Security Payload (ESP) is a security protocol that provides data confidentiality (encryption) together with optional authentication and replay-detection services. In practice ESP with authentication enabled is the usual choice, since it provides both confidentiality and integrity; AH is appropriate only where the payload must remain readable and integrity alone is required.
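Added example in Python covering the two encapsulation modes and the AH keyed-hash check described above. It is not code from the Vigor2910 or from DrayTek. It builds a transport-mode and a tunnel-mode AH packet with a simplified IPv4 header, verifies them on the receiving side with HMAC-SHA-256-128 and a 64-packet anti-replay window, and shows three things the text implies: a TTL change in transit still verifies (AH hashes the mutable header fields as zero), a flipped payload bit or a replayed packet is rejected, and the payload stays readable because AH does not encrypt. The key, addresses, SPIs and payload are constructed, and the IP checksum is left at zero for brevity.

```python
from __future__ import annotations
import hashlib
import hmac
import struct
from typing import Dict, Tuple

KEY = bytes(range(32))              # constructed 256-bit integrity key shared by both peers
ICV_LEN = 16                        # HMAC-SHA-256-128: MAC truncated to 128 bits (RFC 4868)
PROTO_IPIP, PROTO_UDP, PROTO_AH = 4, 17, 51
IP_LEN, AH_FIXED = 20, 12           # IPv4 header; AH fixed part before the ICV


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero to keep the example short."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       addr(src), addr(dst))


def zero_mutable(ip_hdr: bytes) -> bytes:
    """AH covers the IP header, but TTL and checksum change in flight, so both ends hash them as zero."""
    h = bytearray(ip_hdr)
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """The keyed one-way hash: IP header (mutable fields zeroed) + AH with ICV zeroed + payload."""
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(src: str, dst: str, next_hdr: int, payload: bytes, spi: int, seq: int) -> bytes:
    ip_hdr = ipv4_header(src, dst, PROTO_AH, IP_LEN + AH_FIXED + ICV_LEN + len(payload))
    # next header, payload length (32-bit words minus 2), reserved, SPI, sequence number
    ah_fixed = struct.pack("!BBHII", next_hdr, (AH_FIXED + ICV_LEN) // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload


def transport_mode(src: str, dst: str, inner_proto: int, data: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: original IP header kept, AH inserted, only the payload follows."""
    return ah_protect(src, dst, inner_proto, data, spi, seq)


def tunnel_mode(gw_src: str, gw_dst: str, original_packet: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: a new outer IP header between the gateways carries the whole original packet."""
    return ah_protect(gw_src, gw_dst, PROTO_IPIP, original_packet, spi, seq)


class AhReceiver:
    """One inbound SA: checks the ICV, then enforces a 64-packet anti-replay window."""
    WINDOW = 64

    def __init__(self) -> None:
        self.highest = 0
        self.seen = 0       # bitmap; bit i set means sequence number (highest - i) was accepted

    def verify(self, pkt: bytes) -> Tuple[bool, bytes]:
        ip_hdr, ah_fixed = pkt[:IP_LEN], pkt[IP_LEN:IP_LEN + AH_FIXED]
        icv = pkt[IP_LEN + AH_FIXED:IP_LEN + AH_FIXED + ICV_LEN]
        payload = pkt[IP_LEN + AH_FIXED + ICV_LEN:]
        if not hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload)):
            return False, b""                       # modified in transit or wrong key
        seq = struct.unpack("!I", ah_fixed[8:12])[0]
        if seq > self.highest:                      # window slides forward
            self.seen = ((self.seen << (seq - self.highest)) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= self.WINDOW or (self.seen >> offset) & 1:
                return False, b""                   # too old, or a replay of an accepted packet
            self.seen |= 1 << offset
        return True, payload


def demo() -> Dict[str, bool]:
    """Constructed traffic: a host behind gateway A sends one UDP datagram to a host behind B."""
    data = b"hello over ipsec"                                        # constructed payload
    inner = ipv4_header("10.0.0.5", "10.0.1.9", PROTO_UDP, IP_LEN + len(data)) + data
    transport = transport_mode("10.0.0.5", "10.0.1.9", PROTO_UDP, data, spi=0x1000, seq=1)
    tunnel = tunnel_mode("203.0.113.1", "198.51.100.7", inner, spi=0x2000, seq=1)
    rx_transport, rx_tunnel = AhReceiver(), AhReceiver()              # one replay window per SA
    forwarded = transport[:8] + bytes([transport[8] - 1]) + transport[9:]  # a router decremented TTL
    tampered = transport[:-1] + bytes([transport[-1] ^ 0x01])         # one payload bit flipped
    return {
        "ttl_change_accepted": rx_transport.verify(forwarded)[0],
        "payload_readable": data in transport,                        # AH authenticates, never encrypts
        "tampered_rejected": not rx_transport.verify(tampered)[0],
        "replay_rejected": not rx_transport.verify(forwarded)[0],
        "tunnel_restores_inner": rx_tunnel.verify(tunnel) == (True, inner),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:24s} {result}")
```

The receiver checks the ICV before touching the replay window so that a forged sequence number cannot slide the window forward; the order of the two checks is the only design choice here that matters for denial of service. In tunnel mode the inner header (10.0.0.5 to 10.0.1.9) is inside the protected payload, but with AH it is still visible on the wire, which is the reason ESP is preferred when addresses or contents must stay private.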

IKE Authentication Method - This usually applies to remote dial-in users or nodes (LAN-to-LAN) that use a dynamic IP address, and to IPSec-related VPN connections such as L2TP over IPSec and IPSec tunnel.

Pre-Shared Key - Currently only Pre-Shared Key authentication is supported.

Pre-Shared Key - Specify a key for IKE authentication. Because this key is the only thing that authenticates the peer, use a long, randomly generated value rather than a word or phrase, and do not reuse it across unrelated peers.

Confirm Pre-Shared Key - Confirm the pre-shared key.

IPSec Security Method

Medium - Authentication Header (AH) means data will be authenticated, but not encrypted. By default, this option is

Vigor2910 Series User’s Guide

99


2910 specifications

The DrayTek 2910 is a versatile and robust router designed primarily for small to medium-sized businesses, offering a wide array of features that cater to various networking needs. With its advanced capabilities, it delivers superior performance and flexibility for organizations that demand reliable internet connectivity.

One of the defining characteristics of the DrayTek 2910 is its dual WAN capabilities. This allows users to connect two different internet service providers, ensuring that the network remains operational even if one connection fails. The router can automatically switch between the WANs, providing seamless failover and load balancing. This feature is essential for businesses that require constant uptime and reliability.

The DrayTek 2910 is equipped with multiple Ethernet ports, enabling it to support various devices and create a robust local area network (LAN). The router includes VLAN support, which allows for the segmentation of the network into different virtual networks, enhancing security and performance by isolating sensitive data traffic.

Another notable aspect of the DrayTek 2910 is its comprehensive security features. It includes a built-in firewall, which protects the network from external threats and unauthorized access. The router supports various protocols, including VPN (Virtual Private Network), allowing secure remote access to the network. This capability is particularly beneficial for businesses with remote workers or those needing secure connections for branch offices.

DrayTek has also integrated advanced Quality of Service (QoS) features in the 2910, which prioritize bandwidth allocation to critical applications, ensuring that essential services receive the needed resources. This is crucial for maintaining the performance of VoIP (Voice over Internet Protocol) calls and video conferencing tools, which are increasingly vital in today’s business environment.

In terms of management, the DrayTek 2910 offers easy configuration through a user-friendly web interface, allowing administrators to set up and monitor the network with minimal effort. The device also supports TR-069 for remote management, enabling service providers to configure and monitor the router without requiring an on-site visit.

Overall, the DrayTek 2910 stands out for its blend of reliability, security, and performance, making it an excellent choice for businesses looking to enhance their networking capabilities while ensuring a secure and efficient operation. With its rich set of features and technologies, the DrayTek 2910 continues to be a preferred router for many organizations worldwide.