51
Chapter 5: Setting Up and Configuring the Router
VPN Tab - Client to Gateway
10/100/1000 4-Port VPN Router
Phase 2 DH Group: There are three groups of different prime key lengths. Group1 is 768 bits, Group2 is 1,024
bits and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred,
select Group 5. You can choose the different Group with the Phase 1 DH Group you chose. If Perfect Forward
Secrecy is disabled, there is no need to setup the Phase 2 DH Group since no new key generated, and the key of
Phase 2 will be the same with the key in Phase 1.
Phase 2 Encryption: Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec
sessions. There are two methods of encryption, DES and 3DES. The Encryption method determines the length of
the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. Both sides
must use the same Encryption method. If users enable the AH Hash Algorithm in Advanced, then it is
recommended to select Null to disable encrypting/decrypting ESP packets in Phase 2, but both sides of the
tunnel must use the same setting.
Phase 2 Authentication: There are two methods of authentication, MD5 and SHA. The Authentication method
determines a method to authenticate the ESP packets. Both sides must use the same Authentication method.
MD5 is a one-way hashing algorithm that produces a 128-bit digest. If users enable the AH Hash Algorithm in
Advanced, then it is recommended to select Null to disable authenticating ESP packets in Phase 2, but both sides
of the tunnel must use the same setting.
Phase 2 SA Life Time: This field allows you to configure the length of time a VPN tunnel is active. The default
value is 3,600 seconds.
Preshared Key: Character and hexadecimal values are acceptable in this field, e.g. “My_@123” or
“4d795f40313233.” The max entry of this field is 30-digit. Both sides must use the same Pre-shared Key. It’s
recommended to change Preshared keys regularly to maximize VPN security.
Click the Save Settings button to save the settings or click the Cancel Changes button to undo the changes.
Advanced For most users, the settings on the VPN page should be satisfactory. This device provides an advanced IPSec
setting page for some special users such as reviewers. Click the Advanced button to link you to that page.
Advanced settings are only for IKE with Preshared Key mode of IPSec.
Aggressive Mode: There are two types of Phase 1 exchanges: Main mode and Aggressive mode.
Aggressive Mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If
network security is preferred, select Main mode. If network speed is preferred, select Aggressive mode. When
Group VPN is enabled, it will be limited as Aggressive Mode. If you select Dynamic IP in Remote Client Type in
tunnel mode, it will also be limited as Aggressive Mode.
Figure 5-47: VPN tab - Client to Gateway Advanced