Chapter 5 | Configuring the |
the VPN will terminate at the Router, instead of the PC; or Any, to allow any computer to access the tunnel. The screen will change depending on the selected option. The options are described below.
•Subnet Enter the IP Address and Mask of the remote VPN router in the fields provided. To allow access to the entire IP subnet, enter 0 for the last set of IP Addresses (e.g., 192.168.1.0).
•IP Addr. Enter the IP Address of the remote VPN router. The Mask will be displayed.
•Host The VPN tunnel will terminate at the router with this setting. Use Port Range Forwarding to direct traffic to the correct computer. Refer to the Firewall > Port Range Forwarding screen.
•Any Allows any computer to access the tunnel.
Remote Secure Gateway
The Remote Secure Gateway is the VPN device, such as a second VPN router, on the remote end of the VPN tunnel. Enter the IP Address of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN router, a VPN server, or a computer with VPN client software that supports IPSec. The IP address may either be static (permanent) or dynamic, depending on the settings of the remote VPN device.
If the IP Address is static, select IP Addr. and enter the IP address. Make sure that you have entered the IP address correctly, or the connection cannot be made. Remember, this is NOT the IP address of the local VPN Router; it is the IP address of the remote VPN router or device with which you wish to communicate. If the IP address is dynamic, select FQDN for DDNS or Any. If FQDN is selected, enter the domain name of the remote router, so the Router can locate a current IP address using DDNS. If Any is selected, then the Router will accept requests from any IP address.
Key Management
Key Exchange Method IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the
Operation Mode Use this option to set the operation mode to Main (default) or Aggressive. Main Mode operation is supported in ISAKMP SA establishment.
ISAKMP Encryption Method There are four different types of encryption: 3DES,
same type of encryption that is being used by the VPN device at the other end of the tunnel.
ISAKMP Authentication Method There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication.
ISAKMP DH Group This is for
ISAKMP Key Lifetime(s) This field specifies how long an ISAKMP key channel should be kept, before being renegotiated. The default is 28800 seconds.
PFS PFS (Perfect Forward Secrecy) ensures that the initial key exchange and IKE proposals are secure. To use PFS, click the Enabled radio button.
IPSec Encryption Method Using encryption also helps make your connection more secure. There are four different types of encryption: 3DES,
IPSec Authentication Method Authentication acts as another level of security. There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication. Or, both ends of the tunnel may choose to disable authentication.
IPSec DH Group This is the same as the ISAKMP DH Group setting.
IPSec Key Lifetime(s) In this field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you’d like the key to be used until a
Tunnel Options
Dead Peer Detection You can select Dead Peer Detection (DPD) to detect the status of a remote Peer.
23 |
