Manually assigned Keys, ESP Encryption | Planet Technology VRT-401

VPN

These settings must match the remote VPN. Note that you cannot use both AH and ESP.

Manually assigned Keys

AH Authentication AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. (AH is often NOT used)

If AH is not enabled, the following settings can be ignored.

Keys

∙ The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.

∙ Keys can be in ASCII or Hex (0..9 A..F)

∙ For MD5, the keys should be 32 hex/16 ASCII characters.

∙ For SHA-1, the keys should be 40 hex/20 ASCII charac- ters.

	SPI
	∙ Each SPI (Security Parameter Index) must be unique.
	∙ The "in" SPI here must match the "out" SPI on the remote
	VPN, and the "out" SPI here must match the "in" SPI on
	the remote VPN.
	∙ Each SPI should be at least 3 characters.

ESP Encryption	ESP (Encapsulating Security Payload) provides security for
	the payload (data) sent through the VPN tunnel. Generally,
	you will want to enable both Encryption and Authentication.
	∙ The "3DES" algorithm provides greater security than
	"DES", but is slower.
	∙ The "in" key here must match the "out" key on the remote
	VPN, and the "out" key here must match the "in" key on
	the remote VPN.
ESP Authentica-	Generally, you should enable ESP Authentication. There is
tion	little difference between the available algorithms. Just ensure
	each endpoint use the same setting.
	∙ The "in" key here must match the "out" key on the remote
	VPN, and the "out" key here must match the "in" key on
	the remote VPN.
	∙ Keys can be in ASCII or Hex (0..9 A..F)
	∙ For MD5, the keys should be 32 hex/16 ASCII characters.
	∙ For SHA-1, the keys should be 40 hex/20 ASCII charac-
	ters.

ESP SPI	This is required if either ESP Encryption or ESP Authen-
	tication is enabled.
	∙ Each SPI (Security Parameter Index) must be unique.
	∙ The "in" SPI here must match the "out" SPI on the remote
	VPN, and the "out" SPI here must match the "in" SPI on
	the remote VPN.
	∙ Each SPI should be at least 3 characters.

79

Image 83

Planet Technology VRT-401 user manual Manually assigned Keys, ESP Encryption, ESP Authentica, Tication is enabled

Contents

Broadband VPN Router Copyright Table of Contents 107 Using Certificates 101Remote Administration 111 106 Internet Access Features VRT-401 Features Advanced Internet Functions LAN FeaturesConfiguration & Management Security Features Package Contents Front-mounted LEDs Physical Details Rear Panel To Clear All Data and restore the factory default values Connect LAN Cables ProcedureChoose an Installation Site Requirements Check the LEDs Using the DMZ PortPower Up Connect WAN Cable To Do this Refer to Overview Preparation Configuration ProgramUsing UPnP Using your Web Browser If you cant connect Password Dialog DSL Modems Config WizardCommon Connection Types Cable Modems SingTel RAS Other Modems e.g. Broadband WirelessBig Pond Cable Australia Navigation & Data Input Home Screen Data LAN Screen LAN Screen What Dhcp Does Using VRT-401’s Dhcp ServerUsing another Dhcp Server To Configure your PCs to use Dhcp Windows Clients TCP/IP Settings Overview Using Specify an IP Address Checking TCP/IP Settings Windows 9x/MEUsing Dhcp Gateway Tab Win 95/98 Windows NT4.0 TCP/IP Checking TCP/IP Settings Windows NT4.0 Specify an IP Address Obtain an IP address from a Dhcp Server Windows NT4.0 Add Gateway Windows NT4.0 DNS Network Configuration Win Checking TCP/IP Settings Windows TCP/IP Properties Win Using a fixed IP Address Use the following IP Address Network Configuration Windows XP Checking TCP/IP Settings Windows XP TCP/IP Properties Windows XP For Windows XP Internet AccessAccessing AOL For Windows 9x/ME/2000 Fixed IP Address Macintosh ClientsLinux Clients Other Unix Systems Status Screen Operation Data Status Screen PPPoE Link Status Connection Status PPPoEData PPPoE Screen Connection Physical Address Connection Log Messages Operation and Status Dress Connection Status PptpData Pptp Screen Connection Physical Ad Data Telstra Big Pond Screen Connection Status Telstra Big Pond Connection Status Connection Details SingTel RAS Data SingTel RAS Screen Internet Physical Ad Connection Details Fixed/Dynamic IP AddressData Fixed/Dynamic IP address Screen Buttons Release/Renew Internet Screen Advanced Internet Screen Special Applications Screen Communication ApplicationsSpecial Applications Checkbox Name Incoming Ports Outgoing Ports Using a Special ApplicationData Special Applications Screen URL Filter DMZ Data URL Filter Screen URL Filter Screen Dynamic DNS Screen Service works as followsDynamic DNS Domain Name Server Ddns Data User Name Ddns ServicePassword Domain Name Data Dynamic DNS Screen IP Address seen by Internet Users Virtual Servers Data Virtual Servers Screen Using the DMZ port for Virtual ServersVirtual Servers Screen Defining your own Virtual Servers Connecting to the Virtual ServersBackup DNS IP Address Options MTU size MTU Admin Login Screen Admin Login Password Dialog To use this feature Access ControlAccess Control Screen Data Access Control Screen View Log Group Members Screen Access Control Log Security Configuration Firewall Rules Screen This feature is for advanced administrators onlyFirewall Rules Data Firewall Rules Screen Source IP Define Firewall RuleData Define Firewall Rule Screen Type Log Dest IPAction Internet Connec Enable Logs DoS AttacksLogs Data Logs Screen Timezone Access ControlSyslog Server Enable Syslog Firewall Rules Include Firewall SPI Firewall Enable DoSSecurity Options Data Security Options Screen Allow L2TP Options Respond toAllow IPsec Allow Pptp Data Define Schedule Screen SchedulingDefine Schedule Screen Data Services Screen Services Buttons Delete IPSec VRT-401 does not support Transport ModeVRT-401 always uses Tunnel Mode Policies VPN Configuration Client PC to VPN Gateway Common VPN SituationsVPN Pass-through Connecting 2 VPN Gateways Connecting 2 LANs via VPN Data VPN Policies Screen VPN ConfigurationVPN Policies Screen Operations Add Able/Disable CopyAdding a New Policy Keys General SettingsEnable Policy Endpoint Local IP addresses Type VPN Wizard Traffic Selector Manual Key Exchange Remote IP addresses Type ESP Authentica Tication is enabledManually assigned Keys ESP Encryption Remote Identity IKE PhaseLocal Identity Mode AuthenticationEncryption IKE Exchange IPSec PFS IKE Phase 2 IPsec SA IPsec SA LifeAH Authentication Time Examples Example 1 Connecting 2 VRT-401sConfiguration Settings Setting LAN a Gateway LAN B Gateway IPSec SA Parameters DES Example 2 Windows 2000/XP Client to LAN VRT-401 ConfigurationSetting Value Windows 2000/XP Local Security Settings Windows Client Configuration Windows 2000/XP Policy Properties Filter Properties Addressing New Rule Properties Filter Action Modify Security Method VPN Setting Windows Setting Tunnel Setting Windows 2000/XP Client to VRT-401 Filter List Filter Action Modify Security Method DUT to Win2K Properties Properties General Tab IKE Security Algorithms Key Exchange Security Methods Example 3 Windows 2000 Server to VPN Gateway Setting Single Client Server/Gateway Windows 2000 Server Addressing Windows 2000 Server Configuration Using Certificates Adding a Self Certificate Adding a Trusted Certificate Length Hash AlgorithmSignature Algorithm Signature Key To add a New CRL CRLs Upload CRL Remote Administra Tion RoutingUpgrade PC Database PC Database Screen PC Database Data PC Database Screen PC Properties Name PC Database AdminData PC Database Admin Screen Entry Update Se∙ Dchp Client Reserved IP Address Select this if the PC Buttons Add as New To connect from a remote PC via the Internet Remote AdministrationData Remote Administration Screen Routing Screen Using this ScreenRouting Overview Static Routing Static Routing Table Entries Enable RIPData Routing Screen Local Router Configuring Other Routers on your LAN For VRT-401’s Routing Table For Router As Default RouteStatic Routing Example Other Routers on the Local LAN To perform the Firmware Upgrade Firmware UpgradeFor Router Bs Default Route Data Upnp Screen Problem 1 Cant connect to VRT-401 to configure it General ProblemsInternet Access 119 FCC Statement VRT-401 FCC Radiation Exposure Statement CE Marking Warning