Authentication, Encryption, Mode | Planet Technology VRT-401

VPN

Authentication	∙ RSA Signature requires that both VPN endpoints have
	valid Certificates issued by a CA (Certification Authority).
	∙ For Pre-shared key, enter the same key value in both
	endpoints. The key should be at least 8 characters (maxi-
	mum is 128 characters). Note that this key is used for the
	IKE SA only. The keys used for the IPsec SA are automati-
	cally generated.
Encryption	Select the desired method, and ensure the remote VPN end-
	point uses the same method. The "3DES" algorithm provides
	greater security than "DES", but is slower.
IKE Exchange	Select the desired option, and ensure the remote VPN endpoint
Mode	uses the same mode. Main Mode provides identity protection
	for the hosts initiating the IPSec session, but takes slightly
	longer to complete. Aggressive Mode provides no identity
	protection, but is quicker.
IKE SA Life Time	This setting does not have to match the remote VPN endpoint;
	the shorter time will be used. Although measured in seconds, it
	is common to use time periods of several hours, such 28,800
	seconds.
DH Group	Select the desired method, and ensure the remote VPN end-
	point uses the same method. The smaller bit size is slightly
	faster.
IKE PFS	If enabled, PFS (Perfect Forward Security) enhances security
	by changing the IPsec key at regular intervals, and ensuring
	that each key has no relationship to the previous key. Thus,
	breaking 1 key will not assist in breaking the next key.
	This setting should match the remote endpoint.

Click Next to see the following IKE Phase 2 screen.

Figure 52: VPN Wizard - IKE Phase 2

81

Image 85

Planet Technology VRT-401 user manual Authentication, Encryption, IKE Exchange, Mode, IKE SA Life Time, DH Group

Contents

Broadband VPN Router Copyright Table of Contents Remote Administration 111 Using Certificates 101106 107 Internet Access Features VRT-401 Features Configuration & Management LAN FeaturesSecurity Features Advanced Internet Functions Package Contents Front-mounted LEDs Physical Details Rear Panel To Clear All Data and restore the factory default values Choose an Installation Site ProcedureRequirements Connect LAN Cables Power Up Using the DMZ PortConnect WAN Cable Check the LEDs To Do this Refer to Overview Using UPnP Configuration ProgramUsing your Web Browser Preparation If you cant connect Password Dialog Common Connection Types Config WizardCable Modems DSL Modems Big Pond Cable Australia Other Modems e.g. Broadband WirelessSingTel RAS Navigation & Data Input Home Screen Data LAN Screen LAN Screen Using another Dhcp Server Using VRT-401’s Dhcp ServerTo Configure your PCs to use Dhcp What Dhcp Does Windows Clients TCP/IP Settings Overview Using Dhcp Checking TCP/IP Settings Windows 9x/MEUsing Specify an IP Address Gateway Tab Win 95/98 Windows NT4.0 TCP/IP Checking TCP/IP Settings Windows NT4.0 Specify an IP Address Obtain an IP address from a Dhcp Server Windows NT4.0 Add Gateway Windows NT4.0 DNS Network Configuration Win Checking TCP/IP Settings Windows TCP/IP Properties Win Using a fixed IP Address Use the following IP Address Network Configuration Windows XP Checking TCP/IP Settings Windows XP TCP/IP Properties Windows XP Accessing AOL Internet AccessFor Windows 9x/ME/2000 For Windows XP Linux Clients Macintosh ClientsOther Unix Systems Fixed IP Address Status Screen Operation Data Status Screen Data PPPoE Screen Connection Status PPPoEConnection Physical Address PPPoE Link Status Connection Log Messages Operation and Status Data Pptp Screen Connection Status PptpConnection Physical Ad Dress Data Telstra Big Pond Screen Connection Status Telstra Big Pond Connection Status Connection Details SingTel RAS Data SingTel RAS Screen Data Fixed/Dynamic IP address Screen Connection Details Fixed/Dynamic IP AddressInternet Physical Ad Buttons Release/Renew Internet Screen Advanced Internet Screen Special Applications Communication ApplicationsSpecial Applications Screen Data Special Applications Screen Using a Special ApplicationCheckbox Name Incoming Ports Outgoing Ports URL Filter DMZ Data URL Filter Screen URL Filter Screen Dynamic DNS Domain Name Server Service works as followsDynamic DNS Screen Password Domain Name Ddns ServiceData Dynamic DNS Screen Ddns Data User Name IP Address seen by Internet Users Virtual Servers Virtual Servers Screen Using the DMZ port for Virtual ServersData Virtual Servers Screen Backup DNS IP Address Connecting to the Virtual ServersOptions Defining your own Virtual Servers MTU size MTU Admin Login Screen Admin Login Password Dialog Access Control Screen Access ControlTo use this feature Data Access Control Screen View Log Group Members Screen Access Control Log Security Configuration Firewall Rules This feature is for advanced administrators onlyFirewall Rules Screen Data Firewall Rules Screen Data Define Firewall Rule Screen Define Firewall RuleType Source IP Action Dest IPLog Logs Enable Logs DoS AttacksData Logs Screen Internet Connec Syslog Server Enable Syslog Access ControlFirewall Rules Timezone Include Security Options SPI Firewall Enable DoSData Security Options Screen Firewall Allow IPsec Options Respond toAllow Pptp Allow L2TP Define Schedule Screen SchedulingData Define Schedule Screen Data Services Screen Services Buttons Delete VRT-401 always uses Tunnel Mode VRT-401 does not support Transport ModeIPSec Policies VPN Configuration VPN Pass-through Common VPN SituationsClient PC to VPN Gateway Connecting 2 VPN Gateways Connecting 2 LANs via VPN VPN Policies Screen VPN ConfigurationData VPN Policies Screen Adding a New Policy Able/Disable CopyOperations Add Enable Policy General SettingsEndpoint Keys Local IP addresses Type VPN Wizard Traffic Selector Manual Key Exchange Remote IP addresses Type Manually assigned Keys Tication is enabledESP Encryption ESP Authentica Local Identity IKE PhaseRemote Identity Encryption AuthenticationIKE Exchange Mode AH Authentication IKE Phase 2 IPsec SA IPsec SA LifeTime IPSec PFS Configuration Settings Example 1 Connecting 2 VRT-401sSetting LAN a Gateway LAN B Gateway Examples IPSec SA Parameters DES Setting Value VRT-401 ConfigurationExample 2 Windows 2000/XP Client to LAN Windows 2000/XP Local Security Settings Windows Client Configuration Windows 2000/XP Policy Properties Filter Properties Addressing New Rule Properties Filter Action Modify Security Method VPN Setting Windows Setting Tunnel Setting Windows 2000/XP Client to VRT-401 Filter List Filter Action Modify Security Method DUT to Win2K Properties Properties General Tab IKE Security Algorithms Key Exchange Security Methods Example 3 Windows 2000 Server to VPN Gateway Setting Single Client Server/Gateway Windows 2000 Server Addressing Windows 2000 Server Configuration Using Certificates Adding a Self Certificate Adding a Trusted Certificate Signature Algorithm Hash AlgorithmSignature Key Length To add a New CRL CRLs Upload CRL Upgrade Administra Tion RoutingPC Database Remote PC Database Screen PC Database Data PC Database Screen Data PC Database Admin Screen PC Database AdminPC Properties Name ∙ Dchp Client Reserved IP Address Select this if the PC Update SeButtons Add as New Entry Data Remote Administration Screen Remote AdministrationTo connect from a remote PC via the Internet Routing Using this ScreenOverview Routing Screen Data Routing Screen Enable RIPStatic Routing Static Routing Table Entries Local Router Configuring Other Routers on your LAN Static Routing Example For Router As Default RouteOther Routers on the Local LAN For VRT-401’s Routing Table For Router Bs Default Route Firmware UpgradeTo perform the Firmware Upgrade Data Upnp Screen Internet Access General ProblemsProblem 1 Cant connect to VRT-401 to configure it 119 FCC Statement VRT-401 FCC Radiation Exposure Statement CE Marking Warning