IKE Phase 2 IPsec SA IPsec SA Life | Planet Technology VRT-401

VRT-401 User Manual

IKE Phase 2 (IPsec SA)

IPsec SA Life	This setting does not have to match the remote VPN end-
Time	point; the shorter time will be used. Although measured in
	seconds, it is common to use time periods of several hours,
	such 28,800 seconds.
IPSec PFS	If enabled, PFS (Perfect Forward Security) enhances security
	by changing the IPsec key at regular intervals, and ensuring
	that each key has no relationship to the previous key. Thus,
	breaking 1 key will not assist in breaking the next key.
AH Authentication	AH (Authentication Header) specifies the authentication
	protocol for the VPN header, if used.
	AH is often NOT used. If you do enable it, ensure the algo-
	rithm selected matches the other VPN endpoint.
ESP Encryption	ESP (Encapsulating Security Payload) provides security for
	the payload (data) sent through the VPN tunnel. Generally,
	you will want to enable both ESP Encryption and ESP Authen-
	tication.
	Select the desired method, and ensure the remote VPN
	endpoint uses the same method. The "3DES" algorithm
	provides greater security than "DES", but is slower.
ESP Authentica-	Generally, you should enable ESP Authentication. There is
tion	little difference between the available algorithms. Just ensure
	each endpoint use the same setting.

For IKE, configuration is now complete.

∙Click "Next" to view the final screen.

∙On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard.

82

Image 86

Planet Technology VRT-401 user manual IKE Phase 2 IPsec SA IPsec SA Life, Time, IPSec PFS, AH Authentication

Contents

Broadband VPN Router Copyright Table of Contents 106 Using Certificates 101Remote Administration 111 107 VRT-401 Features Internet Access Features Security Features LAN FeaturesConfiguration & Management Advanced Internet Functions Package Contents Physical Details Front-mounted LEDs To Clear All Data and restore the factory default values Rear Panel Requirements ProcedureChoose an Installation Site Connect LAN Cables Connect WAN Cable Using the DMZ PortPower Up Check the LEDs Overview To Do this Refer to Using your Web Browser Configuration ProgramUsing UPnP Preparation Password Dialog If you cant connect Cable Modems Config WizardCommon Connection Types DSL Modems SingTel RAS Other Modems e.g. Broadband WirelessBig Pond Cable Australia Home Screen Navigation & Data Input LAN Screen Data LAN Screen To Configure your PCs to use Dhcp Using VRT-401’s Dhcp ServerUsing another Dhcp Server What Dhcp Does TCP/IP Settings Overview Windows Clients Using Specify an IP Address Checking TCP/IP Settings Windows 9x/MEUsing Dhcp Gateway Tab Win 95/98 Checking TCP/IP Settings Windows NT4.0 Windows NT4.0 TCP/IP Obtain an IP address from a Dhcp Server Specify an IP Address Windows NT4.0 Add Gateway Windows NT4.0 DNS Checking TCP/IP Settings Windows Network Configuration Win Using a fixed IP Address Use the following IP Address TCP/IP Properties Win Checking TCP/IP Settings Windows XP Network Configuration Windows XP TCP/IP Properties Windows XP For Windows 9x/ME/2000 Internet AccessAccessing AOL For Windows XP Other Unix Systems Macintosh ClientsLinux Clients Fixed IP Address Operation Status Screen Data Status Screen Connection Physical Address Connection Status PPPoEData PPPoE Screen PPPoE Link Status Connection Log Messages Operation and Status Connection Physical Ad Connection Status PptpData Pptp Screen Dress Connection Status Telstra Big Pond Data Telstra Big Pond Screen Connection Details SingTel RAS Connection Status Data SingTel RAS Screen Internet Physical Ad Connection Details Fixed/Dynamic IP AddressData Fixed/Dynamic IP address Screen Buttons Release/Renew Advanced Internet Screen Internet Screen Special Applications Screen Communication ApplicationsSpecial Applications Checkbox Name Incoming Ports Outgoing Ports Using a Special ApplicationData Special Applications Screen DMZ URL Filter URL Filter Screen Data URL Filter Screen Dynamic DNS Screen Service works as followsDynamic DNS Domain Name Server Data Dynamic DNS Screen Ddns ServicePassword Domain Name Ddns Data User Name Virtual Servers IP Address seen by Internet Users Data Virtual Servers Screen Using the DMZ port for Virtual ServersVirtual Servers Screen Options Connecting to the Virtual ServersBackup DNS IP Address Defining your own Virtual Servers MTU MTU size Admin Login Admin Login Screen Password Dialog To use this feature Access ControlAccess Control Screen Data Access Control Screen View Log Access Control Log Group Members Screen Security Configuration Firewall Rules Screen This feature is for advanced administrators onlyFirewall Rules Data Firewall Rules Screen Type Define Firewall RuleData Define Firewall Rule Screen Source IP Log Dest IPAction Data Logs Screen Enable Logs DoS AttacksLogs Internet Connec Firewall Rules Access ControlSyslog Server Enable Syslog Timezone Include Data Security Options Screen SPI Firewall Enable DoSSecurity Options Firewall Allow Pptp Options Respond toAllow IPsec Allow L2TP Data Define Schedule Screen SchedulingDefine Schedule Screen Services Data Services Screen Buttons Delete IPSec VRT-401 does not support Transport ModeVRT-401 always uses Tunnel Mode VPN Configuration Policies Client PC to VPN Gateway Common VPN SituationsVPN Pass-through Connecting 2 LANs via VPN Connecting 2 VPN Gateways Data VPN Policies Screen VPN ConfigurationVPN Policies Screen Operations Add Able/Disable CopyAdding a New Policy Endpoint General SettingsEnable Policy Keys VPN Wizard Traffic Selector Local IP addresses Type Remote IP addresses Type Manual Key Exchange ESP Encryption Tication is enabledManually assigned Keys ESP Authentica Remote Identity IKE PhaseLocal Identity IKE Exchange AuthenticationEncryption Mode Time IKE Phase 2 IPsec SA IPsec SA LifeAH Authentication IPSec PFS Setting LAN a Gateway LAN B Gateway Example 1 Connecting 2 VRT-401sConfiguration Settings Examples DES IPSec SA Parameters Example 2 Windows 2000/XP Client to LAN VRT-401 ConfigurationSetting Value Windows Client Configuration Windows 2000/XP Local Security Settings Windows 2000/XP Policy Properties Filter Properties Addressing New Rule Properties Filter Action VPN Setting Windows Setting Modify Security Method Tunnel Setting Windows 2000/XP Client to VRT-401 Filter List Filter Action Modify Security Method DUT to Win2K Properties Properties General Tab Key Exchange Security Methods IKE Security Algorithms Setting Single Client Server/Gateway Example 3 Windows 2000 Server to VPN Gateway Windows 2000 Server Configuration Windows 2000 Server Addressing Using Certificates Adding a Trusted Certificate Adding a Self Certificate Signature Key Hash AlgorithmSignature Algorithm Length CRLs To add a New CRL Upload CRL PC Database Administra Tion RoutingUpgrade Remote PC Database PC Database Screen Data PC Database Screen PC Properties Name PC Database AdminData PC Database Admin Screen Buttons Add as New Update Se∙ Dchp Client Reserved IP Address Select this if the PC Entry To connect from a remote PC via the Internet Remote AdministrationData Remote Administration Screen Overview Using this ScreenRouting Routing Screen Static Routing Static Routing Table Entries Enable RIPData Routing Screen Configuring Other Routers on your LAN Local Router Other Routers on the Local LAN For Router As Default RouteStatic Routing Example For VRT-401’s Routing Table To perform the Firmware Upgrade Firmware UpgradeFor Router Bs Default Route Data Upnp Screen Problem 1 Cant connect to VRT-401 to configure it General ProblemsInternet Access 119 VRT-401 FCC Statement CE Marking Warning FCC Radiation Exposure Statement