Cisco Small Business RV0xx Series Routers Administration Guide, Chapter 9: VPN (page 135)

Setting Up a Gateway to Gateway (Site to Site) VPN
• Required fields for IKE with Preshared Key

Enter the settings for Phase 1 and Phase 2. Phase 1 uses the preshared keys to create a secure, authenticated communication channel. In Phase 2, the IKE peers use that secure channel to negotiate Security Associations on behalf of other services such as IPsec. Be sure to enter the same settings when configuring the other router for this tunnel.
- Phase 1 / Phase 2 DH Group: DH (Diffie-Hellman) is a key exchange protocol. There are three groups with different prime key lengths: Group 1 - 768 bits, Group 2 - 1,024 bits, and Group 5 - 1,536 bits. For faster speed but lower security, choose Group 1. For slower speed but higher security, choose Group 5. Group 1 is selected by default.
- Phase 1 / Phase 2 Encryption: Select a method of encryption for this phase: DES, 3DES, AES-128, AES-192, or AES-256. The method determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is more secure.
- Phase 1 / Phase 2 Authentication: Select a method of authentication for this phase: MD5 or SHA1. The authentication method determines how the ESP (Encapsulating Security Payload Protocol) header packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure that both ends of the VPN tunnel use the same authentication method.
- Phase 1 / Phase 2 SA Life Time: Configure the length of time a VPN tunnel is active in this phase. The default value for Phase 1 is 28800 seconds. The default value for Phase 2 is 3600 seconds.
- Perfect Forward Secrecy: If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation generates new key material for IP traffic encryption and authentication, so an attacker who brute-forces one set of encryption keys cannot derive future IPsec keys from it. Check the box to enable this feature, or uncheck the box to disable it. This feature is recommended.
- Preshared Key: Enter a pre-shared key to use to authenticate the remote IKE peer. You can enter up to 30 keyboard characters and hexadecimal values, such as My_@123 or 4d795f40313233. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.
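As an added example (not from the Cisco guide), the following Python check compares the Phase 1 / Phase 2 settings entered on the two routers, reports any field that differs, and flags the options the guide describes as lower security; the dataclass field names and the finding format are assumptions.

```python
"""Consistency and strength check for RV0xx IKE Phase 1/2 proposal settings.

Added example, not part of the Cisco guide. Field names and the finding
text are assumptions; the option values and recommendations come from the
guide: DH Group 1/2/5, DES/3DES/AES-128/192/256, MD5/SHA1, SA life time
defaults 28800 (Phase 1) and 3600 (Phase 2), PFS, and a 30-character PSK.
"""
from dataclasses import dataclass, asdict

# Prime lengths for the three DH groups offered by the router, in bits.
DH_BITS = {"Group 1": 768, "Group 2": 1024, "Group 5": 1536}

@dataclass(frozen=True)
class PhaseSettings:
    dh_group: str
    encryption: str
    authentication: str
    sa_lifetime: int  # seconds

@dataclass(frozen=True)
class TunnelSettings:
    phase1: PhaseSettings
    phase2: PhaseSettings
    pfs: bool
    preshared_key: str

def weak_choices(t: TunnelSettings) -> list[str]:
    """Flag options the guide describes as lower-security or out of range."""
    findings = []
    for name, ph in (("Phase 1", t.phase1), ("Phase 2", t.phase2)):
        if DH_BITS[ph.dh_group] < 1536:
            findings.append(f"{name}: {ph.dh_group} ({DH_BITS[ph.dh_group]}-bit); Group 5 is the strongest offered")
        if ph.encryption != "AES-256":
            findings.append(f"{name}: encryption {ph.encryption}; AES-256 is recommended")
        if ph.authentication == "MD5":
            findings.append(f"{name}: MD5 (128-bit digest); SHA1 is recommended")
    if not t.pfs:
        findings.append("PFS disabled; enabling it is recommended")
    if len(t.preshared_key) > 30:
        findings.append("Preshared key exceeds the 30-character limit")
    return findings

def mismatches(local: TunnelSettings, remote: TunnelSettings) -> list[str]:
    """Both routers must carry identical Phase 1/2 settings, PFS state and PSK."""
    diffs = []
    for name in ("phase1", "phase2"):
        l, r = asdict(getattr(local, name)), asdict(getattr(remote, name))
        diffs += [f"{name}.{k}: {l[k]} vs {r[k]}" for k in l if l[k] != r[k]]
    if local.pfs != remote.pfs:
        diffs.append("pfs differs")
    if local.preshared_key != remote.preshared_key:
        diffs.append("preshared_key differs")
    return diffs
```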