VPN
31
CG3000DCR Advanced Cable Modem Gateway
•
FQDN or Gateway IP (WAN IP Address)
To set up a VPN connection, you must configure each endpoint with specific identification
and connection information describing the other endpoint. You must configure the outbound
VPN settings on one end to match the inbound VPN settings on other end, and vice versa.
This set of configuration information defines a security association (SA) between the two
VPN endpoints. When planning your VPN, you must make a few choices first:
•
Will the local end be any device on the LAN, a portion of the local network (as defined by
a subnet or by a range of IP addresses), or a single computer?
•
Will the remote end be any device on the remote LAN, a portion of the remote network
(as defined by a subnet or by a range of IP addresses), or a single computer?
•
Will either endpoint use fully qualified domain names (FQDNs)? FQDNs supplied by
Dynamic DNS providers can allow a VPN endpoint with a dynamic IP address to initiate
or respond to a tunnel request. Otherwise, the side using a dynamic IP address must
always be the initiator.
Table 2. Parameters recommended by the VPNC
Parameter
Gateway Factory Default Setting
Secure Association
Main Mode
Authentication Method
Pre-shared Key
Encryption Method
3DES
Authentication Protocol
SHA-1
Diffie-Hellman (DH) Group
Group 2 (1024 bit)
Key Life
8 hours
IKE Life Time
1 hour
•
What level of IPSec VPN encryption will you use?
-
DES
. The Data Encryption Standard (DES) processes input data that is 64 bits wide,
encrypting these values using a 56-bit key. Faster but less secure than 3DES.
-
3DES
. Triple DES achieves a higher level of security by encrypting the data three
times using DES with three different, unrelated keys.
•
What level of authentication will you use?
-
MDS
. 128 bits, faster but less secure.
-
SHA-1
. 160 bits, slower but more secure.
