51
Chapter 5: Setting Up and Configuring the Router
VPN Tab - Client to Gateway
10/100 8-Port VPN Router
Manual
If you select
Manual
, you generate the key yourself, and no key negotiation is needed. Basically, manual key
management is used in small static environments or for troubleshooting purposes. Both sides must use the same
Key Management method.
Incoming & Outgoing SPI
(Security Parameter Index): SPI is carried in the ESP (Encapsulating Security Payload
Protocol) header and enables the receiver and sender to select the SA, under which a packet should be
processed. The hexadecimal values is acceptable, and the valid range is 100~ffffffff. Each tunnel must have a
unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. The Incoming SPI here must match the
Outgoing SPI value at the other end of the tunnel, and vice versa
Encryption
: There are two methods of encryption, DES and 3DES. The Encryption method determines the length
of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is
recommended because it is more secure, and both sides must use the same Encryption method.
Authentication
: There are two methods of authentication, MD5 and SHA. The Authentication method determines
a method to authenticate the ESP packets. MD5 is a one-way hashing algorithm that produces a 128-bit digest.
SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more
secure, and both sides must use the same Authentication method.
Encryption Key
: This field specifies a key used to encrypt and decrypt IP traffic, and the Encryption Key is
generated yourself. The hexadecimal value is acceptable in this field. Both sides must use the same Encryption
Key. If DES is selected, the Encryption Key is 16-bit. If users do not fill up to 16-bit, this field will be filled up to
16-bit automatically by 0. If 3DES is selected, the Encryption Key is 48-bit. If users do not fill up to 48-bit, this
field will be filled up to 48-bit automatically by 0.
Authentication Key
: This field specifies a key used to authenticate IP traffic and the Authentication Key is
generated yourself. The hexadecimal value is acceptable in this field. Both sides must use the same
Authentication key. If MD5 is selected, the Authentication Key is 32-bit. If users do not fill up to 32-bit, this field
will be filled up to 32-bit automatically by 0. If SHA1 is selected, the Authentication Key is 40-bit. If users do not
fill up to 40-bit, this field will be filled up to 40-bit automatically by 0.
IKE with Preshared Key (automatic)
IKE is an Internet Key Exchange protocol that is used to negotiate key material for SA (Security Association). IKE
uses the Pre-shared Key field to authenticate the remote IKE peer.
Phase 1 DH Group
: Phase 1 is used to create a security association (SA). DH (Diffie-Hellman) is a key exchange
protocol that is used during phase 1 of the authentication process to establish pre-shared keys. There are three
Figure 5-52: VPN tab - Client to Gateway
IPSec Setup