Chapter 5: Setting Up and Configuring the Router
VPN Tab - Gateway to Gateway
4-Port SSL/IPSec VPN Router
IPSec Setup
In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. This is done by sharing a key to the encryption code. For key management, the default mode is IKE with Preshared Key. Both ends of a VPN tunnel must use the same mode of key management.
IKE with Preshared Key
IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the
Preshared Key to authenticate the remote IKE peer.
Phase 1 DH Group. Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths. Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. Make sure both ends of the VPN tunnel use the same encryption method.
Phase 1 Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Phase 1 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 1. The default value is 28800 seconds.
Perfect Forward Secrecy. If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will
generate new key material for IP traffic encryption and authentication, so hackers using brute force to break
encryption keys will not be able to obtain future IPSec keys.
Phase 2 DH Group. If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1). There are three groups of different prime key lengths. Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You do not have to use the same DH Group that you used for Phase 1.
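The settings above only produce a working tunnel when both ends agree on them, and the manual's speed-versus-security choices (DES, MD5, Group 1, PFS off) are easy to leave in place by accident. The following Python script is an added example, not part of the RVL200 manual or its firmware: it models the Phase 1 and Phase 2 fields from this page for two peers, reports the mismatches that would stop the tunnel from negotiating, and separately flags the weaker options. The IkeProposal class, the check_tunnel function and the two sample peers are constructed for illustration; the bit lengths come from the text on this page.

```python
from dataclasses import dataclass
from typing import List, Optional

# Modulus sizes of the three DH groups the router offers (from the manual).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
# Key lengths the manual gives for the two Phase 1 ciphers.
CIPHER_BITS = {"DES": 56, "3DES": 168}
# Digest lengths the manual gives for the two Phase 1 hash algorithms.
HASH_BITS = {"MD5": 128, "SHA": 160}


@dataclass
class IkeProposal:
    """Phase 1 / Phase 2 settings as entered on one end of the tunnel (constructed model)."""
    key_mgmt: str                      # e.g. "IKE with Preshared Key" (the default mode)
    p1_dh_group: int                   # 1, 2 or 5
    p1_encryption: str                 # "DES" or "3DES"
    p1_authentication: str             # "MD5" or "SHA"
    p1_lifetime: int = 28800           # seconds; router default
    pfs: bool = True                   # Perfect Forward Secrecy
    p2_dh_group: Optional[int] = None  # only consulted when pfs is True


def check_tunnel(local: IkeProposal, remote: IkeProposal) -> List[str]:
    """Return findings for a pair of peers.

    Lines starting with 'MISMATCH' would prevent the tunnel from coming up;
    lines starting with 'WEAK' are advisory and only inspect the local side.
    """
    findings: List[str] = []

    # Key management mode and every Phase 1 parameter must match on both ends.
    for field in ("key_mgmt", "p1_dh_group", "p1_encryption", "p1_authentication"):
        a, b = getattr(local, field), getattr(remote, field)
        if a != b:
            findings.append(f"MISMATCH {field}: local={a!r} remote={b!r}")

    # PFS must match. Only when it is enabled does the Phase 2 DH group matter,
    # because with PFS off the Phase 2 key is the Phase 1 key and the field is ignored.
    if local.pfs != remote.pfs:
        findings.append(f"MISMATCH pfs: local={local.pfs} remote={remote.pfs}")
    elif local.pfs:
        if local.p2_dh_group is None or remote.p2_dh_group is None:
            findings.append("MISMATCH p2_dh_group: PFS enabled but a Phase 2 DH group is unset")
        elif local.p2_dh_group != remote.p2_dh_group:
            findings.append(
                f"MISMATCH p2_dh_group: local={local.p2_dh_group} remote={remote.p2_dh_group}"
            )

    # Advisory findings: the speed-over-security choices the manual describes.
    if local.p1_encryption == "DES":
        findings.append(
            f"WEAK p1_encryption: DES is {CIPHER_BITS['DES']}-bit; 3DES is {CIPHER_BITS['3DES']}-bit"
        )
    if local.p1_authentication == "MD5":
        findings.append(
            f"WEAK p1_authentication: MD5 gives a {HASH_BITS['MD5']}-bit digest; "
            f"SHA ({HASH_BITS['SHA']}-bit) is recommended"
        )
    groups = [("p1_dh_group", local.p1_dh_group)]
    if local.pfs:
        groups.append(("p2_dh_group", local.p2_dh_group))
    for label, group in groups:
        if group in DH_GROUP_BITS and DH_GROUP_BITS[group] < DH_GROUP_BITS[5]:
            findings.append(
                f"WEAK {label}: Group {group} is {DH_GROUP_BITS[group]}-bit; "
                f"Group 5 ({DH_GROUP_BITS[5]}-bit) is the security-preferred choice"
            )
    if not local.pfs:
        findings.append("WEAK pfs: disabled, so Phase 2 reuses the Phase 1 key material")
    return findings


if __name__ == "__main__":
    # Constructed sample: the remote side kept security-preferred settings,
    # the local side was tuned for speed and a different Phase 2 group.
    local = IkeProposal("IKE with Preshared Key", 1, "DES", "MD5", pfs=True, p2_dh_group=2)
    remote = IkeProposal("IKE with Preshared Key", 5, "3DES", "SHA", pfs=True, p2_dh_group=5)
    for line in check_tunnel(local, remote):
        print(line)
```

Run it against the two sample peers and the MISMATCH lines tell you exactly which Phase 1 field or Phase 2 DH group has to be changed on one end before the tunnel can negotiate; the WEAK lines are the places where the manual's "network security is preferred" option was not taken.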
Figure 5-56: IPSec Setup - IKE with Preshared Key