Chapter, Setting up and configuring the router – Linksys RVS4000 User Manual

Setting Up and Configuring the Router

4-Port Gigabit Security Router with VPN

Remote Security Group Type

Select the remote LAN user(s) behind the remote gateway who can use this VPN tunnel. This may be a single IP address or a Sub-network. Note that the Remote Security Group Type must match the other router’s Local Security Group Type.

IP Address

Enter the IP address on the remote network.

Subnet Mask

If the Remote Security Group Type is set to Subnet, enter the mask to determine the IP addresses on the remote network.

IPSec Setup

Keying Mode

The router supports both automatic and manual key management. When choosing automatic key management, IKE (Internet Key Exchange) protocols are used to negotiate key material for SA (Security Association). If manual key management is selected, no key negotiation is needed. Basically, manual key management is used in small static environments or for troubleshooting purposes. Note that both sides must use the same Key Management method.

Phase

Encryption

The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Only 3DES is supported. Note that both sides must use the same Encryption method.

Authentication

Authentication determines a method to authenticate the ESP packets. Either MD5 or SHA1 may be selected. Note that both sides (VPN endpoints) must use the same Authentication method.

MD5

A one-way hashing algorithm that produces a 128-bit digest.

SHA1

A one-way hashing algorithm that produces a 160-bit digest.

Group

The Diffie-Hellman (DH) group to be used for key exchange. Select the 768-bit (Group 1), 1024-bit (Group 2), or 1536-bit (Group 5) algorithm. Group 5 provides the most security, Group 1 the least.

Key Life Time

This specifies the lifetime of the IKE-generated key. If the time expires, a new key will be renegotiated automatically. Enter a value from 300 to 100,000,000 seconds. The default is 8800 seconds.

Phase

Encryption

The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Only 3DES is supported. Note that both sides must use the same Encryption method.

Authentication

Authentication determines a method to authenticate the ESP packets. Either MD5 or SHA1 may be selected. Note that both sides (VPN endpoints) must use the same Authentication method.

MD5

A one-way hashing algorithm that produces a 128-bit digest.

SHA1

A one-way hashing algorithm that produces a 160-bit digest.

Perfect Forward Secrecy

If PFS is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication. Note that both sides must have this selected.

Preshared Key

IKE uses the Preshared Key field to authenticate the remote IKE peer. Both character and hexadecimal values are acceptable in this field; e.g., “My_@123” or “0x4d795f40313233”. Note that both sides must use the same Preshared Key.

Group

The Diffie-Hellman (DH) group to be used for key exchange. Select the 768-bit (Group 1), 1024-bit (Group 2), or 1536-bit (Group 5) algorithm. Group 5 provides the most security, Group 1 the least.

Key Life Time

This specifies the lifetime of the IKE-generated key. If the time expires, a new key will be renegotiated automatically. Enter a value from 300 to 100,000,000 seconds. The default is 00 seconds.

Status

Status

Displays the connection status for the selected tunnel. The state is either connected or disconnected.

Connect

Click this button to establish a connection for the current VPN tunnel. If you have made any changes, click Save Settings first to apply your changes.

Disconnect

Click this button to break a connection for the current VPN tunnel.

View Log

Click this button to view the VPN log, which shows details of each tunnel established.

Advanced

Click this button to display the following additional settings.

Aggressive Mode

This is used to specify the type of Phase 1 exchange, Main mode or Aggressive mode. Check the box to select Aggressive Mode or leave the box unchecked (default) to select Main mode. Aggressive mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, select Main mode.

NetBios Broadcasts

Check the box to enable NetBIOS traffic to pass through the VPN tunnel. By default, the RVS4000 blocks these broadcasts.

Click Save Settings to save the settings you have entered.

Click Cancel Changes to cancel any changes you have entered.
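
A consistency check for the settings described on this page, as an added example (not from the Linksys manual or the router's firmware). The dictionary keys, the p1_/p2_ mapping of the two Phase blocks to IKE Phase 1 and Phase 2, and the reading of a 0x-prefixed Preshared Key as the hex encoding of the same bytes are assumptions; the sample configurations are constructed.

```python
import binascii

# Settings this page says both sides must set identically. Key names are
# hypothetical; "p1_"/"p2_" assume the two "Phase" blocks are IKE Phase 1 and 2.
MUST_MATCH = ("keying_mode", "p1_encryption", "p1_authentication",
              "p2_encryption", "p2_authentication", "pfs")
LIFETIME_MIN, LIFETIME_MAX = 300, 100_000_000  # seconds, per Key Life Time

def psk_bytes(value):
    """Normalise a Preshared Key entered as text or as 0x-prefixed hex."""
    if value.lower().startswith("0x"):
        try:
            return binascii.unhexlify(value[2:])
        except (binascii.Error, ValueError):
            pass  # assumption: malformed hex is kept as literal text
    return value.encode("utf-8")

def compare_endpoints(a, b):
    """Return findings for two tunnel configs (dicts); empty list means OK."""
    findings = [f"mismatch: {k} ({a[k]} vs {b[k]})"
                for k in MUST_MATCH if a[k] != b[k]]
    if psk_bytes(a["psk"]) != psk_bytes(b["psk"]):
        findings.append("mismatch: psk")  # never echo the key itself
    for name, cfg, peer in (("A", a, b), ("B", b, a)):
        if cfg["remote_group_type"] != peer["local_group_type"]:
            findings.append(f"mismatch: {name} remote_group_type vs peer local")
        for ph in ("p1", "p2"):
            life = cfg[f"{ph}_lifetime"]
            if not LIFETIME_MIN <= life <= LIFETIME_MAX:
                findings.append(f"range: {name} {ph}_lifetime={life}")
            if cfg[f"{ph}_group"] == 1:  # page: Group 1 is the least secure
                findings.append(f"weak: {name} {ph}_group=1 (768-bit)")
        if cfg["aggressive_mode"]:  # page: prefer Main mode for security
            findings.append(f"weak: {name} aggressive_mode enabled")
    return findings

# Constructed sample configs, not taken from any real device.
SITE_A = {"keying_mode": "auto", "local_group_type": "subnet",
          "remote_group_type": "subnet", "psk": "My_@123", "pfs": True,
          "aggressive_mode": False,
          "p1_encryption": "3DES", "p1_authentication": "SHA1",
          "p1_group": 5, "p1_lifetime": 7200,
          "p2_encryption": "3DES", "p2_authentication": "SHA1",
          "p2_group": 5, "p2_lifetime": 7200}
SITE_B = dict(SITE_A, psk="0x4d795f40313233", p2_authentication="MD5",
              p1_group=1, p2_lifetime=120, aggressive_mode=True)

if __name__ == "__main__":
    for line in compare_endpoints(SITE_A, SITE_B):
        print(line)
```

The two Preshared Key examples from the page decode to the same bytes, so the check reports no key mismatch between the sample sites even though one uses the text form and the other the hex form.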