Linksys RV016 User Manual
Chapter 6: Setting up and Configuring the Router
VPN Tab - Gateway to Gateway
10/100 16-Port VPN Router
screen, then it is recommended to select Null to disable the encryption and decryption of ESP packets in Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Encryption setting: DES, 3DES, or Null.

Phase 2 Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. If you enable the AH Hash Algorithm on the Advanced screen, then it is recommended to select Null to disable the authentication of ESP packets in Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Authentication setting: MD5, SHA, or Null.

Phase 2 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 2. The default value is 3600 seconds.

Preshared Key. This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of 30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.

Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.

Manual
Manual key management is used in small static environments or for troubleshooting purposes. If you select Manual, you generate the key yourself, so no key negotiation is needed.

Incoming SPI (Security Parameter Index). The SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to identify the Security Association (SA) under which a packet should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each tunnel must have a unique Incoming SPI and Outgoing SPI. The Incoming SPI of the Router must match the Outgoing SPI set on the remote VPN device at the other end of the tunnel. For example, if the Incoming SPI is 20123, then the Outgoing SPI would be 32102.

Outgoing SPI (Security Parameter Index). The SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to identify the SA under which a packet should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each tunnel must have a unique Incoming SPI and Outgoing SPI. The Outgoing SPI of the Router must match the Incoming SPI set on the remote VPN device at the other end of the tunnel. For example, if the Outgoing SPI is 32102, then the Incoming SPI would be 20123.

Figure 6-69: IPSec Setup - Manual
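
The matching rules above (same Phase 2 settings at both ends, Null only together with the AH Hash Algorithm, a Preshared Key of at most 30 characters, SPIs within 100 to ffffffff and mirrored between the two devices) can be checked before a tunnel is brought up. The following is an added example, not part of the Linksys manual or the router firmware; the dictionary field names are assumptions, and the SPI values from the page's example are treated as hexadecimal.

```python
# Added example: field names are assumptions, not the router's own export format.
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF      # valid SPI range given on this page
P2_ENC = {"DES", "3DES", "Null"}          # Phase 2 Encryption options
P2_AUTH = {"MD5", "SHA", "Null"}          # Phase 2 Authentication options
PSK_MAX_LEN = 30                          # Preshared Key field limit
MUST_MATCH = ("mode", "p2_enc", "p2_auth", "ah_enabled")

def check_side(name, cfg):
    """Findings for one end of the tunnel, checked against the page's rules."""
    out = []
    if cfg["p2_enc"] not in P2_ENC:
        out.append(f"{name}: invalid Phase 2 Encryption {cfg['p2_enc']!r}")
    if cfg["p2_auth"] not in P2_AUTH:
        out.append(f"{name}: invalid Phase 2 Authentication {cfg['p2_auth']!r}")
    if "Null" in (cfg["p2_enc"], cfg["p2_auth"]) and not cfg["ah_enabled"]:
        out.append(f"{name}: Null selected without the AH Hash Algorithm")
    if cfg["mode"] == "ike" and len(cfg["psk"]) > PSK_MAX_LEN:
        out.append(f"{name}: Preshared Key exceeds {PSK_MAX_LEN} characters")
    if cfg["mode"] == "manual":
        for field in ("spi_in", "spi_out"):
            if not SPI_MIN <= cfg[field] <= SPI_MAX:
                out.append(f"{name}: {field} {cfg[field]:x} outside 100-ffffffff")
    return out

def check_tunnel(local, remote):
    """Return all findings for a tunnel; an empty list means both ends agree."""
    out = check_side("local", local) + check_side("remote", remote)
    for key in MUST_MATCH:
        if local[key] != remote[key]:
            out.append(f"mismatch: {key} differs between the two ends")
    if local["mode"] == remote["mode"] == "ike" and local["psk"] != remote["psk"]:
        out.append("mismatch: Preshared Key differs between the two ends")
    if local["mode"] == remote["mode"] == "manual":
        if local["spi_in"] != remote["spi_out"]:
            out.append("mismatch: local Incoming SPI != remote Outgoing SPI")
        if local["spi_out"] != remote["spi_in"]:
            out.append("mismatch: local Outgoing SPI != remote Incoming SPI")
    return out

# Constructed sample: manual keying with the SPI values from the page's example.
ROUTER = {"mode": "manual", "p2_enc": "3DES", "p2_auth": "SHA",
          "ah_enabled": False, "spi_in": 0x20123, "spi_out": 0x32102}
PEER_OK = dict(ROUTER, spi_in=0x32102, spi_out=0x20123)   # SPIs mirrored
PEER_BAD = dict(ROUTER, p2_auth="MD5")                    # SPIs copied, auth differs

if __name__ == "__main__":
    print(check_tunnel(ROUTER, PEER_OK))
    for finding in check_tunnel(ROUTER, PEER_BAD):
        print(finding)
```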
