Ipsec setup, Chapter 4, Advanced configuration – Cisco 4-Port SSL/IPSec VPN Router RVL200 User Manual
Page 46
Subnet
The default is Subnet. All computers on the remote subnet will be able to access the tunnel.
IP address
Enter the IP address.
Subnet Mask
Enter the subnet mask. The default is ...0.
IP Range
Specify a range of IP addresses within a subnet that will be able to access the tunnel.
IP range
Enter the range of IP addresses.
IPSec Setup
In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. This is done by sharing a key used by the encryption algorithm. For key management, the default mode is IKE with Preshared Key.
Keying Mode
Select IKE with Preshared Key or Manual. Both ends of a VPN tunnel must use the same mode of key management. After you have selected the mode, the settings available on this screen may change, depending on the selection you have made. Follow the instructions for the mode you want to use.
IKE with Preshared Key
IKE (Internet Key Exchange) is a protocol used to negotiate key material for a Security Association (SA). IKE uses the Preshared Key to authenticate the remote IKE peer.
Phase 1 DH Group
Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption
Select a method of encryption: DES (56-bit), 3DES (168-bit), AES-128 (128-bit), AES-192 (192-bit), or AES-256 (256-bit). The method determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is the most secure. Make sure both ends of the VPN tunnel use the same encryption method.
Phase 1 Authentication
Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Phase 1 SA Life Time
Configure the length of time a VPN tunnel is active in Phase 1. The default value is 8800 seconds.
Perfect Forward Secrecy
If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication, so hackers using brute force to break encryption keys will not be able to obtain future IPSec keys.
Phase 2 DH Group
If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1). There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You do not have to use the same DH Group that you used for Phase 1.
Phase 2 Encryption
Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. Select a method of encryption: NULL, DES (56-bit), 3DES (168-bit), AES-128 (128-bit), AES-192 (192-bit), or AES-256 (256-bit). It determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is the most secure. Both ends of the VPN tunnel must use the same Phase 2 Encryption setting.
Phase 2 Authentication
Select a method of authentication, NULL, MD5, or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Both ends of the VPN tunnel must use the same Phase 2 Authentication setting.
Phase 2 SA Life Time
Configure the length of time a VPN tunnel is active in Phase 2. The default is 00 seconds.
Preshared Key
This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of 30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.
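The settings above only work when both peers agree, and several of the offered choices are weaker than the recommended ones. The following Python check is an added example, not part of the Cisco manual or the router firmware: it compares two peers' IKE with Preshared Key settings, reports mismatches that would stop the tunnel negotiating, and flags weak selections. The field names, the two sample configurations, and the assumption that the router treats the keyboard form and the hex form of a key (My_@123 and 4d795f40313233) as the same key are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the manual's IKE with Preshared Key screen.
DH_BITS = {1: 768, 2: 1024, 5: 1536}
MAX_PSK_LEN = 30                  # stated maximum length of the Preshared Key

@dataclass
class IkeSettings:                # one peer's settings (field names are constructed)
    p1_dh: int
    p1_enc: str
    p1_auth: str
    pfs: bool
    p2_dh: Optional[int]          # only meaningful when PFS is enabled
    p2_enc: str
    p2_auth: str
    psk: str

def psk_bytes(psk: str) -> bytes:
    """Normalise a key. Assumption: the router treats the keyboard form and its
    hex form as the same key (the manual's My_@123 and 4d795f40313233)."""
    try:
        return bytes.fromhex(psk)
    except ValueError:            # not valid hex, so it is a keyboard string
        return psk.encode()

def check_tunnel(a: IkeSettings, b: IkeSettings) -> List[str]:
    """Return mismatches (the tunnel will not negotiate) and weak choices."""
    issues = []
    for f in ("p1_dh", "p1_enc", "p1_auth", "pfs", "p2_enc", "p2_auth"):
        if getattr(a, f) != getattr(b, f):
            issues.append(f"mismatch: {f} {getattr(a, f)!r} vs {getattr(b, f)!r}")
    if a.pfs and (a.p2_dh is None or a.p2_dh != b.p2_dh):
        issues.append("mismatch: PFS enabled but Phase 2 DH Group unset or different")
    if psk_bytes(a.psk) != psk_bytes(b.psk):
        issues.append("mismatch: Preshared Key differs")
    for side in (a, b):
        if len(side.psk) > MAX_PSK_LEN:
            issues.append(f"invalid: Preshared Key exceeds {MAX_PSK_LEN} characters")
        if side.p1_enc == "DES" or side.p2_enc in ("DES", "NULL"):
            issues.append("weak: DES or NULL encryption; the manual recommends AES-256")
        if "MD5" in (side.p1_auth, side.p2_auth) or side.p2_auth == "NULL":
            issues.append("weak: MD5 or NULL authentication; the manual recommends SHA")
        weak_p2 = side.pfs and side.p2_dh is not None and DH_BITS[side.p2_dh] < 1536
        if DH_BITS[side.p1_dh] < 1536 or weak_p2:
            issues.append("weak: DH group below Group 5 (1,536 bits)")
        if not side.pfs:
            issues.append("weak: PFS disabled; Phase 2 keys are not freshly generated")
    return sorted(set(issues))
```

An empty list means the two peers agree and none of the weak options are in use.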
Manual
If you select Manual, you generate the key yourself, and no key negotiation is needed. Manual key management is used in small static environments or for troubleshooting purposes.