D-Link DRO-210i User Manual

Virtual Private Network

Add/Modify Tunnel

Tunnel ID

Enter the alphanumeric string that identifies the remote tunnel.

Tunnel Source Interface

Select the WAN interface, which serves as the tunnel's source endpoint.

Termination Type

Select the termination type (Domain name or IP address), which a
remote endpoint can use.

Termination IP/Name

Enter the remote gateway's IP address or domain name depending on the
termination type selected. When Domain Name is configured, ensure that
DNS Proxy is configured with the appropriate DNS Server IP address.

Shared Key

Enter the secret key that should be used on both endpoints in order to
establish Phase 1 negotiation. The IPSec peers use this key to
authenticate each other.

Tunnel Type

Only Public IPSec VPN tunnels are supported.

Phase 1 Proposal

Mode

Select the Phase 1 negotiation mode: Main or Aggressive. In Main mode, all
communications between the two endpoints of an IPSec VPN tunnel are
encrypted. In Aggressive mode, there is no encryption in the Phase 1
negotiation.

DH Group

Select the DH algorithm used to generate the shared key in a secure manner.
This shared key is used for deriving the encryption and hash algorithm keys
used during Phase 1 negotiation.

Group 1 generates a 768-bit key.

Group 2 generates a 1024-bit key.

The same DH Group must be used on both ends of an IPSec VPN tunnel.

IKE Life Duration

Enter the life duration (in seconds) of the Phase 1 key. When it expires, the
two IPSec peers should trigger Phase 1 negotiation again to set up a fresh
IPSec tunnel. The minimum life duration is 300 seconds and the maximum
life duration is 86400 seconds.

IKE Hash

Select the algorithm that will be used to ensure that the messages
exchanged between the two IPSec VPN tunnel endpoints have been
received exactly as they were sent. In other words, a hash algorithm is used
to generate a binary number by a mathematical operation using the entire
message. The resulting number is called a message digest. The same
operation is performed when the message is received, and if there has
been any change in the message during transit, the resulting message
digest will be different and the message will be rejected. The
options are:

MD5 - a 128-bit message digest

SHA - a 160-bit message digest.

Exactly the same IKE Hash algorithm must be configured on both ends of a
VPN tunnel.
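
An added example, not from the D-Link manual or firmware: a Python check of the Phase 1 constraints described above (the same DH Group, IKE Hash and Shared Key on both ends, and an IKE Life Duration between 300 and 86400 seconds). The `Phase1` structure, the function names and the sample values are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

# Allowed values as listed on this manual page.
MODES = {"Main", "Aggressive"}
DH_GROUPS = {1: 768, 2: 1024}        # group -> key size in bits
HASHES = {"MD5": 128, "SHA": 160}    # algorithm -> digest size in bits
LIFE_MIN, LIFE_MAX = 300, 86400      # seconds

@dataclass
class Phase1:
    """One endpoint's Phase 1 settings (hypothetical structure, not a D-Link format)."""
    mode: str
    dh_group: int
    ike_hash: str
    life_seconds: int
    shared_key: str

def check_endpoint(name, p):
    """Return the problems found in a single endpoint's values."""
    problems = []
    if p.mode not in MODES:
        problems.append(f"{name}: unknown mode {p.mode!r}")
    if p.dh_group not in DH_GROUPS:
        problems.append(f"{name}: unsupported DH group {p.dh_group}")
    if p.ike_hash not in HASHES:
        problems.append(f"{name}: unsupported IKE hash {p.ike_hash!r}")
    if not LIFE_MIN <= p.life_seconds <= LIFE_MAX:
        problems.append(f"{name}: IKE life duration {p.life_seconds}s outside {LIFE_MIN}-{LIFE_MAX}")
    return problems

def check_tunnel(local, remote):
    """Return per-endpoint problems plus any mismatch between the two ends."""
    problems = check_endpoint("local", local) + check_endpoint("remote", remote)
    if local.dh_group != remote.dh_group:
        problems.append("DH group differs between endpoints")
    if local.ike_hash != remote.ike_hash:
        problems.append("IKE hash differs between endpoints")
    # Constant-time comparison; the key itself is never written to the report.
    if not hmac.compare_digest(local.shared_key.encode(), remote.shared_key.encode()):
        problems.append("shared key differs between endpoints")
    return problems

# Constructed sample values, not taken from a real device.
LOCAL = Phase1("Main", 2, "SHA", 28800, "example-psk-1")
REMOTE = Phase1("Main", 1, "SHA", 120, "example-psk-1")

if __name__ == "__main__":
    print("\n".join(check_tunnel(LOCAL, REMOTE)))
```
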

IKE Encryption

Select the encryption algorithm (DES, 3DES) that will be used to encrypt
the messages passed between the VPN tunnel endpoints during the Phase
1 negotiation. The length of the key for the 3DES algorithm is three times