D-Link DRO-210i User Manual
Page 51
Virtual Private Network
Add/Modify Tunnel
Tunnel ID
Enter the alphanumeric string that identifies the remote tunnel.
Tunnel Source Interface
Select the WAN interface, which serves as the tunnel's source endpoint.
Termination Type
Select the termination type (Domain name or IP address), which a
remote endpoint can use.
Termination IP/Name
Enter the remote gateway's IP address or domain name depending on the
termination type selected. When Domain Name is configured, ensure that
DNS Proxy is configured with the appropriate DNS Server IP address.
Shared Key
Enter the secret key that should be used on both endpoints in order to
establish Phase 1 negotiation. The IPSec peers use this key to
authenticate each other.
Tunnel Type
Only Public IPSec VPN tunnels are supported.
Phase 1 Proposal
Mode
Select the Phase 1 negotiation mode: Main or Aggressive. In Main mode,
all communications between the two endpoints of an IPSec VPN tunnel are
encrypted. In Aggressive mode, there is no encryption in the Phase 1
negotiation.
DH Group
Select the DH algorithm to generate the shared keys in a secure manner.
This shared key is used for deriving encryption and hash algorithm keys
used during Phase 1 negotiation.
• Group 1 generates a 768-bit key.
• Group 2 generates a 1024-bit key.
The same DH Group must be used on both ends of an IPSec VPN tunnel.
IKE Life Duration
Enter the life duration (in seconds) of the Phase 1 key. When it expires,
the two IPSec peers should trigger Phase 1 negotiation again to set up a
fresh IPSec tunnel. The minimum life duration is 300 seconds and the
maximum life duration is 86400 seconds.
IKE Hash
Select the algorithm that will be used to ensure that the messages
exchanged between the two IPSec VPN tunnel endpoints have been
received exactly as they were sent. In other words, a Hash algorithm is used
to generate a binary number by a mathematical operation using the entire
message. The resulting number is called a message digest. The same
operation is performed when the message is received, and if there has
been any change in the message during transit, the resulting message
digest number will be different and the message will be rejected. The
options are:
• MD5 - a 128-bit message digest.
• SHA - a 160-bit message digest.
The user must have exactly the same IKE Hash algorithm on both ends of a
VPN tunnel.
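The Phase 1 rules described so far (the same shared key, DH Group and IKE Hash on both ends, and a life duration of 300 to 86400 seconds) can be checked before the settings are entered on the two gateways. The following Python script is an added example, not D-Link code; the dictionary keys and the sample values are hypothetical and constructed for illustration.

```python
# Added example; the dict keys below are hypothetical names, not the router's.
LIFE_MIN, LIFE_MAX = 300, 86400        # IKE Life Duration range, in seconds
DH_BITS = {1: 768, 2: 1024}            # DH Group -> key size listed above
HASH_BITS = {"MD5": 128, "SHA": 160}   # IKE Hash -> digest size listed above
MODES = ("Main", "Aggressive")
MUST_MATCH = ("shared_key", "dh_group", "ike_hash")


def check_endpoint(name, cfg):
    """Return the problems found in one endpoint's Phase 1 settings."""
    problems = []
    if cfg.get("mode") not in MODES:
        problems.append(f"{name}: mode must be Main or Aggressive")
    if cfg.get("dh_group") not in DH_BITS:
        problems.append(f"{name}: DH group must be 1 or 2")
    if cfg.get("ike_hash") not in HASH_BITS:
        problems.append(f"{name}: IKE hash must be MD5 or SHA")
    life = cfg.get("ike_life")
    if not isinstance(life, int) or not LIFE_MIN <= life <= LIFE_MAX:
        problems.append(f"{name}: IKE life must be {LIFE_MIN}-{LIFE_MAX} s")
    if not cfg.get("shared_key"):
        problems.append(f"{name}: shared key is empty")
    return problems


def check_tunnel(local, remote):
    """Return (errors, warnings) for the two ends of one tunnel."""
    errors = check_endpoint("local", local) + check_endpoint("remote", remote)
    for field in MUST_MATCH:
        if local.get(field) != remote.get(field):
            # Name the field only, so the shared key never reaches a log.
            errors.append(f"mismatch: {field} differs between the endpoints")
    warnings = []
    for name, cfg in (("local", local), ("remote", remote)):
        if cfg.get("mode") == "Aggressive":
            warnings.append(f"{name}: Phase 1 negotiation is not encrypted")
        if cfg.get("dh_group") == 1:
            warnings.append(f"{name}: Group 1 is the smaller key (768-bit)")
        if cfg.get("ike_hash") == "MD5":
            warnings.append(f"{name}: MD5 is the shorter digest (128-bit)")
    return errors, warnings


# Constructed sample settings for the two ends of one tunnel.
LOCAL = {"mode": "Main", "dh_group": 2, "ike_hash": "SHA",
         "ike_life": 3600, "shared_key": "constructed-example-key"}
REMOTE = {"mode": "Aggressive", "dh_group": 1, "ike_hash": "SHA",
          "ike_life": 120, "shared_key": "constructed-example-key"}

if __name__ == "__main__":
    errs, warns = check_tunnel(LOCAL, REMOTE)
    print("\n".join(errs + warns))
```

Errors are settings the tunnel cannot be established with; warnings mark the smaller of the two options this page lists for a field, or the mode this page describes as unencrypted.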
IKE Encryption
Select the encryption algorithm (DES, 3DES) that will be used to encrypt
the messages passed between the VPN tunnel endpoints during the Phase
1 negotiation. The length of the key for the 3DES algorithm is three times