Cisco WRV200 User Guide - Page 28

Remote Secure Gateway, Key Management, Tunnel Options, IP Addr., Auto IKE, Aggressive - current time

Page 28 highlights

Chapter 5: Configuring the Wireless-G Router

the VPN will terminate at the Router, instead of the PC; or Any, to allow any computer to access the tunnel. The screen will change depending on the selected option. The options are described below.

• Subnet: Enter the IP Address and Mask of the remote VPN router in the fields provided. To allow access to the entire IP subnet, enter 0 for the last set of the IP Address (e.g., 192.168.1.0).
• IP Addr.: Enter the IP Address of the remote VPN router. The Mask will be displayed.
• Host: The VPN tunnel will terminate at the router with this setting. Use Port Range Forwarding to direct traffic to the correct computer. Refer to the Firewall > Port Range Forwarding screen.
• Any: Allows any computer to access the tunnel.

Remote Secure Gateway

The Remote Secure Gateway is the VPN device, such as a second VPN router, on the remote end of the VPN tunnel. Enter the IP Address of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN router, a VPN server, or a computer with VPN client software that supports IPSec. The IP address may be either static (permanent) or dynamic, depending on the settings of the remote VPN device.

If the IP Address is static, select IP Addr. and enter the IP address. Make sure that you have entered the IP address correctly, or the connection cannot be made. Remember, this is NOT the IP address of the local VPN Router; it is the IP address of the remote VPN router or device with which you wish to communicate. If the IP address is dynamic, select FQDN for DDNS or Any. If FQDN is selected, enter the domain name of the remote router, so the Router can locate its current IP address using DDNS. If Any is selected, the Router will accept requests from any IP address.

Key Management

• Key Exchange Method: IKE (Internet Key Exchange) is the protocol used to negotiate key material for a Security Association (SA). IKE uses the Pre-shared Key to authenticate the remote IKE peer. Select Auto (IKE) for the Key Exchange Method. Both ends of a VPN tunnel must use the same mode of key management. The settings available on this screen may change, depending on the selection you have made.
• Operation Mode: Use this option to set the operation mode to Main (default) or Aggressive. Main Mode operation is supported in ISAKMP SA establishment.
• ISAKMP Encryption Method: There are four different types of encryption: 3DES, AES-128, AES-192, or AES-256. You may choose any of these, but it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel.
• ISAKMP Authentication Method: There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication.
• ISAKMP DH Group: This is for Diffie-Hellman key negotiation. There are 7 groups available for ISAKMP SA establishment. Groups 1024, 1536, 2048, 3072, 4096, 6144, and 8192 represent the different modulus sizes, in bits, used in Diffie-Hellman mode operation. The default value is 1024.
• ISAKMP Key Lifetime(s): This field specifies how long an ISAKMP key channel should be kept before being renegotiated. The default is 28800 seconds.
• PFS: PFS (Perfect Forward Secrecy) ensures that the initial key exchange and IKE proposals are secure. To use PFS, click the Enabled radio button.
• IPSec Encryption Method: Using encryption also helps make your connection more secure. There are four different types of encryption: 3DES, AES-128, AES-192, or AES-256. You may choose any of these, but it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel.
• IPSec Authentication Method: Authentication acts as another level of security. There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication. Alternatively, both ends of the tunnel may choose to disable authentication.
• IPSec DH Group: This is the same as the ISAKMP DH Group setting.
• IPSec Key Lifetime(s): In this field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you'd like the key to be used until a re-key negotiation between each endpoint is completed. The default is 3600 seconds.
• Pre-shared Key: Enter a series of numbers or letters in the Pre-shared Key field. Based on this word, which MUST be entered at both ends of the tunnel, a key is generated to scramble (encrypt) the data being transmitted over the tunnel, where it is unscrambled (decrypted). You may use any combination of up to 24 numbers or letters in this field. No special characters or spaces are allowed.

Tunnel Options

• Dead Peer Detection: You can select Dead Peer Detection (DPD) to detect the status of a remote Peer.
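The Key Management section above repeats one rule for nearly every field: both ends of the tunnel must use the same setting, and it recommends SHA over MD5 and constrains the Pre-shared Key to at most 24 letters or digits. The following is an added example (not code from Cisco or the WRV200 firmware) that models one end's settings as named on this screen, lists the fields that differ between two ends, flags the choices the manual itself discourages or that a reviewer would question, and generates a maximum-entropy key within the field's constraints. The field names, the choice to exclude the two lifetimes from the must-match set, and the weak-setting rules beyond "SHA over MD5" are assumptions of the example.

```python
import math
import secrets
import string
from dataclasses import dataclass

PSK_ALPHABET = string.ascii_letters + string.digits  # field allows letters/digits only
PSK_MAX_LEN = 24                                     # field allows at most 24 characters
# Settings the manual says both ends must share (lifetimes excluded: assumption)
MUST_MATCH = ("mode", "isakmp_enc", "isakmp_auth", "dh_group", "pfs",
              "ipsec_enc", "ipsec_auth")
@dataclass(frozen=True)
class TunnelConfig:
    """One end's Key Management settings, named as on the WRV200 screen."""
    mode: str             # "Main" or "Aggressive"
    isakmp_enc: str       # 3DES, AES-128, AES-192 or AES-256
    isakmp_auth: str      # MD5 or SHA
    dh_group: int         # Diffie-Hellman modulus bits: 1024 ... 8192
    isakmp_lifetime: int  # seconds, default 28800
    pfs: bool
    ipsec_enc: str
    ipsec_auth: str       # MD5, SHA, or "None" when both ends disable it
    ipsec_lifetime: int   # seconds, default 3600

def mismatches(local, remote):
    """Names of must-match settings that differ between the two ends."""
    return [f for f in MUST_MATCH if getattr(local, f) != getattr(remote, f)]

def weak_settings(cfg):
    """Choices the manual discourages or that an auditor would question."""
    findings = []
    if cfg.mode == "Aggressive":
        findings.append("Aggressive mode selected; Main is the default")
    if "MD5" in (cfg.isakmp_auth, cfg.ipsec_auth):
        findings.append("MD5 authentication selected; manual recommends SHA")
    if cfg.ipsec_auth == "None":
        findings.append("IPSec authentication disabled")
    if cfg.dh_group <= 1024:
        findings.append("DH group 1024 (the default); pick a larger group")
    if not cfg.pfs:
        findings.append("PFS not enabled")
    return findings
def generate_psk(length=PSK_MAX_LEN):
    """Random key that fits the field: letters/digits only, at most 24 chars."""
    if not 1 <= length <= PSK_MAX_LEN:
        raise ValueError("PSK length must be between 1 and 24")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
def psk_entropy_bits(psk):
    """Entropy in bits of a uniformly random key over the allowed alphabet."""
    return len(psk) * math.log2(len(PSK_ALPHABET))
```

A full-length random key over 62 symbols gives roughly 142 bits, so the 24-character limit is not what weakens a PSK; a short or guessable word is.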