Cisco RVL200 User Guide - Page 46

IPSec Setup, IKE with Preshared Key, Manual

Get Cisco RVL200 - Small Business SSL/IPSec VPN Router PDF manuals and user guides
UPC - 745883571888
View all Cisco RVL200 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 46 highlights

Chapter 4 Advanced Configuration Subnet The default is Subnet. All computers on the remote subnet will be able to access the tunnel. IP address Enter the IP address. Subnet Mask Enter the subnet mask. The default is 255.255.255.0. IP Range Specify a range of IP addresses within a subnet that will be able to access the tunnel. IP range Enter the range of IP addresses. IPSec Setup In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. This is done by sharing a key to the encryption code. For key management, the default mode is IKE with Preshared Key. Keying Mode Select IKE with Preshared Key or Manual. Both ends of a VPN tunnel must use the same mode of key management. After you have selected the mode, the settings available on this screen may change, depending on the selection you have made. Follow the instructions for the mode you want to use. IKE with Preshared Key IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the Preshared Key to authenticate the remote IKE peer. Phase 1 DH Group Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used during Phase 1 of the authentication process to establish preshared keys. There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. Phase 1 Encryption Select a method of encryption: DES (56-bit), 3DES (168-bit), AES-128 (128-bit), AES-192 (192bit), or AES-256 (256-bit). The method determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is the most secure. Make sure both ends of the VPN tunnel use the same encryption method. Phase 1 Authentication Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method. 4-Port SSL/IPSec VPN Router Phase 1 SA Life Time Configure the length of time a VPN tunnel is active in Phase 1. The default value is 28800 seconds. Perfect Forward Secrecy If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication, so hackers using brute force to break encryption keys will not be able to obtain future IPSec keys. Phase 2 DH Group If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1). There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You do not have to use the same DH Group that you used for Phase 1. Phase 2 Encryption Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. Select a method of encryption: NULL, ES (56-bit), 3DES (168-bit), AES-128 (128-bit), AES-192 (192-bit), or AES256 (256-bit). It determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is the most secure. Both ends of the VPN tunnel must use the same Phase 2 Encryption setting. Phase 2 Authentication Select a method of authentication, NULL, MD5, or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Both ends of the VPN tunnel must use the same Phase 2 Authentication setting. Phase 2 SA Life Time Configure the length of time a VPN tunnel is active in Phase 2. The default is 3600 seconds. Preshared Key This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of 30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security. Manual If you select Manual, you generate the key yourself, and no key negotiation is needed. Manual key management is used in small static environments or for troubleshooting purposes. 38

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
Chapter 4
Advanced Configuration
´8
4-Port SSL/IPSec VPN Router
Subnet
The default is
Subnet
. All computers on the remote subnet
will be able to access the tunnel.
IP address
Enter the IP address.
Subnet Mask
Enter the subnet mask. The default is
³µµ.³µµ.³µµ.0
.
IP Range
Specify a range of IP addresses within a subnet that will be
able to access the tunnel.
IP range
Enter the range of IP addresses.
IPSec Setup
In order for any encryption to occur, the two ends of a
VPN tunnel must agree on the methods of encryption,
decryption, and authentication. This is done by sharing
a key to the encryption code. For key management, the
default mode is
IKE w±th Preshared Key
.
Key±ng Mode
Select
IKE w±th Preshared Key
or
Manual
.
Both ends of a VPN tunnel must use the same mode of
key management. After you have selected the mode, the
settings available on this screen may change, depending
on the selection you have made. Follow the instructions
for the mode you want to use.
IKE with Preshared Key
IKE is an Internet Key Exchange protocol used to negotiate
key material for Security Association (SA). IKE uses the
Preshared Key to authenticate the remote IKE peer.
Phase ² DH Group
Phase 1 is used to create the SA. DH
(Diffie-Hellman) is a key exchange protocol used during
Phase 1 of the authentication process to establish pre-
shared keys. There are three groups of different prime
key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits.
Group 5 is 1,536 bits. If network speed is preferred, select
Group ²
. If network security is preferred, select
Group µ
.
Phase ² Encrypt±on
Select a method of encryption:
DES
(56-bit),
´DES
(168-bit),
AES-²³8
(128-bit),
AES-²9³
(192-
bit), or
AES-³µ¶
(256-bit). The method determines the
length of the key used to encrypt or decrypt ESP packets.
AES-256 is recommended because it is the most secure.
Make sure both ends of the VPN tunnel use the same
encryption method.
Phase
²
Authent±cat±on
Select
a
method
of
authentication,
MDµ
or
SHA
. The authentication method
determines how the ESP packets are validated. MD5 is
a one-way hashing algorithm that produces a 128-bit
digest. SHA is a one-way hashing algorithm that produces
a 160-bit digest. SHA is recommended because it is more
secure. Make sure both ends of the VPN tunnel use the
same authentication method.
Phase ² SA L±fe T±me
Configure the length of time a VPN
tunnel is active in Phase 1. The default value is
³8800
seconds.
Perfect Forward Secrecy
If the Perfect Forward Secrecy
(PFS) feature is enabled, IKE Phase 2 negotiation will
generate new key material for IP traffic encryption and
authentication, so hackers using brute force to break
encryption keys will not be able to obtain future IPSec
keys.
Phase ³ DH Group
If the Perfect Forward Secrecy feature
is disabled, then no new keys will be generated, so you do
not need to set the Phase 2 DH Group (the key for Phase 2
will match the key in Phase 1).
There are three groups of different prime key lengths.
Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is
1,536 bits. If network speed is preferred, select
Group ²
.
If network security is preferred, select
Group µ
. You do
not have to use the same DH Group that you used for
Phase 1.
Phase ³ Encrypt±on
Phase 2 is used to create one or
more IPSec SAs, which are then used to key IPSec sessions.
Select a method of encryption:
NULL
,
ES
(56-bit),
´DES
(168-bit),
AES-²³8
(128-bit),
AES-²9³
(192-bit), or
AES-
³µ¶
(256-bit). It determines the length of the key used to
encrypt or decrypt ESP packets. AES-256 is recommended
because it is the most secure. Both ends of the VPN tunnel
must use the same Phase 2 Encryption setting.
Phase
³
Authent±cat±on
Select
a
method
of
authentication,
NULL
,
MDµ
, or
SHA
. The authentication
method determines how the ESP packets are validated.
MD5 is a one-way hashing algorithm that produces a
128-bit digest. SHA is a one-way hashing algorithm that
produces a 160-bit digest. SHA is recommended because
it is more secure. Both ends of the VPN tunnel must use
the same Phase 2 Authentication setting.
Phase ³ SA L±fe T±me
Configure the length of time a VPN
tunnel is active in Phase 2. The default is
´¶00
seconds.
Preshared Key
This specifies the pre-shared key used
to authenticate the remote IKE peer. Enter a key of
keyboard and hexadecimal characters, e.g., My_@123
or 4d795f40313233. This field allows a maximum of 30
characters and/or hexadecimal values. Both ends of
the VPN tunnel must use the same Preshared Key. It is
strongly recommended that you change the Preshared
Key periodically to maximize VPN security.
Manual
If you select Manual, you generate the key yourself, and
no key negotiation is needed. Manual key management is
used in small static environments or for troubleshooting
purposes.