Cisco RVS4000 User Guide - Page 28

IPSec Setup, Status, Remote Security Group Type - tunnel all traffic

Chapter 5: Setting Up and Configuring the Router
4-Port Gigabit Security Router with VPN (page 21)

Remote Security Group Type
Select the remote LAN user(s) behind the remote gateway who can use this VPN tunnel. This may be a single IP address or a subnetwork. Note that the Remote Security Group Type must match the other router's Local Security Group Type.

IP Address
Enter the IP address on the remote network.

Subnet Mask
If the Remote Security Group Type is set to Subnet, enter the mask that determines the IP addresses on the remote network.

IPSec Setup

Keying Mode
The router supports both automatic and manual key management. When automatic key management is chosen, IKE (Internet Key Exchange) protocols are used to negotiate key material for the SA (Security Association). If manual key management is selected, no key negotiation is needed; manual key management is typically used in small static environments or for troubleshooting. Note that both sides must use the same Key Management method.

Phase 1
• Encryption: The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Only 3DES is supported. Note that both sides must use the same Encryption method.
• Authentication: Authentication determines the method used to authenticate the ESP packets. Either MD5 or SHA1 may be selected. Note that both sides (VPN endpoints) must use the same Authentication method.
• MD5: A one-way hashing algorithm that produces a 128-bit digest.
• SHA1: A one-way hashing algorithm that produces a 160-bit digest.
• Group: The Diffie-Hellman (DH) group to be used for key exchange. Select the 768-bit (Group 1), 1024-bit (Group 2), or 1536-bit (Group 5) algorithm. Group 5 provides the most security, Group 1 the least.
• Key Life Time: This specifies the lifetime of the IKE-generated key. When the time expires, a new key is renegotiated automatically. Enter a value from 300 to 100,000,000 seconds. The default is 28800 seconds.

Phase 2
• Encryption: The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Only 3DES is supported. Note that both sides must use the same Encryption method.
• Authentication: Authentication determines the method used to authenticate the ESP packets. Either MD5 or SHA1 may be selected. Note that both sides (VPN endpoints) must use the same Authentication method.
• MD5: A one-way hashing algorithm that produces a 128-bit digest.
• SHA1: A one-way hashing algorithm that produces a 160-bit digest.
• Perfect Forward Secrecy: If PFS is enabled, IKE Phase 2 negotiation generates new key material for IP traffic encryption and authentication. Note that both sides must have this selected.
• Preshared Key: IKE uses the Preshared Key field to authenticate the remote IKE peer. Both character and hexadecimal values are acceptable in this field; e.g., "My_@123" or "0x4d795f40313233". Note that both sides must use the same Preshared Key.
• Group: The Diffie-Hellman (DH) group to be used for key exchange. Select the 768-bit (Group 1), 1024-bit (Group 2), or 1536-bit (Group 5) algorithm. Group 5 provides the most security, Group 1 the least.
• Key Life Time: This specifies the lifetime of the IKE-generated key. When the time expires, a new key is renegotiated automatically. Enter a value from 300 to 100,000,000 seconds. The default is 3600 seconds.

Status

Status
Displays the connection status for the selected tunnel. The state is either connected or disconnected.

Connect
Click this button to establish a connection for the current VPN tunnel. If you have made any changes, click Save Settings first to apply your changes.

Disconnect
Click this button to break the connection for the current VPN tunnel.

View Log
Click this button to view the VPN log, which shows details of each tunnel established.

Advanced
Click this button to display the following additional settings.
• Aggressive Mode: This specifies the type of Phase 1 exchange, Main mode or Aggressive mode. Check the box to select Aggressive Mode, or leave the box unchecked (default) to select Main mode. Aggressive mode requires half of the Main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, select Main mode.
• NetBIOS Broadcasts: Check the box to enable NetBIOS traffic to pass through the VPN tunnel. By default, the RVS4000 blocks these broadcasts.

Click Save Settings to save the settings you have entered. Click Cancel Changes to cancel any changes you have entered.
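Most tunnel failures on a pair of routers like this come from the two ends disagreeing on one of the fields above. The following Python is an added worked example, not code from the Cisco guide or firmware: it models two tunnel endpoints with the fields this page describes and applies the page's own rules (Remote Security Group Type must match the peer's Local Security Group Type; same Key Management method, Encryption and Authentication on both sides; PFS selected on both; identical Preshared Key whether typed as characters or as "0x" hexadecimal; Key Life Time within 300 to 100,000,000 seconds), and it flags the choices the page calls weakest (DH Group 1, Aggressive Mode) as warnings. The `Endpoint` and `Phase` layout, the field names and the sample site values are assumptions made for illustration.

```python
"""Consistency check for two RVS4000-style IPsec tunnel endpoints.

Added example; the data model (Endpoint, Phase, field names) and the
sample values are constructed for illustration, not taken from the guide.
"""
from dataclasses import dataclass

LIFETIME_MIN = 300            # guide: Key Life Time 300 .. 100,000,000 s
LIFETIME_MAX = 100_000_000
SUPPORTED_ENCRYPTION = {"3DES"}          # guide: only 3DES is supported
SUPPORTED_AUTHENTICATION = {"MD5", "SHA1"}
SUPPORTED_GROUPS = {1, 2, 5}             # 768-, 1024-, 1536-bit DH groups


@dataclass
class Phase:
    encryption: str
    authentication: str
    group: int
    key_life_time: int


@dataclass
class Endpoint:
    name: str
    local_group_type: str    # "IP" or "Subnet" (Local Security Group Type)
    remote_group_type: str   # "IP" or "Subnet" (Remote Security Group Type)
    keying_mode: str         # "IKE" (automatic) or "Manual"
    phase1: Phase
    phase2: Phase
    pfs: bool
    preshared_key: str       # character form or "0x..." hexadecimal form
    aggressive_mode: bool = False


def psk_bytes(value: str) -> bytes:
    """Normalize the Preshared Key field to raw bytes.

    The guide accepts either a character string or a "0x"-prefixed hex
    string; "My_@123" and "0x4d795f40313233" denote the same key.
    """
    if value[:2].lower() == "0x":
        return bytes.fromhex(value[2:])
    return value.encode("utf-8")


def check_phase(label: str, phase: Phase, problems: list, warnings: list) -> None:
    """Validate one endpoint's Phase 1 or Phase 2 settings on their own."""
    if phase.encryption not in SUPPORTED_ENCRYPTION:
        problems.append(f"{label}: encryption {phase.encryption!r} unsupported (only 3DES)")
    if phase.authentication not in SUPPORTED_AUTHENTICATION:
        problems.append(f"{label}: authentication {phase.authentication!r} unsupported")
    if phase.group not in SUPPORTED_GROUPS:
        problems.append(f"{label}: DH group {phase.group} unsupported (1, 2 or 5)")
    elif phase.group == 1:
        warnings.append(f"{label}: DH Group 1 (768-bit) gives the least security; Group 5 the most")
    if not LIFETIME_MIN <= phase.key_life_time <= LIFETIME_MAX:
        problems.append(f"{label}: Key Life Time {phase.key_life_time} outside "
                        f"{LIFETIME_MIN}..{LIFETIME_MAX} seconds")


def check_pair(a: Endpoint, b: Endpoint) -> tuple[list, list]:
    """Return (problems, warnings) for a tunnel between endpoints a and b."""
    problems: list = []
    warnings: list = []
    for ep in (a, b):
        check_phase(f"{ep.name} Phase 1", ep.phase1, problems, warnings)
        check_phase(f"{ep.name} Phase 2", ep.phase2, problems, warnings)
        if ep.aggressive_mode:
            warnings.append(f"{ep.name}: Aggressive Mode selected; guide recommends Main mode")
    # Remote Security Group Type must match the other router's Local type.
    for x, y in ((a, b), (b, a)):
        if x.remote_group_type != y.local_group_type:
            problems.append(f"{x.name} remote group type {x.remote_group_type!r} != "
                            f"{y.name} local group type {y.local_group_type!r}")
    if a.keying_mode != b.keying_mode:
        problems.append("Keying Mode differs between endpoints")
    for phase_name in ("phase1", "phase2"):
        pa, pb = getattr(a, phase_name), getattr(b, phase_name)
        if pa.encryption != pb.encryption:
            problems.append(f"{phase_name}: Encryption differs between endpoints")
        if pa.authentication != pb.authentication:
            problems.append(f"{phase_name}: Authentication differs between endpoints")
    if a.pfs != b.pfs:
        problems.append("Perfect Forward Secrecy must be selected on both sides")
    if psk_bytes(a.preshared_key) != psk_bytes(b.preshared_key):
        problems.append("Preshared Key differs between endpoints")
    return problems, warnings


# Constructed sample pair: identical proposals, PSK typed two different ways.
DEMO_A = Endpoint("Site A", "Subnet", "IP", "IKE",
                  Phase("3DES", "SHA1", 5, 28800), Phase("3DES", "SHA1", 5, 3600),
                  pfs=True, preshared_key="My_@123")
DEMO_B = Endpoint("Site B", "IP", "Subnet", "IKE",
                  Phase("3DES", "SHA1", 5, 28800), Phase("3DES", "SHA1", 5, 3600),
                  pfs=True, preshared_key="0x4d795f40313233")


def mismatched_example() -> tuple[Endpoint, Endpoint]:
    """Constructed peer for DEMO_A with four faults and one weak choice."""
    bad_b = Endpoint("Site B", "IP", "Subnet", "IKE",
                     Phase("3DES", "SHA1", 5, 100),      # lifetime below 300
                     Phase("3DES", "MD5", 5, 3600),      # Phase 2 auth differs
                     pfs=False,                          # PFS off on one side
                     preshared_key="0x4d795f40313234",   # last byte differs
                     aggressive_mode=True)               # weaker exchange
    return DEMO_A, bad_b


if __name__ == "__main__":
    for pair in ((DEMO_A, DEMO_B), mismatched_example()):
        probs, warns = check_pair(*pair)
        print(f"{pair[0].name} <-> {pair[1].name}: {len(probs)} problem(s), {len(warns)} warning(s)")
        for line in probs + warns:
            print("  -", line)
```

Running the script reports no problems for the first pair (the hex and character spellings of the key compare equal once normalized) and lists the four mismatches plus the Aggressive Mode warning for the second, which is the kind of checklist worth running before clicking Connect on either router.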