58
Figure 54 IPSec Connection - Gateway to Gateway
If the remote Gateway has a LAN IP address of 192.168.1.1 and
a subnet mask of 255.255.255.0 then the LAN IP address of the
remote subnet is 192.168.1.0.
The Gateways must be configured with LAN IP address ranges
that do not overlap.
■ Remote Subnet address — this is set as 255.255.255.0 as
default.
■ Tunnel Shared Key — this is the password for the connection
and is a combination of letters, numbers and punctuation and
can be up to 64 characters in length.
If you are creating a Gateway to Gateway connection you have
no need to remember the Tunnel Shared Key once the tunnel is
established and do not have to make the key a memorable
password.
■ Encryption type — choose the encryption type from DES or
3DES. 3DES is more secure but may take longer to encrypt
and decrypt.
3DES is not shipped with the Gateway as standard due to
international restrictions on encryption. If your country permits its
use it can be downloaded from the 3Com web site at
http://www.3com.com/
■ Hash Algorithm — choose either SHA-1 or MD5 from the
drop-down list. Both ends of the connection must use the
same value.
■ Exchange keys using — choose the encryption method used
to exchange shared keys. Diffie-Hellman Group 2 is more
secure but less common than Diffie-Hellman Group 1.
■ Use Perfect Forward Secrecy — Choose whether to use
perfect forward secrecy. Using perfect forward secrecy will
change the encryption keys during the course of a connection
making the tunnel more secure but slowing data transfer. To
enable perfect forward secrecy ensure that the Use Perfect
Forward Secrecy box is checked. To keep the same key for the
length of a connection leave the box unchecked.
Example: Setting up an IPSec connection between two
Gateways.
Gateway One is located at the head office and is configured with
the following settings:
■ Internet IP address: 172.27.34.202
■ LAN IP address: 192.168.1.1
■ LAN Subnet Mask: 255.255.255.0
dua08 569-5aaa02.book Pag e 58 Thursday , Novem ber 7 , 2002 3:09 PM