Cisco Systems RVL200 Network Router User Manual

Chapter 4
Advanced Configuration
39
4-Port SSL/IPSec VPN Router Manual

Incoming and Outgoing SPI (Security Parameter Index)
The SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the SA under which a packet should be processed. Hexadecimal values are acceptable, and the valid range is 100~ffffffff. Each tunnel must have a unique Incoming SPI and Outgoing SPI; no two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.

Encryption
Select a method of encryption, DES or 3DES. This determines the length of the key used to encrypt or decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.

Authentication
Select a method of authentication, MD5 or SHA1. The Authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Encryption Key
This field specifies the key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal values. If DES is selected, the Encryption Key is 16-bit, which requires 16 hexadecimal values. If you do not enter enough hexadecimal values, the rest of the Encryption Key is automatically completed with zeroes, so the Encryption Key will be 16-bit. If 3DES is selected, the Encryption Key is 48-bit, which requires 40 hexadecimal values. If you do not enter enough hexadecimal values, the rest of the Encryption Key is automatically completed with zeroes, so the Encryption Key will be 48-bit. Make sure both ends of the VPN tunnel use the same Encryption Key.

Authentication Key
This field specifies the key used to authenticate IP traffic. Enter a key of hexadecimal values. If MD5 is selected, the Authentication Key is 32-bit, which requires 32 hexadecimal values. If you do not enter enough hexadecimal values, the rest of the Authentication Key is automatically completed with zeroes until it has 32 hexadecimal values. If SHA1 is selected, the Authentication Key is 40-bit, which requires 40 hexadecimal values. If you do not enter enough hexadecimal values, the rest of the Authentication Key is automatically completed with zeroes until it has 40 hexadecimal values. Make sure both ends of the VPN tunnel use the same Authentication Key.
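The manual-keying rules above (hexadecimal SPI in the range 100~ffffffff, no SPI shared between tunnels, short keys silently right-padded with zeroes) are easy to get wrong in a web form, and the zero-padding rule matters because a short key is accepted with reduced entropy rather than rejected. The checker below is an added example, not Cisco's code; it is a hypothetical pre-flight script for a planned tunnel list. The hex-digit counts for DES, MD5 and SHA1 are taken from the manual; for 3DES it assumes 48 hex digits (a 24-byte 3DES key) where the manual prints 40.

```python
"""Pre-flight checker for RVL200 manual-keying fields (added example)."""

# Hex digits each field must hold before the router stops zero-padding.
# DES/MD5/SHA1 counts are from the manual; 3DES = 48 is an assumption
# (24-byte 3DES key), since the manual's "40" does not match its "48-bit".
KEY_HEX_DIGITS = {"DES": 16, "3DES": 48, "MD5": 32, "SHA1": 40}

SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF  # manual: valid range 100~ffffffff


def parse_spi(text):
    """Return the SPI as an int; raise ValueError if not hex or out of range."""
    value = int(text, 16)  # ValueError on non-hex input
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {text!r} outside 100~ffffffff")
    return value


def pad_key(hex_key, algorithm):
    """Apply the router's zero-padding rule; return (padded_key, digits_added)."""
    need = KEY_HEX_DIGITS[algorithm]
    if hex_key:
        int(hex_key, 16)  # reject non-hex characters
    if len(hex_key) > need:
        raise ValueError(f"{algorithm} key longer than {need} hex digits")
    padded = hex_key.lower().ljust(need, "0")
    return padded, need - len(hex_key)


def check_tunnels(tunnels):
    """Return findings for duplicate SPIs and keys the router would pad."""
    findings, seen = [], {}
    for t in tunnels:
        for direction in ("in_spi", "out_spi"):
            spi = parse_spi(t[direction])
            if spi in seen and seen[spi] != t["name"]:
                findings.append(f"{t['name']}: SPI {spi:x} already used by {seen[spi]}")
            seen[spi] = t["name"]
        for field, alg in (("enc_key", t["encryption"]), ("auth_key", t["authentication"])):
            _, added = pad_key(t[field], alg)
            if added:
                findings.append(f"{t['name']}: {field} short by {added} hex digits; "
                                "router pads with zeroes, weakening the key")
    return findings


# Constructed sample: site-b reuses site-a's SPI and enters a 4-digit DES key.
SAMPLE_TUNNELS = [
    {"name": "site-a", "in_spi": "1001", "out_spi": "1002", "encryption": "3DES",
     "authentication": "SHA1", "enc_key": "0123456789abcdef" * 3,
     "auth_key": "0123456789abcdef" * 2 + "01234567"},
    {"name": "site-b", "in_spi": "1003", "out_spi": "1001", "encryption": "DES",
     "authentication": "MD5", "enc_key": "abcd", "auth_key": "0123456789abcdef" * 2},
]
```

Running `check_tunnels(SAMPLE_TUNNELS)` on the constructed sample reports the reused SPI 1001 and the DES key that would be padded by 12 hex digits.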
Advanced

For most users, the settings on the VPN page should suffice; however, the Router provides advanced IPSec settings for advanced users using the IKE with Preshared Key mode. Click Advanced to view the Advanced settings.
Advanced
Aggressive Mode
There are two types of Phase 1 exchanges, Main Mode and Aggressive Mode. Aggressive Mode requires half of the Main Mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, leave the Aggressive Mode check box unchecked (Main Mode will be used). If network speed is preferred, select Aggressive Mode. If you select one of the Dynamic IP types for the Remote Security Gateway Type setting, then Main Mode will be unavailable, so Aggressive Mode will be used.

Compress (Support IP Payload Compression Protocol (IP Comp))
IP Payload Compression is a protocol that reduces the size of IP datagrams. Select this option if you want the Router to propose compression when it initiates a connection. If the responder rejects this proposal, the Router will not implement compression. When the Router works as a responder, it will always accept compression, even if compression is not enabled.

Keep-Alive
Keep-Alive helps maintain IPSec VPN tunnel connections. If a dropped connection is detected, it will be re-established immediately. Select this option to use this feature.

NetBIOS Broadcast
Select this option to allow NetBIOS traffic to pass through the VPN tunnel. By default, the Router blocks this traffic.

NAT Traversal
This is enabled by default. Both the IPSec initiator and responder must support the mechanism for detecting the NAT router in the path and changing to a new port, as defined in RFC 3947.

Dead Peer Detection (DPD)
When DPD is enabled, the Router will send periodic HELLO/ACK messages to check the status of the VPN tunnel (this feature can be used only when both peers or VPN devices of the VPN tunnel use the DPD mechanism). Once a dead peer has been detected,