Draytek VIGOR2910 Network Router User Manual


 
Vigor2910 Series User’s Guide
90
¾ Phase 2: negotiation IPSec security methods including Authentication Header (AH) or
Encapsulating Security Payload (ESP) for the following IKE exchange and mutual
examination of the secure tunnel establishment.
There are two encapsulation methods used in IPSec, Transport and Tunnel. The Transport
mode will add the AH/ESP payload and use original IP header to encapsulate the data
payload only. It can just apply to local packet, e.g., L2TP over IPSec. The Tunnel mode will
not only add the AH/ESP payload but also use a new IP header (Tunneled IP header) to
encapsulate the whole original IP packet.
Authentication Header (AH) provides data authentication and integrity for IP packets passed
between VPN peers. This is achieved by a keyed one-way hash function to the packet to
create a message digest. This digest will be put in the AH and transmitted along with packets.
On the receiving side, the peer will perform the same one-way hash on the packet and
compare the value with the one in the AH it receives.
Encapsulating Security Payload (ESP) is a security protocol that provides data
confidentiality and protection with optional authentication and replay detection service.
IKE Authentication Method This usually applies to those are remote dial-in user or node
(LAN-to-LAN) which uses dynamic IP address and
IPSec-related VPN connections such as L2TP over IPSec
and IPSec tunnel.
Pre-Shared Key -Currently only support Pre-Shared Key
authentication.
Pre-Shared Key- Specify a key for IKE authentication
Re-type Pre-Shared Key-Confirm the pre-shared key.
IPSec Security Method Medium - Authentication Header (AH) means data will be
authenticated, but not be encrypted. By default, this option is
active.
High - Encapsulating Security Payload (ESP) means
payload (data) will be encrypted and authenticated. You may
select encryption algorithm from Data Encryption Standard
(DES), Triple DES (3DES), and AES.
3
3
.
.
8
8
.
.
4
4
I
I
P
P
S
S
e
e
c
c
P
P
e
e
e
e
r
r
I
I
d
d
e
e
n
n
t
t
i
i
t
t
y
y
To use digital certificate for peer authentication in either LAN-to-LAN connection or
Remote User Dial-In connection, here you may edit a table of peer certificate for selection.
As shown below, the router provides 32 entries of digital certificates for peer dial-in users.