Linksys RV016 Network Router User Manual


 
56
Chapter 6: Setting up and Configuring the Router
VPN Tab - Gateway to Gateway
10/100 16-Port VPN Router
After you have selected the Keying Mode, the settings available on this screen may change, depending on the
selection you have made.
IKE with Preshared Key
IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the
Preshared Key to authenticate the remote IKE peer.
Phase 1 DH Group. Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used
during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different
prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is
preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption. Select a method of encryption, DES or 3DES. The encryption method determines the
length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit
encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the
same encryption method.
Phase 1 Authentication. Select a method of authentication, MD5 or SHA. The authentication method
determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit
digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it
is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Phase 1 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 1. The default value is
28800 seconds.
Perfect Forward Secrecy. If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will
generate new key material for IP traffic encryption and authentication, so hackers using brute force to break
encryption keys will not be able to obtain future IPSec keys.
Phase 2 DH Group. If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so
you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1).
There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5
is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
You do not have to use the same DH Group that you used for Phase 1.
Phase 2 Encryption. Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec
sessions. Select a method of encryption, DES or 3DES. The encryption method determines the length of the
key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption.
3DES is recommended because it is more secure. If you enable the AH Hash Algorithm on the Advanced
Figure 6-68: IPSec Setup - IKE with Preshared Key