Use this screen to create a new tunnel between two VPN devices.
Add a New Tunnel
Tunnel No. A tunnel number between 1-50 will be automatically generated.
Tunnel Name. Enter a name for this VPN tunnel, such as Los Angeles Office, Chicago Branch, or New York Division. This allows you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel.
Interface. Select the appropriate interface (WAN1, WAN2...) from the pull-down menu. If you designate more than two WAN ports on the Network or Port Management page, then additional WAN ports will be available.
Enable. Check this box to enable a VPN tunnel. (When creating a VPN tunnel, this checkbox will be disabled.)

Local Group Setup
Local Security Gateway Type
Select one of these five available types: IP Only, IP + Domain Name(FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name(FQDN) Authentication, or Dynamic IP + E-mail Addr.(USER FQDN) Authentication.
(If you want to use a Fully Qualified Domain Name (FQDN) for authentication but you do not have one, visit www.dyndns.org to set up a Dynamic Domain Name System (DDNS) account. Then enable and configure the 10/100 16-Port VPN Router’s DDNS settings on the DDNS screen.)
The Local Security Gateway Type you select should match the Remote Security Gateway Type selected on the VPN device at the other end of the tunnel.
After you have selected the Local Security Gateway Type, the settings available on this screen may change, depending on which selection you have made.
IP Only. If you select IP Only, then only the computer with a specific IP address will be able to access the tunnel. The WAN (or Internet) IP address of the Router will automatically appear in the IP Address field.

IP + Domain Name(FQDN) Authentication. If you select this type, enter the FQDN (Fully Qualified Domain Name) in the Domain Name field, and an IP address will automatically appear in the IP Address field. The FQDN is the host name and domain name for a specific computer on the Internet. An example of an FQDN is vpn.myvpnserver.com. The FQDN and IP address must match the FQDN and IP address of the Remote Security Gateway Type selected on the remote VPN device at the other end of the tunnel. The FQDN and IP can be used for only one tunnel connection.

IP + E-mail Addr.(USER FQDN) Authentication. If you select this type, enter the appropriate e-mail address in the E-mail Address fields, and an IP address will automatically appear in the IP Address field.
Dynamic IP + Domain Name(FQDN) Authentication. If the Local Security Gateway has a dynamic IP and you want to use the domain name for authentication, then select this type. When the Remote Security Gateway asks to create a tunnel with the Router, the Router will work as a responder. For authentication, complete the Domain Name field, and make sure it matches the domain name set on the Remote Security Gateway of the remote VPN device. The domain name can be used for only one tunnel connection, so you can’t use the same domain name to create another new tunnel connection.

Dynamic IP + E-mail Addr.(USER FQDN) Authentication. If the Local Security Gateway has a dynamic IP and you want to use the e-mail address for authentication, then select this type. When the Remote Security Gateway asks to create a tunnel with the Router, the Router will work as a responder. For authentication, enter the appropriate e-mail address in the E-mail Address fields.

Local Security Group Type
Select the local LAN user(s) behind the Router that can use this VPN tunnel. Select one of these three available types: IP, Subnet, or IP Range. The Local Security Group Type you select should match the Remote Security Group Type selected on the VPN device at the other end of the tunnel.

After you have selected the Local Security Group Type, the settings available on this screen may change, depending on which selection you have made.

IP. If you select IP, then only the computer with a specific IP address will be able to access the tunnel. Enter the appropriate IP address. The default IP is 192.168.1.0.
Subnet. If you select Subnet, which is the default, then all computers on the local subnet will be able to access the tunnel. Complete the IP Address and Subnet Mask fields. The default IP is 192.168.1.0, and the default subnet mask is 255.255.255.0.

IP Range. If you select IP Range, then you can specify a range of IP addresses within the subnet that will be able to access the tunnel. Complete the IP Range fields. The default IP range is 192.168.1.0~254.

Remote Group Setup
Before you configure the Remote Group Setup, make sure your VPN tunnel will have two different IP subnets. For example, if the local 10/100 16-Port VPN Router has an IP scheme of 192.168.1.x (x being a number from 1 to 254), then the remote VPN router should have a different IP scheme, such as 192.168.2.y (y being a number from 1 to 254). Otherwise, the IP addresses will conflict, and the VPN tunnel cannot be created.
Remote Security Gateway Type
Select one of these five available types: IP Only, IP + Domain Name(FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name(FQDN) Authentication, or Dynamic IP + E-mail Addr.(USER FQDN) Authentication.
(If you want the remote VPN router to use a Fully Qualified Domain Name (FQDN) for authentication but it does not have one, visit www.dyndns.org to set up a Dynamic Domain Name System (DDNS) account. Then enable and configure the remote VPN router’s DDNS feature.)
The Remote Security Gateway Type you select should match the Local Security Gateway Type selected on the VPN device at the other end of the tunnel.
After you have selected the Remote Security Gateway Type, the settings available on this screen may change, depending on which selection you have made.
IP Only. If you select IP Only, then only the computer with a specific IP address will be able to access the tunnel. In the IP Address field, enter the IP address of the remote VPN device at the other end of the tunnel.
(This must be a static or fixed IP address only.)
IP + Domain Name(FQDN) Authentication. If you select this type, enter the FQDN (Fully Qualified Domain Name) and IP address of the remote VPN device at the other end of the tunnel. (Enter the FQDN in the Domain Name field, and enter the IP address in the IP Address field.) The FQDN is the host name and domain name for a specific computer on the Internet. An example of an FQDN is vpn.remotevpnserver.com. The FQDN and IP address must match the FQDN and IP address of the Local Security Gateway Type selected on the remote VPN device at the other end of the tunnel. The FQDN and IP can be used for only one tunnel connection.
IP + E-mail Addr.(USER FQDN) Authentication. If you select this type, enter the e-mail address and IP address of the remote VPN device at the other end of the tunnel.

Dynamic IP + Domain Name(FQDN) Authentication. If the Remote Security Gateway has a dynamic IP and you want to use the domain name for authentication, then select this type. When the Remote Security Gateway asks to create a tunnel with the Router, the Router will work as a responder. For authentication, complete the Domain Name field, and make sure it matches the domain name set on the local gateway of the remote VPN device. (The Remote Security Gateway has a dynamic IP, so you do not need to enter an IP address.) The domain name can be used for only one tunnel connection, so you can’t use the same domain name to create another new tunnel connection.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication. If the Remote Security Gateway has a dynamic IP and you want to use the e-mail address for authentication, then select this type. When the Remote Security Gateway asks to create a tunnel with the Router, the Router will work as a responder. For authentication, enter the appropriate e-mail address in the E-mail Address fields. (The Remote Security Gateway has a dynamic IP, so you do not need to enter an IP address.)

Remote Security Group Type
Select the remote security group behind the remote gateway that can use this VPN tunnel. Select one of these three available types: IP, Subnet, or IP Range. The Remote Security Group Type you select should match the Local Security Group Type selected on the VPN device at the other end of the tunnel.
After you have selected the Remote Security Group Type, the settings available on this screen may change, depending on which selection you have made.
IP. If you select IP, then only the computer with a specific IP address will be able to access the tunnel. Enter the appropriate IP address.
Subnet. If you select Subnet, which is the default, then all computers on the remote subnet will be able to access the tunnel. Complete the IP Address and Subnet Mask fields. The default subnet mask is 255.255.255.0.
IP Range. If you select IP Range, then you can specify a range of IP addresses within the subnet that will be able to access the tunnel. Complete the IP Range fields.
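The local and remote security groups above must describe two different, non-overlapping address sets or the tunnel cannot be created. The following added example (not code from the router or its manual) models the three group types with the screen's field names and the manual's range notation (e.g. 192.168.1.0~254, assumed here to mean a range inside one /24) and reports any overlap before the settings are saved.

```python
import ipaddress

def security_group(gtype, ip=None, mask="255.255.255.0", ip_range=None):
    """Translate one security group setting into inclusive (first, last) address bounds.

    gtype is 'IP', 'Subnet' or 'IP Range', the three types offered on the screen.
    ip_range uses the screen's notation, e.g. '192.168.1.0~254' (start address ~ last octet).
    """
    if gtype == "IP":
        addr = ipaddress.ip_address(ip)
        return addr, addr
    if gtype == "Subnet":
        # strict=False accepts a host address with its mask, as the screen does
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        return net.network_address, net.broadcast_address
    if gtype == "IP Range":
        start, end_octet = ip_range.split("~")
        first = ipaddress.ip_address(start)
        last = ipaddress.ip_address(start.rsplit(".", 1)[0] + "." + end_octet)
        if last < first:
            raise ValueError(f"IP range {ip_range!r} ends before it starts")
        return first, last
    raise ValueError(f"unknown security group type {gtype!r}")

def tunnel_address_check(local, remote):
    """Return a list of problems; an empty list means the two groups can share a tunnel."""
    lo_first, lo_last = security_group(**local)
    re_first, re_last = security_group(**remote)
    problems = []
    # Two inclusive intervals overlap when each starts no later than the other ends.
    if lo_first <= re_last and re_first <= lo_last:
        problems.append(f"local {lo_first}-{lo_last} overlaps remote {re_first}-{re_last}; "
                        "the two ends must use different IP subnets")
    return problems
```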

IPSec Setup
In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. This is done by sharing the key used for the encryption. For key management, there are two modes available; select IKE with Preshared Key or Manual. Both ends of a VPN tunnel must use the same mode of key management.
After you have selected the keying mode, the settings available on this screen may change, depending on the selection you have made.
IKE with Preshared Key
IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the Preshared Key to authenticate the remote IKE peer.
Phase 1 DH Group. Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used during Phase 1 of the authentication process to establish shared keying material. There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
Phase 1 Encryption. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.
Phase 1 Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Phase 1 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 1. The default value is 28800 seconds.

Perfect Forward Secrecy. If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication, so hackers using brute force to break encryption keys will not be able to obtain future IPSec keys.
Phase 2 DH Group. If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1).
There are three groups of different prime key lengths. Group 1 is 768 bits, and Group 2 is 1,024 bits. Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.
You do not have to use the same DH Group that you used for Phase 1.
Phase 2 Encryption. Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption.
3DES is recommended because it is more secure. If you enable the AH Hash Algorithm on the Advanced screen, then it is recommended to select NULL to disable the encryption and decryption of ESP packets in Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Encryption setting: DES, 3DES, or NULL.
Phase 2 Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. If you enable the AH Hash Algorithm on the Advanced screen, then it is recommended to select NULL to disable the authentication of ESP packets in Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Authentication setting: MD5, SHA, or NULL.
Phase 2 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 2. The default value is 3600 seconds.
Preshared Key. This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of 30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.
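Most IKE with Preshared Key fields above carry the same instruction: both ends must agree, and the stronger option is recommended. The following added example (not code from the router or its manual) puts one end's settings into a small profile, using field names assumed from the screen, and compares two profiles the way a reviewer would before saving: hard mismatches are errors, and choices the manual calls less secure (DES, MD5, Group 1) are warnings. It also applies the rule that NULL in Phase 2 is only appropriate when both ends have the AH Hash Algorithm enabled on the Advanced screen.

```python
from dataclasses import dataclass

@dataclass
class IkeProfile:
    """One end's IKE with Preshared Key settings (assumed field names, taken from the screen)."""
    phase1_dh_group: int            # 1, 2 or 5
    phase1_encryption: str          # "DES" or "3DES"
    phase1_authentication: str      # "MD5" or "SHA"
    phase2_encryption: str          # "DES", "3DES" or "NULL"
    phase2_authentication: str      # "MD5", "SHA" or "NULL"
    preshared_key: str              # 1-30 keyboard or hexadecimal characters
    pfs: bool = True
    phase2_dh_group: int = 5        # only negotiated when PFS is enabled on both ends
    phase1_sa_lifetime: int = 28800
    phase2_sa_lifetime: int = 3600
    ah_hash: str = ""               # Advanced screen: "" (off), "MD5" or "SHA1"

# Settings the manual says both ends must share; the key value itself is never echoed.
MUST_MATCH = ("phase1_dh_group", "phase1_encryption", "phase1_authentication",
              "phase2_encryption", "phase2_authentication", "ah_hash", "preshared_key")
# The "network speed" choices the manual rates as less secure than Group 5 / 3DES / SHA.
WEAK = {"phase1_dh_group": 1, "phase2_dh_group": 1, "phase1_encryption": "DES",
        "phase2_encryption": "DES", "phase1_authentication": "MD5",
        "phase2_authentication": "MD5"}

def check_ike_pair(local: IkeProfile, remote: IkeProfile):
    """Return (errors, warnings); errors prevent a working tunnel, warnings are weak choices."""
    errors, warnings = [], []
    fields = list(MUST_MATCH) + (["phase2_dh_group"] if local.pfs and remote.pfs else [])
    for name in fields:
        if getattr(local, name) != getattr(remote, name):
            shown = "" if name == "preshared_key" else \
                f": {getattr(local, name)!r} vs {getattr(remote, name)!r}"
            errors.append(f"{name} differs between the two ends{shown}")
    if local.pfs != remote.pfs:
        errors.append("Perfect Forward Secrecy is enabled on one end only")
    for name in ("phase1_sa_lifetime", "phase2_sa_lifetime"):
        if getattr(local, name) != getattr(remote, name):
            warnings.append(f"{name} differs between the two ends")
    both_ah = bool(local.ah_hash) and bool(remote.ah_hash)
    for side, p in (("local", local), ("remote", remote)):
        if "NULL" in (p.phase2_encryption, p.phase2_authentication) and not both_ah:
            errors.append(f"{side}: NULL in Phase 2 requires the AH Hash Algorithm on both ends")
        if not 1 <= len(p.preshared_key) <= 30:
            errors.append(f"{side}: Preshared Key must be 1 to 30 characters")
        for name, weak in WEAK.items():
            if name == "phase2_dh_group" and not p.pfs:
                continue  # Phase 2 DH Group is unused without PFS
            if getattr(p, name) == weak:
                warnings.append(f"{side}: {name}={weak!r} favours speed over security")
    return errors, warnings
```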
Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
Manual
Basically, Manual key management is used in small static environments or for troubleshooting purposes. If you select Manual, you generate the key yourself, so no key negotiation is needed.
Incoming SPI (Security Parameter Index). SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the Security Association (SA) under which a packet should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each tunnel must have a unique inbound SPI and outbound SPI. The Incoming SPI of the Router must match the Outgoing SPI set on the remote VPN device at the other end of the tunnel. For example, if the Incoming SPI is 20123, then the Outgoing SPI would be 32102.

Outgoing SPI (Security Parameter Index). SPI is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the SA under which a packet should be processed.
Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each tunnel must have a unique inbound SPI and outbound SPI. The Outgoing SPI of the Router must match the Incoming SPI set on the remote VPN device at the other end of the tunnel. For example, if the Outgoing SPI is 32102, then the Incoming SPI would be 20123.
Encryption. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption.
3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.
Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure.
Make sure both ends of the VPN tunnel use the same authentication method.
Encryption Key. This field specifies a key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal values in the Encryption Key field. If you selected DES as the encryption method, then the Encryption Key must be 16-bit, which requires 16 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 16-bit. If you selected 3DES as the encryption method, then the Encryption Key must be 48-bit, which requires 48 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Encryption Key will be automatically completed with zeroes, so the Encryption Key will be 48-bit. Make sure both ends of the VPN tunnel use the same Encryption Key.
Authentication Key. This field specifies a key used to authenticate IP traffic. Enter a key of hexadecimal values in the Authentication Key field. If you selected MD5 as the authentication method, then the Authentication Key must be 32-bit, which requires 32 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Authentication Key will be automatically completed with zeroes, so the Authentication Key will be 32-bit. If you selected SHA1 as the authentication method, then the Authentication Key must be 40-bit, which requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the Authentication Key will be automatically completed with zeroes, so the Authentication Key will be 40-bit.
Make sure both ends of the VPN tunnel use the same Authentication Key.
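Manual mode leaves every consistency check to the administrator: the SPIs must be mirrored between the two routers, each must fall in the hexadecimal range 100 to ffffffff, and short keys are silently zero-padded to the field length. The following added example (not code from the router or its manual) reproduces those rules over two settings dictionaries whose keys are assumed from the screen's field names, flags padded keys (zero padding means part of the key is predictable) and uses the manual's own 20123/32102 SPI pair as its constructed sample.

```python
import re

SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF   # the screen's valid range: 100 to ffffffff (hex)
# Hexadecimal digits each key field expects; shorter input is right-padded with zeroes.
KEY_HEX_DIGITS = {"DES": 16, "3DES": 48, "MD5": 32, "SHA1": 40}
HEX_ONLY = re.compile(r"[0-9a-fA-F]*")

def parse_spi(text: str) -> int:
    """Parse an SPI as typed on the screen (hexadecimal, no 0x prefix) and range-check it."""
    if not re.fullmatch(r"[0-9a-fA-F]{1,8}", text):
        raise ValueError(f"SPI {text!r} is not 1-8 hexadecimal digits")
    spi = int(text, 16)
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {text!r} is outside {SPI_MIN:x}-{SPI_MAX:x}")
    return spi

def pad_key(hex_key: str, algorithm: str):
    """Return (padded_key, was_padded): the value the field ends up holding."""
    need = KEY_HEX_DIGITS[algorithm]
    if not HEX_ONLY.fullmatch(hex_key):
        raise ValueError("key must contain only hexadecimal digits")
    if len(hex_key) > need:
        raise ValueError(f"{algorithm} key takes at most {need} hexadecimal digits")
    return hex_key.lower().ljust(need, "0"), len(hex_key) < need

KEY_FIELDS = (("encryption_key", "encryption"), ("authentication_key", "authentication"))

def check_manual_tunnel(local: dict, remote: dict) -> list:
    """Compare the Manual settings typed on the two routers; return a list of problems."""
    problems, spis = [], {}
    for side, cfg in (("local", local), ("remote", remote)):
        spis[side] = (parse_spi(cfg["incoming_spi"]), parse_spi(cfg["outgoing_spi"]))
        if spis[side][0] == spis[side][1]:
            problems.append(f"{side}: Incoming SPI and Outgoing SPI must be unique")
        for key_field, alg_field in KEY_FIELDS:
            _, padded = pad_key(cfg[key_field], cfg[alg_field])
            if padded:
                problems.append(f"{side}: {key_field} is shorter than "
                                f"{KEY_HEX_DIGITS[cfg[alg_field]]} digits; zero padding makes it weaker")
    # Incoming on one end must equal Outgoing on the other, and vice versa.
    if spis["local"][0] != spis["remote"][1] or spis["local"][1] != spis["remote"][0]:
        problems.append("SPIs are not mirrored between the two ends")
    for key_field, alg_field in KEY_FIELDS:
        if local[alg_field] != remote[alg_field]:
            problems.append(f"{alg_field} method differs between the two ends")
        elif pad_key(local[key_field], local[alg_field])[0] != \
                pad_key(remote[key_field], remote[alg_field])[0]:
            problems.append(f"{key_field} differs between the two ends")
    return problems
```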
Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
Advanced
For most users, the settings on the VPN page should suffice; however, the Router provides advanced IPSec settings for advanced users. Click the Advanced button to view the advanced settings, which are available only for VPN tunnels using the IKE with Preshared Key mode.
Aggressive Mode. There are two types of Phase 1 exchanges, Main Mode and Aggressive Mode.

Aggressive Mode requires half of the Main Mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, leave the Aggressive Mode checkbox unchecked. If network speed is preferred, select Aggressive Mode. If you select one of the Dynamic IP types for the Remote Security Gateway Type setting, then Main Mode will be unavailable, so Aggressive Mode will be used.
Compress (Support IP Payload Compression Protocol (IP Comp)). The Router supports IP Payload Compression Protocol, which is used to reduce the size of IP datagrams. If this feature is enabled, the Router will propose compression when initiating a connection. If the responders reject this proposal, then the Router will not implement compression. When the Router works as a responder, the Router will always accept compression even when the Compress feature has not been enabled. Select Compress to support this protocol.
Keep-Alive. This feature helps maintain the connections of IPSec tunnels. Whenever a connection is dropped and the drop is detected, then the connection will be re-established immediately. Select Keep-Alive to enable this feature.
AH Hash Algorithm. The AH (Authentication Header) protocol describes the packet format and default standards for packet structure. If AH is used as a security protocol, portions of the original IP header are used to verify the integrity of the entire packet during the hashing process, so protection is extended forward into the IP header. Select an algorithm, MD5 or SHA1. MD5 produces a 128-bit digest to authenticate packet data, and SHA1 produces a 160-bit digest to authenticate packet data. Both ends of the VPN tunnel should use the same AH Hash Algorithm.
NetBIOS Broadcast. Click the checkbox if you want NetBIOS traffic to pass through the VPN tunnel. By default, the Router blocks these broadcasts.
Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.