IPSec Setup
In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. This is done by sharing the key used by the encryption. For key management, there are two modes available: select Manual or IKE with Preshared Key. Both ends of a VPN tunnel must use the same mode of key management.

After you have selected the keying mode, the settings available on this screen may change, depending on which selection you have made.

IKE with Preshared Key

IKE (Internet Key Exchange) is a protocol used to negotiate key material for a security association (SA). IKE uses the preshared key to authenticate the remote IKE peer.

Phase 1 DH Group. Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5.

Phase 1 Encryption. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.

Phase 1 Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Phase 1 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 1. The default value is 28800 seconds.

Perfect Forward Secrecy. If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication, so an attacker who breaks an encryption key by brute force will not be able to obtain future IPsec keys.

Phase 2 DH Group. If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so you do not need to set the Phase 2 DH Group (the key for Phase 2 will match the key in Phase 1). There are three groups of different prime key lengths: Group 1 is 768 bits, Group 2 is 1,024 bits, and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You do not have to use the same DH group that you used for Phase 1.

Phase 2 Encryption. Phase 2 is used to create one or more IPsec SAs, which are then used to key IPsec sessions. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. 3DES is recommended because it is more secure. If you enable the AH Hash Algorithm on the Advanced screen, then it is recommended to select NULL to disable the encryption and decryption of ESP packets in Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Encryption setting: DES, 3DES, or NULL.

Phase 2 Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. If you enable the AH Hash Algorithm on the Advanced screen, then it is recommended to select NULL to disable the authentication of ESP packets in Phase 2 (make sure the remote VPN device also has the AH Hash Algorithm enabled). Both ends of the VPN tunnel must use the same Phase 2 Authentication setting: MD5, SHA, or NULL.

Phase 2 SA Life Time. Configure the length of time a VPN tunnel is active in Phase 2. The default value is 3600 seconds.

Preshared Key. This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of keyboard and hexadecimal characters, e.g., My_@123 or 4d795f40313233. This field allows a maximum of 30 characters and/or hexadecimal values. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.

Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
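Because every Phase 1 and Phase 2 setting above has to agree on both ends of the tunnel, it helps to compare the two configurations before saving. The following added example (not code from the router manual) does that check with the values and limits the manual gives; the field names, the "ah_hash" flag standing in for the Advanced screen's AH Hash Algorithm setting, and the two sample configurations are constructed for the example, and SA life times are not compared.

```python
# Added example, not from the router manual: compare the "IKE with Preshared
# Key" settings entered on the two ends of a tunnel and list every mismatch.
# Field names and the sample configurations are constructed; the allowed
# values and limits are the ones the manual states.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}   # prime lengths of the DH groups
CIPHERS = {"des": 56, "3des": 168}            # key length in bits
DIGESTS = {"md5": 128, "sha": 160}            # digest length in bits
MAX_PRESHARED_KEY_CHARS = 30
# Settings the manual requires to be identical on both ends of the tunnel.
MUST_MATCH = ("phase1_dh_group", "phase1_encryption", "phase1_authentication",
              "pfs", "phase2_encryption", "phase2_authentication",
              "preshared_key", "ah_hash")


def check_ike_tunnel(local, remote):
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []
    for field in MUST_MATCH:
        if local.get(field) != remote.get(field):
            problems.append(f"{field} differs between the two ends")
    # The Phase 2 DH group only matters when PFS is on (with PFS off the
    # Phase 1 key is reused); it may differ from the Phase 1 group.
    if local.get("pfs") and local.get("phase2_dh_group") != remote.get("phase2_dh_group"):
        problems.append("phase2_dh_group differs while PFS is enabled")
    for name, side in (("local", local), ("remote", remote)):
        for field, valid in (("phase1_dh_group", DH_GROUP_BITS),
                             ("phase1_encryption", CIPHERS),
                             ("phase1_authentication", DIGESTS)):
            if side[field] not in valid:
                problems.append(f"{name}: {field} must be one of {sorted(valid)}")
        # NULL is allowed in Phase 2 only when the AH Hash Algorithm is enabled.
        for field, valid in (("phase2_encryption", CIPHERS),
                             ("phase2_authentication", DIGESTS)):
            if side[field] == "null" and not side.get("ah_hash"):
                problems.append(f"{name}: {field} is null but AH is not enabled")
            elif side[field] != "null" and side[field] not in valid:
                problems.append(f"{name}: {field} must be one of {sorted(valid)}")
        if len(side["preshared_key"]) > MAX_PRESHARED_KEY_CHARS:
            problems.append(f"{name}: preshared key exceeds 30 characters")
    return problems


# Constructed sample: the remote end was switched to NULL encryption with AH
# enabled on its Advanced screen, but the local end was never updated.
LOCAL = dict(phase1_dh_group=2, phase1_encryption="3des", phase1_authentication="sha",
             pfs=True, phase2_dh_group=5, phase2_encryption="3des",
             phase2_authentication="sha", preshared_key="My_@123", ah_hash=None)
REMOTE = dict(LOCAL, phase2_encryption="null", ah_hash="sha1")
```

Running check_ike_tunnel(LOCAL, REMOTE) reports the Phase 2 encryption and AH mismatch, which is exactly the case the manual warns about when NULL is selected on only one end.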

Manual (not applicable to Group VPNs)

Manual key management is used in small static environments or for troubleshooting purposes. If you select Manual, you generate the key yourself, so no key negotiation is needed.

Incoming SPI (Security Parameter Index). The SPI is carried in the ESP (Encapsulating Security Payload) header and enables the receiver and sender to select the security association (SA) under which a packet should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each tunnel must have a unique inbound SPI and outbound SPI. The Incoming SPI of the router must match the Outgoing SPI set on the remote VPN device at the other end of the tunnel. For example, if the Incoming SPI is 20123, then the Outgoing SPI would be 32102.

Outgoing SPI (Security Parameter Index). The SPI is carried in the ESP (Encapsulating Security Payload) header and enables the receiver and sender to select the SA under which a packet should be processed. Hexadecimal values are acceptable, and the valid range of hexadecimal values is from 100 to ffffffff. Each tunnel must have a unique inbound SPI and outbound SPI. The Outgoing SPI of the router must match the Incoming SPI set on the remote VPN device at the other end of the tunnel. For example, if the Outgoing SPI is 32102, then the Incoming SPI would be 20123.

Encryption. Select a method of encryption, DES or 3DES. The encryption method determines the length of the key used to encrypt or decrypt ESP packets. DES uses 56-bit encryption, and 3DES uses 168-bit encryption. 3DES is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same encryption method.

Authentication. Select a method of authentication, MD5 or SHA. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.

Encryption Key. This field specifies a key used to encrypt and decrypt IP traffic. Enter a key of hexadecimal values in the Encryption Key field. If you selected DES as the encryption method, then the encryption key must be 16-bit, which requires 16 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the encryption key will be automatically completed with zeroes, so the encryption key will be 16-bit. If you selected 3DES as the encryption method, then the encryption key must be 48-bit, which requires 48 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the encryption key will be automatically completed with zeroes, so the encryption key will be 48-bit. Make sure both ends of the VPN tunnel use the same encryption key.

Authentication Key. This field specifies a key used to authenticate IP traffic. Enter a key of hexadecimal values in the Authentication Key field. If you selected MD5 as the authentication method, then the authentication key must be 32-bit, which requires 32 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the authentication key will be automatically completed with zeroes, so the authentication key will be 32-bit. If you selected SHA1 as the authentication method, then the authentication key must be 40-bit, which requires 40 hexadecimal values. If you do not enter enough hexadecimal values, then the rest of the authentication key will be automatically completed with zeroes, so the authentication key will be 40-bit. Make sure both ends of the VPN tunnel use the same authentication key.

Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.
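In Manual mode nothing is negotiated, so a mistyped SPI or a key that was padded differently on one end simply produces a tunnel that never passes traffic. The following added example (not code from the router manual) checks a router's Manual settings against the remote device's using the rules stated above: the SPI range, unique and mirrored SPIs, and zero-completion of short keys to the hexadecimal lengths the manual lists. Field names and the sample values are constructed.

```python
# Added example, not from the router manual: check the Manual key-management
# settings of a router and of the remote VPN device against each other, using
# the rules the manual states. Field names and sample values are constructed.
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
ENCRYPTION_KEY_HEX = {"des": 16, "3des": 48}      # hexadecimal characters
AUTHENTICATION_KEY_HEX = {"md5": 32, "sha1": 40}  # hexadecimal characters

def pad_key(hex_key, required_len):
    """Complete a short key with zeroes, as the router does on save."""
    if len(hex_key) > required_len or hex_key.strip("0123456789abcdefABCDEF"):
        raise ValueError(f"key must be up to {required_len} hexadecimal characters")
    return hex_key.lower().ljust(required_len, "0")

def valid_spi(spi_hex):
    try:
        return SPI_MIN <= int(spi_hex, 16) <= SPI_MAX
    except ValueError:
        return False

def check_manual_tunnel(router, remote):
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []
    for name, side in (("router", router), ("remote", remote)):
        for field in ("incoming_spi", "outgoing_spi"):
            if not valid_spi(side[field]):
                problems.append(f"{name}: {field} must be hexadecimal, 100 to ffffffff")
        if side["incoming_spi"].lower() == side["outgoing_spi"].lower():
            problems.append(f"{name}: inbound and outbound SPI must be unique")
    # SPIs are mirrored: the router receives under the SPI the remote sends under.
    for ours, theirs in (("incoming_spi", "outgoing_spi"), ("outgoing_spi", "incoming_spi")):
        if router[ours].lower() != remote[theirs].lower():
            problems.append(f"router {ours} does not match remote {theirs}")
    for method, table, key in (("encryption", ENCRYPTION_KEY_HEX, "encryption_key"),
                               ("authentication", AUTHENTICATION_KEY_HEX, "authentication_key")):
        if router[method] != remote[method] or router[method] not in table:
            problems.append(f"{method} must match on both ends and be one of {sorted(table)}")
            continue
        try:  # compare the keys as the router stores them, after zero padding
            need = table[router[method]]
            if pad_key(router[key], need) != pad_key(remote[key], need):
                problems.append(f"{key} differs after zero padding")
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    return problems

# Constructed sample: the remote end mirrors the SPIs and typed the MD5 key
# without its two trailing zeroes, which the router fills in on save.
ROUTER = dict(incoming_spi="20123", outgoing_spi="32102", encryption="des",
              authentication="md5", encryption_key="0123456789abcdef",
              authentication_key="aabbccddeeff00112233445566778800")
REMOTE = dict(ROUTER, incoming_spi="32102", outgoing_spi="20123",
              authentication_key="aabbccddeeff001122334455667788")
```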

Advanced

For most users, the settings on the VPN page should suffice; however, the router provides advanced IPsec settings for advanced users. Click the Advanced button to view the advanced settings, which are available only for VPN tunnels using the IKE with Preshared Key mode.

Aggressive Mode. There are two types of Phase 1 exchanges, Main Mode and Aggressive Mode. Aggressive Mode requires half of the Main Mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, leave the Aggressive Mode checkbox unchecked. If network speed is preferred, select Aggressive Mode. If you select one of the dynamic IP types for the Remote Security Gateway Type setting, then Main Mode will be unavailable, so Aggressive Mode will be used, unless the remote client is a Microsoft XP/2000 VPN client. For Microsoft XP/2000 VPN clients, Aggressive Mode will be unavailable, so Main Mode will be used.

Compress (Support IP Payload Compression Protocol (IP Comp)). The router supports IP Payload Compression Protocol, which is used to reduce the size of IP datagrams. If this feature is enabled, the router will propose compression when initiating a connection. If the responder rejects this proposal, then the router will not implement compression. When the router works as a responder, the router will always accept compression even when the Compress feature has not been enabled. Select Compress to support this protocol.

Keep-Alive. This feature helps maintain the connections of IPsec tunnels. Whenever a connection is dropped and the drop is detected, the connection will be re-established immediately. Select Keep-Alive to enable this feature.

AH Hash Algorithm. The AH (Authentication Header) protocol describes the packet format and default standards for packet structure. If AH is used as a security protocol, portions of the original IP header are used to verify the integrity of the entire packet during the hashing process, so protection is extended forward into the IP header. Select an algorithm, MD5 or SHA1. MD5 produces a 128-bit digest to authenticate packet data, and SHA1 produces a 160-bit digest to authenticate packet data. Both ends of the VPN tunnel should use the same AH Hash Algorithm.

NetBIOS Broadcast. Click the checkbox if you want NetBIOS traffic to pass through the VPN tunnel. By default, the router blocks these broadcasts.

Click the Save Settings button to save your changes, or click the Cancel Changes button to undo the changes.