VPN


    Virtual Private Networking (VPN) is a security measure that creates a secure connection between two remote locations. The connection is defined by a very specific set of settings, and it is this strict agreement between the two ends that provides the security.

    The VPN screen allows you to configure your VPN settings to make your network more secure.

    Network security, while a desirable and often necessary aspect of networking, is complex and requires a thorough understanding of networking principles.

    Establishing a Tunnel

    The VPN router creates a tunnel, or channel, between two endpoints so that the data passing between those endpoints is secure. To establish a tunnel, select the tunnel you wish to create in the Select Tunnel Entry drop-down box.

    It is possible to create up to 70 simultaneous tunnels.

    Then check the box next to Enable to enable the tunnel.

    Once the tunnel is enabled, enter the name of the tunnel in the Tunnel Name field. This name only helps you identify multiple tunnels; it does not have to match the name used at the other end of the tunnel.

    Local Secure Group and Remote Secure Group

    The Local Secure Group is the computer(s) on your LAN that can access the tunnel. The Remote Secure Group is the computer(s) on the remote end of the tunnel that can access the tunnel. Under Local Secure Group and Remote Secure Group, you may choose one of three options: Subnet, IP Address, and IP Range. Under Remote Secure Group, you have two additional options: Host and Any.

    The IP addresses and subnet mask values used here are for example only. Do not try to use them for your actual setup. Obtain the relevant information from your own network to accurately configure your VPN router.

    . Subnet - If you select Subnet (which is the default), all computers on the local subnet will be allowed to access the tunnel. In the example shown in Figure 6-9, all Local Secure Group computers with IP addresses 192.168.1.xxx will be able to access the tunnel. All Remote Secure Group computers with IP addresses 192.168.2.xxx will be able to access the tunnel (in your settings, use the IP addresses appropriate for your VPN).

    When using the Subnet setting, the default values of 0 should remain in the last fields of the IP and Mask settings.

    It is possible to set up your VPN router using any combination of the three settings under Local Secure Group and the five settings under Remote Secure Group. For instance, when Subnet is chosen on the local end of the tunnel, Subnet does not have to be chosen at the remote end. So a single IP address could be chosen to access the tunnel on the local end, and a range of IP addresses could be set at the remote end of the tunnel.

    . IP Address - If you select IP Address, only the computer with the specific IP address that you enter will be able to access the tunnel. In the example shown in Figure 6-10, only the computer with IP address 192.168.1.10 can access the tunnel from this end. Only the computer with IP address 192.168.2.12 can access the tunnel from the remote end (in your settings, use the IP addresses appropriate for your VPN).

    . IP Range - If you select IP Range, the setting is a combination of Subnet and IP Address: you can specify a range of IP addresses within the subnet which will have access to the tunnel. In the example shown in Figure 6-11, all computers on this end of the tunnel with IP addresses between 192.168.1.1 and 192.168.1.20 can access the tunnel from the local end.

    Only computers assigned an IP address between 192.168.2.1 and 192.168.2.100 can access the tunnel from the remote end (in your settings, use the IP ranges appropriate for your VPN).

    Under Remote Secure Group, you have two additional options: Host and Any.

    . Host - If you select Host for the Remote Secure Group, then the Remote Secure Group will be the same as the Remote Security Gateway setting: IP Address, FQDN (Fully Qualified Domain Name), or Any. (Remote Security Gateway settings are explained on the following page.) In the example shown in Figure 6-12, the Remote Secure Group is the same as the Remote Security Gateway, set to a specific IP address.

    . Any - If you select Any for the Remote Secure Group, then the local VPN router will accept a request from any IP address. This setting should be chosen when the other endpoint is using DHCP or PPPoE on the WAN side.
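    The following Python is an added example, not code from the router or this manual. It models how the three local and five remote Secure Group options decide which addresses may use the tunnel, using constructed addresses like those in Figures 6-9 to 6-12; the Host option is represented by the gateway's IP address (assumed already resolved if it was entered as an FQDN).

```python
import ipaddress

# Added example (not from the router's firmware): models how a Local/Remote
# Secure Group selector decides which addresses may use the tunnel.
# A selector is a (kind, spec) tuple; the specs below are constructed to
# mirror the Figure 6-9 to 6-12 examples in the text.

LOCAL_KINDS = {"subnet", "ip address", "ip range"}
REMOTE_KINDS = LOCAL_KINDS | {"host", "any"}


def selector_matches(selector, ip):
    """Return True if ip falls inside the given secure-group selector.

      ("subnet", ("192.168.1.0", "255.255.255.0"))   whole subnet
      ("ip address", "192.168.1.10")                  one host
      ("ip range", ("192.168.1.1", "192.168.1.20"))   inclusive range
      ("host", "203.0.113.5")   remote only: the gateway's address (assumed
                                already resolved if it was entered as an FQDN)
      ("any", None)             remote only: every address is accepted
    """
    kind, spec = selector
    addr = ipaddress.IPv4Address(ip)
    if kind == "subnet":
        net_ip, mask = spec
        return addr in ipaddress.IPv4Network((net_ip, mask), strict=False)
    if kind in ("ip address", "host"):
        return addr == ipaddress.IPv4Address(spec)
    if kind == "ip range":
        low, high = (ipaddress.IPv4Address(b) for b in spec)
        return low <= addr <= high
    if kind == "any":
        return True
    raise ValueError(f"unknown selector kind {kind!r}")


def tunnel_allows(local_group, remote_group, src, dst):
    """A LAN -> remote packet enters the tunnel only if src is in the local
    secure group and dst is in the remote secure group. Host and Any are
    rejected for the local side because the screen offers them only for
    the remote side."""
    if local_group[0] not in LOCAL_KINDS:
        raise ValueError("local secure group must be subnet, ip address or ip range")
    if remote_group[0] not in REMOTE_KINDS:
        raise ValueError(f"unknown remote secure group kind {remote_group[0]!r}")
    return selector_matches(local_group, src) and selector_matches(remote_group, dst)
```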

   

    Remote Security Gateway

    The Remote Security Gateway is the VPN device, such as a second VPN router, on the remote end of the VPN tunnel. Under Remote Security Gateway, you have three options: IP Address, FQDN, and Any.

    . IP Address - If you select IP Address, then enter the IP address of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN router, a VPN server, or a computer with VPN client software that supports IPSec. The IP address may either be static (permanent) or dynamic (changing), depending on the settings of the remote VPN device. Make sure that you have entered the IP address correctly, or the connection cannot be made. Remember, this is not the IP address of the local VPN router, but the IP address of the remote VPN router or device with which you wish to communicate.

   

    . FQDN (Fully Qualified Domain Name) - If you select FQDN, then enter the FQDN of the VPN device at the other end of the tunnel. The remote VPN device can be another VPN router, a VPN server, or a computer with VPN client software that supports IPSec. The FQDN is the host name and domain name for a specific computer on the Internet, for example, vpn.myvpnserver.com.

    . Any - If you select Any for the Remote Security Gateway, then the VPN device at the other end of the tunnel will accept a request from any IP address. The remote VPN device can be another VPN router, a VPN server, or a computer with VPN client software that supports IPSec. If the remote user has an unknown or dynamic IP address (such as a professional on the road or a telecommuter using DHCP or PPPoE), then Any should be selected.

    Encryption

    Using encryption also helps make your connection more secure. There are two different types of encryption: DES or 3DES (3DES is recommended because it is more secure). You may choose either of these, but it must be the same type of encryption that is being used by the VPN device at the other end of the tunnel. Or, you may choose not to encrypt by selecting Disable.

    In our example shown in Figure 6-16, DES (which is the default) has been selected.

    Authentication

    Authentication acts as another level of security. There are two types of authentication: MD5 and SHA (SHA is recommended because it is more secure). As with encryption, either of these may be selected, provided that the VPN device at the other end of the tunnel is using the same type of authentication. Or, both ends of the tunnel may choose to disable authentication. In Figure 6-16, MD5 (the default) has been selected.

    Key Management

    In order for any encryption to occur, the two ends of the tunnel must agree on the type of encryption and the way the data will be decrypted. This is done by sharing a "key" to the encryption code. Under Key Management, you may choose Automatic or Manual key management.

    Automatic Key Management

    Select Auto (IKE) and enter a series of numbers or letters in the Pre-shared Key field. Check the box next to PFS (Perfect Forward Secrecy) to ensure that the initial key exchange and IKE proposals are secure. In the example shown in Figure 6-17, the word mytest is used. Based on this word, which must be entered at both ends of the tunnel if this method is used, a key is generated to scramble (encrypt) the data being transmitted over the tunnel, where it is unscrambled (decrypted). You may use any combination of up to 24 numbers or letters in this field. No special characters or spaces are allowed. In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you'd like the key to be useful, or leave it blank for the key to last indefinitely.

   

    Manual Key Management

    Similarly, you may choose Manual keying, which allows you to generate the key yourself. Enter your key into the Encryption Key field. Then enter an authentication key into the Authentication Key field. These fields must both match the information that is being entered in the fields at the other end of the tunnel. The example in Figure 6-18 shows some sample entries for both the Encryption Key and Authentication Key fields. Up to 24 alphanumeric characters are allowed to create the encryption key. Up to 20 alphanumeric characters are allowed to create the authentication key.

    The Inbound SPI and Outbound SPI fields are different, however. The Inbound SPI value set here must match the Outbound SPI value at the other end of the tunnel. The Outbound SPI here must match the Inbound SPI value at the other end of the tunnel. In the example (see Figure 6-18), the Inbound SPI and Outbound SPI values shown would be reversed on the other end of the tunnel.

    Only numbers can be used in these fields. After you click the Apply button, hexadecimal characters (series of letters and numbers) are displayed in the Inbound SPI and Outbound SPI fields.
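    The following Python is an added example, not the router's code. It checks the field limits given above for the Pre-shared Key (Automatic keying) and for the manual Encryption Key and Authentication Key, and verifies that the Inbound/Outbound SPIs of two manually keyed ends are crossed as described; the configurations it is fed are constructed, and the SPI check compares the decimal values as typed, before Apply displays them in hexadecimal.

```python
import re

# Added example (not the router's code): checks the key fields the screen
# accepts and verifies that two manually keyed ends are configured to match.
# Any configurations passed in are constructed samples, not from the manual.

ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def validate_preshared_key(psk):
    """Auto (IKE) keying: 1 to 24 letters or digits, no spaces or special characters."""
    return len(psk) <= 24 and ALNUM.match(psk) is not None


def manual_key_problems(local, remote):
    """Return a list of problems in a pair of manual-keying configurations.

    Each configuration is a dict with the screen's four fields:
    encryption_key, authentication_key, inbound_spi, outbound_spi
    (SPIs as the decimal strings typed in before Apply shows them in hex).
    An empty list means the two ends are consistent."""
    problems = []
    for end, cfg in (("local", local), ("remote", remote)):
        ek, ak = cfg["encryption_key"], cfg["authentication_key"]
        if not (len(ek) <= 24 and ALNUM.match(ek)):
            problems.append(f"{end}: encryption key must be 1-24 alphanumeric characters")
        if not (len(ak) <= 20 and ALNUM.match(ak)):
            problems.append(f"{end}: authentication key must be 1-20 alphanumeric characters")
        for field in ("inbound_spi", "outbound_spi"):
            if not cfg[field].isdigit():
                problems.append(f"{end}: {field} may contain only numbers")
    # Both keys are entered identically at the two ends.
    if local["encryption_key"] != remote["encryption_key"]:
        problems.append("encryption keys differ between the two ends")
    if local["authentication_key"] != remote["authentication_key"]:
        problems.append("authentication keys differ between the two ends")
    # SPIs are crossed: this end's inbound is the other end's outbound, and vice versa.
    if local["inbound_spi"] != remote["outbound_spi"]:
        problems.append("local inbound SPI does not equal remote outbound SPI")
    if local["outbound_spi"] != remote["inbound_spi"]:
        problems.append("local outbound SPI does not equal remote inbound SPI")
    return problems
```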

   

    Once you are satisfied with all your settings, click the Apply button. If you make any mistakes, clicking the Cancel button will exit the screen without saving any changes, provided that you have not already clicked the Apply button.

    After the VPN device is set up at the other end of the tunnel, you may click the Connect button to use the tunnel. This assumes that both ends of the tunnel have a physical connection to each other (e.g., over the Internet, physical wiring, etc.). After clicking the Connect button, click the Summary button. If the connection is made, the screen shown in Figure 6-19 will appear:

   

   

    Under Status, the word Connected should appear if the connection is successful. The other fields reflect the information that you entered on the VPN screen to make the connection.

    If Disconnected appears under Status, some problem exists that prevents the creation of the tunnel. Make sure that all of your wiring is securely connected.

    Double-check all the values you entered on the VPN screen to make sure they are correct. If the other end of the tunnel is some distance from you (e.g., in another city, etc.), call to make sure that the settings on that end of the tunnel are correct as well.

    If, for any reason, you experience a temporary disconnection, the connection will be re-established as long as the settings on both ends of the tunnel stay the same.

    To get more details concerning your tunnel connection, click the View Log button. The screen in Figure 6-21 will appear:

    The VPN Log screen displays successful connections, transmissions and receptions, and the types of encryption used.

    Once you no longer have need of the tunnel, simply click the Disconnect button on the bottom of the VPN page.

    To change advanced settings, select the tunnel whose advanced settings you wish to change. Then click on More... to change the advanced settings for a specific VPN tunnel.

    Advanced Settings for Selected IPSec Tunnel

   

    Phase 1

    Phase 1 is used to create a Security Association (SA), often called the IKE SA.

    After Phase 1 is completed, Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions.

    Operation Mode

    There are two modes: Main and Aggressive. They exchange the same IKE payloads, but in different sequences. Main mode is more common; however, some people prefer Aggressive mode because it is faster. Main mode is for normal usage and includes more authentication requirements than Aggressive mode.

    Main mode is recommended because it is more secure. No matter which mode is selected, the VPN router will accept both Main and Aggressive requests from the remote VPN device.

    Encryption

    Select the length of the key used to encrypt/decrypt ESP packets. There are two choices: DES and 3DES. 3DES is recommended because it is more secure.

    Authentication

    Select the method used to authenticate ESP packets. There are two choices: MD5 and SHA. SHA is recommended because it is more secure.

    Group

    There are two Diffie-Hellman groups to choose from: 768-bit and 1024-bit.

    Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.

    Key Lifetime

    In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you'd like the key to be used until a re-key negotiation between each endpoint is completed.

    Phase 2

    Group

    There are two Diffie-Hellman groups to choose from: 768-bit and 1024-bit.

    Diffie-Hellman refers to a cryptographic technique that uses public and private keys for encryption and decryption.

    Key Lifetime

    In the Key Lifetime field, you may optionally select to have the key expire at the end of a time period of your choosing. Enter the number of seconds you'd like the key to be used until a re-key negotiation between each endpoint is completed.

    Other Settings

    NetBIOS Broadcast

    Check the box next to NetBIOS Broadcast to enable NetBIOS traffic to pass through the VPN tunnel.

    Anti-Replay

    Check the box next to Anti-Replay to enable anti-replay protection. This feature keeps track of sequence numbers as packets arrive, ensuring security at the IP packet level.
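    As an added illustration, not the router's implementation, the following Python class shows the sliding-window bookkeeping that an anti-replay check keeps for one inbound SA, in the style of RFC 4303; the arrival order fed to it is constructed.

```python
# Added example (not the router's code): an RFC 4303 style sliding window,
# the bookkeeping an anti-replay check keeps per inbound IPSec SA.


class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if it is new and within the window.
        Return False (packet should be dropped) for seq 0, for sequence
        numbers older than the window, and for numbers already received."""
        if seq == 0:
            return False   # ESP counters start at 1; 0 is never valid
        if seq > self.highest:
            # Packet is newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # everything previously seen is now too old
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False   # too old: fell off the left edge of the window
        if (self.bitmap >> diff) & 1:
            return False   # replay: this sequence number was already accepted
        self.bitmap |= 1 << diff
        return True


def accepted_sequence_numbers(arrival_order, size=64):
    """Feed a constructed arrival order of ESP sequence numbers through one
    window and return the numbers that pass the anti-replay check."""
    window = AntiReplayWindow(size)
    return [seq for seq in arrival_order if window.check_and_update(seq)]


if __name__ == "__main__":
    # Constructed sample: duplicates (3, 2) and stale packets (6 after 70,
    # 136 after 200) are dropped; out-of-order but fresh packets (4, 7, 199) pass.
    print(accepted_sequence_numbers([1, 2, 3, 3, 5, 4, 2, 70, 6, 7, 200, 199, 136]))
```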

    Keep-Alive

    Check the box next to Keep-Alive to re-establish the VPN tunnel connection whenever it is dropped. Once the tunnel is initialized, this feature will keep the tunnel connected for the specified amount of idle time.

    Unauthorized IP Blocking

    Check this box to block unauthorized IP addresses. Complete the on-screen sentence to specify how many times IKE must fail before blocking that unauthorized IP address for a length of time that you specify (in seconds).
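    The following Python class is an added example, not the router's code, modelling the failure counter behind this option. It assumes the count is of consecutive failures per address, that a success or an expired block resets it, and that the caller supplies the clock in seconds; the addresses used in any sample run are constructed.

```python
# Added example (not the router's code): a per-address IKE failure counter
# that models the Unauthorized IP Blocking option. Assumptions: the counter
# is of consecutive failures, it resets on a success or when a block expires,
# and the caller supplies the clock (seconds) so behaviour is reproducible.


class IkeFailureBlocker:
    def __init__(self, max_failures, block_seconds):
        self.max_failures = max_failures    # "how many times IKE must fail"
        self.block_seconds = block_seconds  # "for a length of time ... (in seconds)"
        self.failures = {}                  # ip -> consecutive failure count
        self.blocked_until = {}             # ip -> clock value when the block ends

    def is_blocked(self, ip, now):
        """True while ip is inside its block period; expired blocks are cleared."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            self.failures.pop(ip, None)     # start counting afresh after the block
            return False
        return True

    def record_failure(self, ip, now):
        """Count one failed IKE negotiation from ip. Returns True if ip is
        (now or already) blocked, False if it is still merely being counted."""
        if self.is_blocked(ip, now):
            return True
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= self.max_failures:
            self.blocked_until[ip] = now + self.block_seconds
            return True
        return False

    def record_success(self, ip):
        """A successful IKE negotiation clears the failure count for ip."""
        self.failures.pop(ip, None)
```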

   

   
Cisco-Linksys BEFVP41 related content: pricing | specifications | images | forum | reviews